What are the main threats to CI/CD pipelines identified by NSA and CISA?

The NSA and CISA highlight threats such as insecure code, poisoned pipeline execution, insufficient access controls, insecure system configuration, risks from third-party services, and exposure of secrets. These threats can lead to unauthorized access, data breaches, and compromised software builds.

How does Akeyless help align CI/CD pipeline security with NSA and CISA guidance?

Akeyless centralizes secrets management, enforces strict access controls, automates credential rotation, and integrates with identity providers. These capabilities help organizations meet NSA and CISA recommendations for secure authentication, least-privilege access, and robust secrets protection throughout the CI/CD lifecycle.

What is the role of secrets management in CI/CD pipeline security?

Secrets management is critical for protecting sensitive information such as API keys, credentials, and encryption keys within CI/CD pipelines. Akeyless provides secure storage, encryption, and access controls, ensuring secrets are not exposed in code, logs, or configuration files.

How does Akeyless automate secret rotation in CI/CD pipelines?

Akeyless automates the rotation of keys and credentials across databases, cloud providers, and on-premise systems. This reduces the risk of long-term credential exposure and aligns with NSA guidance for minimizing credential lifespan.

What is Distributed Fragments Cryptography™ (DFC) and how does it secure CI/CD pipelines?

DFC™ is Akeyless's patented cryptographic approach that divides and randomizes encryption keys across separate environments. This ensures that no third party, including Akeyless, can access the full key, mitigating full-key exposure risks and complying with NSA cryptographic recommendations.

How does Akeyless support Zero Trust principles in CI/CD pipeline security?

Akeyless enforces Zero Trust by providing granular permissions, Just-in-Time access, and dynamic secrets. This minimizes standing privileges and ensures secrets are only accessible when needed, reducing the risk of unauthorized access.

What are dynamic secrets and how do they enhance CI/CD pipeline security?

Dynamic secrets are short-lived credentials generated for each session or task. Akeyless automatically revokes these secrets after use, reducing the risk associated with long-term credentials and aligning with NSA/CISA recommendations.

How does Akeyless prevent secrets exposure in CI/CD pipelines?

Akeyless ensures secrets are never exposed in logs or configuration files and encrypts them at rest and in transit. Access controls and integration with identity providers further reduce the risk of secrets exposure.

What access control features does Akeyless provide for CI/CD pipelines?

Akeyless offers role-based access control, integration with identity providers, and least-privilege policies. These features ensure only authorized users can access secrets, reducing the risk of unauthorized modifications or breaches.

How does Akeyless integrate with third-party services in CI/CD pipelines?

Akeyless seamlessly integrates with third-party services, ensuring secure management of secrets associated with these services. This reduces the risk of data breaches and unauthorized access from compromised third-party tools.

What is active hardening in the context of CI/CD pipeline security?

Active hardening refers to the proactive implementation and reinforcement of security protocols, such as cryptography, credential rotation, access controls, and network segmentation, to minimize vulnerabilities in CI/CD pipelines.

How does Akeyless support audit logging and compliance in CI/CD pipelines?

Akeyless provides detailed audit logs for all secret usage and access events, supporting compliance with NSA, CISA, and industry regulations. This enables organizations to maintain transparency and accountability in their CI/CD processes.

What are some real-world threat scenarios in CI/CD pipelines?

Examples include attackers acquiring developer credentials to access source code repositories, supply chain compromise of application libraries or CI/CD environments, and injection of malicious code or dependencies. Planning for these scenarios helps organizations implement effective safeguards.

How does Akeyless help mitigate supply chain risks in CI/CD pipelines?

Akeyless enforces strict access controls, integrates with identity providers, and automates secrets rotation, reducing the risk of supply chain compromise and unauthorized code changes in CI/CD environments.

What is the importance of least-privilege policies in CI/CD pipeline security?

Least-privilege policies ensure users only have access to the resources necessary for their roles, reducing the risk of unauthorized access or malicious activity in CI/CD pipelines. Akeyless supports these policies through granular access controls.

How does Akeyless support secure cryptography in CI/CD pipelines?

Akeyless uses NSA-recommended cryptographic algorithms and protocols, including its patented DFC™ technology, to safeguard sensitive pipeline information and ensure compliance with industry standards.

