owasp-cicd-top-10
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseOWASP Top 10 CI/CD Security Risks
OWASP Top 10 CI/CD安全风险
This skill encodes the OWASP Top 10 CI/CD Security Risks for secure pipeline design and review. References are loaded per risk. Based on OWASP Top 10 CI/CD Security Risks 2022.
本技能整合了OWASP Top 10 CI/CD安全风险内容,用于安全流水线的设计与评审。每个风险都配有参考资料,基于2022版OWASP Top 10 CI/CD安全风险标准。
When to Read Which Reference
何时查阅对应参考资料
| Risk | Read |
|---|---|
| CICD-SEC-1 Insufficient Flow Control | references/cicd-sec-1-flow-control.md |
| CICD-SEC-2 Inadequate IAM | references/cicd-sec-2-iam.md |
| CICD-SEC-3 Dependency Chain Abuse | references/cicd-sec-3-dependency-chain-abuse.md |
| CICD-SEC-4 Poisoned Pipeline Execution | references/cicd-sec-4-poisoned-pipeline-execution.md |
| CICD-SEC-5 Insufficient PBAC | references/cicd-sec-5-pbac.md |
| CICD-SEC-6 Insufficient Credential Hygiene | references/cicd-sec-6-credential-hygiene.md |
| CICD-SEC-7 Insecure System Configuration | references/cicd-sec-7-insecure-system-config.md |
| CICD-SEC-8 Ungoverned 3rd Party Services | references/cicd-sec-8-third-party-services.md |
| CICD-SEC-9 Improper Artifact Integrity Validation | references/cicd-sec-9-artifact-integrity.md |
| CICD-SEC-10 Insufficient Logging and Visibility | references/cicd-sec-10-logging-visibility.md |
| 风险项 | 查阅链接 |
|---|---|
| CICD-SEC-1 流量控制不足 | references/cicd-sec-1-flow-control.md |
| CICD-SEC-2 IAM配置不当 | references/cicd-sec-2-iam.md |
| CICD-SEC-3 依赖链滥用 | references/cicd-sec-3-dependency-chain-abuse.md |
| CICD-SEC-4 恶意流水线执行 | references/cicd-sec-4-poisoned-pipeline-execution.md |
| CICD-SEC-5 PBAC配置不足 | references/cicd-sec-5-pbac.md |
| CICD-SEC-6 凭证管理不当 | references/cicd-sec-6-credential-hygiene.md |
| CICD-SEC-7 系统配置不安全 | references/cicd-sec-7-insecure-system-config.md |
| CICD-SEC-8 第三方服务未管控 | references/cicd-sec-8-third-party-services.md |
| CICD-SEC-9 制品完整性验证不当 | references/cicd-sec-9-artifact-integrity.md |
| CICD-SEC-10 日志与可见性不足 | references/cicd-sec-10-logging-visibility.md |
Quick Patterns
快速实践方案
- Enforce approval and branching for pipeline execution; apply least-privilege IAM. Verify dependency and artifact integrity; secure credentials; audit third-party usage; enable logging and alerting.
- 强制流水线执行的审批与分支规则;应用最小权限IAM策略。验证依赖与制品完整性;保护凭证安全;审计第三方服务使用情况;启用日志与告警机制。
Quick Reference / Examples
快速参考/示例
| Task | Approach |
|---|---|
| Protect main branch | Require PR reviews, signed commits, branch protection. See CICD-SEC-1. |
| Secure pipeline IAM | Least privilege, short-lived tokens, no shared creds. See CICD-SEC-2. |
| Verify dependencies | Lock versions, audit, verify checksums. See CICD-SEC-3. |
| Protect credentials | Use secrets manager, rotate, never log. See CICD-SEC-6. |
| Sign artifacts | Sign images/packages, verify before deploy. See CICD-SEC-9. |
Safe - GitHub branch protection:
yaml
undefined| 任务 | 实施方法 |
|---|---|
| 保护主分支 | 要求PR评审、签名提交、分支保护。详见CICD-SEC-1。 |
| 安全流水线IAM | 最小权限、短期令牌、不使用共享凭证。详见CICD-SEC-2。 |
| 验证依赖 | 锁定版本、审计、校验哈希值。详见CICD-SEC-3。 |
| 保护凭证 | 使用密钥管理器、定期轮换、绝不记录凭证。详见CICD-SEC-6。 |
| 签名制品 | 对镜像/包进行签名,部署前验证。详见CICD-SEC-9。 |
安全示例 - GitHub分支保护:
yaml
undefined.github/settings.yml (or repo settings)
.github/settings.yml(或仓库设置)
branches:
- name: main protection: required_pull_request_reviews: required_approving_review_count: 1 required_status_checks: strict: true
**Safe - short-lived OIDC credentials (GitHub Actions):**
```yaml
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
aws-region: us-east-1Unsafe - long-lived secrets:
yaml
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }} # Prefer OIDC over static keysbranches:
- name: main protection: required_pull_request_reviews: required_approving_review_count: 1 required_status_checks: strict: true
**安全示例 - 短期OIDC凭证(GitHub Actions):**
```yaml
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
aws-region: us-east-1不安全示例 - 长期密钥:
yaml
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY }} # 优先使用OIDC而非静态密钥Workflow
工作流程
Load the reference for the risk you are addressing. See OWASP Top 10 CI/CD Security Risks for the official list.
针对你要处理的风险项加载对应参考资料。官方列表可查看OWASP Top 10 CI/CD安全风险。