Runbook: Build Pipeline Compromise
Security SpecialistOperations & StrategyDevOps
Stub runbook. Customize with your CI/CD platform and procedures.
Quick Reference
| Field | Value |
|---|---|
| Typical Severity | P1 |
| Primary Responder | DevOps / Infrastructure SME |
| Last Updated | [Date] |
| Owner | [Name] |
Identification
Symptoms
- Unexpected code in deployed artifacts
- CI/CD configuration changed without approval
- Secrets accessed or exfiltrated
- Unauthorized workflow runs
Confirm Compromise
- Review CI/CD audit logs
- Compare build artifacts to source
- Check for config changes in CI/CD platform
Immediate Actions
- Disable compromised pipelines
- Rotate all secrets and tokens
- Take down potentially compromised deployments
- Audit recent builds and deployments
Mitigation
- Audit CI/CD configuration for unauthorized changes
- Rebuild from trusted commit using clean pipeline
- Implement additional approval requirements
- Review and restrict pipeline permissions
Prevention
- Require approval for CI/CD config changes
- Use short-lived credentials
- Implement branch protection
- Audit pipeline access regularly
- Use signed commits
- Separate build and deploy permissions