What is the benefit of integrating security scanning into CI/CD pipelines?

Integrating security scanning helps identify vulnerabilities, restrict untrusted libraries, analyze committed code, and remove temporary resources, boosting the overall security of CI/CD pipelines. Akeyless supports these practices through its platform integrations.

How does Akeyless help organizations maintain up-to-date CI/CD environments?

Akeyless supports automated credential rotation and integration with CI/CD tools, helping organizations keep their environments up-to-date and secure against evolving threats.

What is the impact of Akeyless on CI/CD pipeline security and compliance?

Akeyless streamlines compliance with NSA and CISA guidelines, enhances security through centralized secrets management, and provides audit trails for regulatory requirements, giving organizations peace of mind and operational efficiency.

What are the key features of Akeyless for CI/CD pipeline security?

Key features include centralized secrets management, dynamic and rotated secrets, automated credential rotation, role-based access control, integration with identity providers, Zero Trust Access, and patented DFC™ cryptography.

Does Akeyless support integration with CI/CD tools?

Yes, Akeyless supports integration with CI/CD tools such as TeamCity, Jenkins, and others, enabling secure secrets management within automated pipelines.

What SDKs are available for integrating Akeyless into CI/CD workflows?

Akeyless offers SDKs for Ruby, Python, and Node.js, allowing developers to integrate secrets management into CI/CD workflows programmatically.

How does Akeyless support Kubernetes environments?

Akeyless integrates with Kubernetes platforms such as OpenShift and Rancher, providing secure secrets management for containerized CI/CD workflows.

What technical documentation is available for implementing Akeyless?

Akeyless provides comprehensive technical documentation and tutorials, including API docs and step-by-step guides, to assist with implementation and troubleshooting.

Does Akeyless provide an API for secrets management?

Yes, Akeyless offers a robust API for its secrets management platform, with documentation available for developers to integrate and automate secrets workflows.

What compliance certifications does Akeyless hold?

Akeyless holds certifications including SOC 2 Type II, ISO 27001, FIPS 140-2, PCI DSS, CSA STAR, and DORA compliance, demonstrating its commitment to security and regulatory standards.

How does Akeyless ensure data privacy?

Akeyless adheres to strict data privacy standards, as outlined in its Privacy Policy and CCPA Privacy Notice, ensuring customer data is protected and compliant with regulations.

Who can benefit from using Akeyless for CI/CD pipeline security?

IT security professionals, DevOps engineers, compliance officers, and platform engineers in industries such as technology, manufacturing, finance, healthcare, retail, and software development can benefit from Akeyless's solutions.

What business impact can organizations expect from using Akeyless?

Organizations can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance and provisioning time), scalability, compliance, and improved collaboration between teams.

Can you share specific customer success stories with Akeyless?

Yes. For example, Cimpress reported a 270% increase in user adoption after switching to Akeyless, and Progress achieved a 70% reduction in maintenance time. Constant Contact and Wix also improved security and operational efficiency using Akeyless.

What industries are represented in Akeyless case studies?

Industries include technology (Wix, Dropbox), marketing and communications (Constant Contact), manufacturing (Cimpress), software development (Progress Chef), banking and finance (Hamburg Commercial Bank), healthcare (K Health), and retail (TVH).

How does Akeyless compare to HashiCorp Vault for CI/CD pipeline security?

Akeyless uses a vaultless architecture, eliminating heavy infrastructure and reducing costs. It offers SaaS-based deployment, faster implementation, and advanced features like Universal Identity and automated credential rotation.

How does Akeyless compare to AWS Secrets Manager for CI/CD pipeline security?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse platforms, and provides advanced features like automated secrets rotation and Zero Trust Access, making it more flexible for organizations using multiple cloud providers.

How does Akeyless compare to CyberArk Conjur for CI/CD pipeline security?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, reducing operational complexity and costs. It also offers seamless integration with DevOps tools and supports scalable cloud-native deployments.

How long does it take to implement Akeyless for CI/CD pipeline security?

Akeyless's cloud-native SaaS platform allows for deployment in just a few days, with minimal technical expertise required and proactive support available throughout onboarding.

What onboarding resources are available for new Akeyless users?

Resources include platform demos, self-guided product tours, tutorials, technical documentation, 24/7 support, and a Slack support channel for troubleshooting and guidance.

How easy is it to start using Akeyless for CI/CD pipeline security?

Akeyless offers an intuitive interface, pre-configured workflows, and comprehensive onboarding resources, making it easy for teams to get started without extensive technical expertise.

What support options are available for Akeyless customers?

Akeyless provides 24/7 support, a Slack support channel, and access to technical documentation and tutorials to assist customers during setup and ongoing use.

When was this page last updated?

This page wast last updated on 12/12/2025 .

Aligning CI/CD Pipeline Security with NSA & CISA Guidance

Posted by Anne-Marie Avalon
July 13, 2023

Securing the Backbone of Software Development with Secrets Management

CI/CD pipelines, the lifeblood of today’s software development, are becoming increasingly crucial for organizations of all sizes. However, the strength of this backbone hinges on the security we wrap around it. That’s where the heart of our blog post, “Aligning CI/CD Pipeline Security with the NSA & CISA Guidance,” lies.

In this post, we’ll dissect the recent NSA and CISA guidelines and reveal how to align your CI/CD pipeline security with their advice. Additionally, we’ll spotlight the critical role of managing secrets within your pipelines. You’ll learn how SaaS Secrets Management is a significant game-changer in this endeavor.

Before we dive into the deep end, it would be useful to acquaint ourselves with a few key terms in the CI/CD pipeline security.

CI/CD & DevSecOps: A Shared Lexicon

To ensure clarity and comprehension, let’s kick off by defining a few key terms:

CI/CD Pipeline: This is a component of a broader toolchain that includes continuous integration, version control, automated testing, delivery, and deployment. It automates the integration and delivery of applications and allows organizations to deploy applications swiftly and efficiently.
Development Operations (DevOps): This is a set of practices that merges software development and information technology (IT) operations. The primary goal of DevOps is to shorten the systems development lifecycle, thereby facilitating continuous delivery with high software quality.

DevSecOps: An evolution of DevOps, DevSecOps incorporates elements of development (Dev), security (Sec), and operations (Ops) in the software systems process. This integrated approach considerably reduces the time from identifying a need to the availability of the capability. As a result, it supports continuous integration and continuous delivery (CI/CD) while maintaining a high standard of software quality.

Malicious Cyber Actors (MCAs): These are the proverbial wolves in the digital landscape. They engage in unauthorized access, data breaches, or system disruptions, often targeting CI/CD pipelines.

Threat Landscape: Knowing Your Digital Adversaries

The NSA and CISA have pointed out several common threats that organizations should be alert to:

Insecure Code: MCAs can exploit code vulnerabilities to gain unauthorized access or execute malicious activities.
Poisoned Pipeline Execution: The insertion of malicious code or unauthorized changes into the CI/CD pipeline, resulting in compromised software builds or deployments.
Insufficient Pipeline Access Controls: Weak or improperly configured access controls may allow unauthorized individuals to manipulate the pipeline.
Insecure System Configuration: Poorly secured or misconfigured CI/CD infrastructure components might be exploited by MCAs.
Usage of Third-Party Services: Insecure or compromised third-party services integrated into the CI/CD pipeline could lead to data breaches or unauthorized access.
Exposure of Secrets: The accidental exposure or insecure management of sensitive information, such as API keys, credentials, or encryption keys.

Understanding these threats and counteracting them with appropriate security measures is crucial for any organization. Having looked at the threats, it’s time we turn our attention to some of the scenarios where they play out.

Threat Scenarios

To comprehend the real-world implications of the above threats, CISA and the NSA listed possible scenarios within the CI/CD pipeline to consider:

Scenario 1: MCAs acquire a developer’s credentials to access a Git repository service. These credentials could be in the form of stolen personal tokens, SSH keys, browser cookies, or login passwords. An MCA typically targets one of three things: Valid accounts for a source code repository, valid accounts for a CI/CD Service, or valid admin accounts for a server hosting a source code repository.

Scenario 2: Supply chain compromise of an application library, tool, or container image in a CI/CD pipeline leads to a poisoned DevSecOps environment.

Scenario 3: Supply chain compromise of a CI/CD environment that modifies the CI/CD configuration, injects code into the Infrastructure as Code (IaC) configuration, injects code into the source code, or injects a malicious or vulnerable dependency.

By planning for these scenarios, organizations can devise appropriate safeguards to minimize the impact of potential attacks.

Now, armed with the knowledge of possible scenarios, let’s examine how we can shield ourselves against these threats.

Strengthening the Defenses: Active Hardening

Active hardening refers to the proactive implementation and constant reinforcement of security protocols aimed at minimizing vulnerabilities and mitigating potential threats in the CI/CD pipeline. Following NSA and CISA’s guidance, let’s explore active hardening measures:

Authentication and Access Mitigations

Use NSA-Recommended Cryptography:
Employ cryptographic algorithms and protocols endorsed by the NSA to safeguard sensitive pipeline information.
Minimize Long-Term Credential Usage:
Favor short-lived credentials or tokens that are automatically rotated and revoked to limit exposure.
Digitally Sign and Verify CI/CD Configuration:
Digitally signing and verifying guarantees the pipeline configuration’s integrity and authenticity, preventing unauthorized modifications.
Two-Person Rule for Code Updates:
Ensure changes are reviewed and approved by multiple individuals, reducing the risk of unauthorized or malicious code modifications.
Least-Privilege Policies for CI/CD Access:
Regularly review and update access permissions to prevent unauthorized access, and ensure that employees only have access to what they need to do their jobs.
Secure User Accounts:
Implement strong password policies, enforce regular password rotations, and monitor user account activities.
Secure Secrets:
Implement robust secrets management practices, including secure storage, encryption, and access controls for API keys, credentials, or encryption keys.
Implement Network Segmentation and Traffic Filtering:
Prevent lateral movement and restrict the impact of potential breaches.

By adopting these active hardening measures, organizations can create a resilient defense for their CI/CD pipelines. To further broaden these measures, the NSA and CISA also suggest several specific steps to harden the development environment and process and protect it against cyber threats.

Development Environment Mitigations

NSA and CISA proposed specific measures for the development environment:

Maintain up-to-date software and operating systems
Keep CI/CD tools up-to-date
Remove unnecessary applications
Implement Endpoint Detection and Response (EDR) tools

Development Process Mitigations

Integrate security scanning as part of the CI/CD pipeline
- Restrict untrusted libraries and tools
- Analyze committed code
- Remove any temporary resources
Keep audit logs
Implement Software Bill of Materials (SBOM) and Software Composition Analysis (SCA)
Plan, build and test for resiliency

These mitigations can substantially boost the security of CI/CD pipelines, ensuring the integrity of software builds and deployments.

Summing up, NSA and CISA guidelines stress the urgent need for active hardening and development environment and process mitigations to fortify CI/CD pipelines. These measures are crucial in today’s high-risk cyber environment. However, fully implementing these complex guidelines can prove to be a significant challenge.

This is where Akeyless fits in. Its Secrets Management solution streamlines compliance with these guideline’s recommendations. In our next section, we’ll examine how Akeyless Secrets Management solution simplifies adherence to these protocols, without compromising on security, providing an effective tool for safeguarding your CI/CD pipelines.

Akeyless Secrets Management: Aligning CI/CD Pipeline Security with NSA & CISA Guidance

Akeyless Secrets Management aligns with NSA and CISA’s guidance, providing a centralized platform for managing secrets throughout the CI/CD pipeline lifecycle. These are just some of the ways Akeyless Secrets Management can enhance your CI/CI pipeline security:

Enhancing Security in Insecure Code and System Configuration

By centralizing the storage and access of secret keys, Akeyless mitigates the risk of unauthorized access due to code vulnerabilities. The use of dynamic secrets further reduces the risk by minimizing the lifespan of secrets. Additionally, Akeyless provides a unified platform to manage the configuration of secrets across different environments, thus ensuring a secure and consistent configuration steeped in Zero Trust.

Preventing Poisoned Pipeline Execution and Unauthorized Access

By enforcing strict access control policies and integrating with identity providers, Akeyless ensures that only authorized individuals have access to secrets. It also enables role-based access control, which limits the permissions granted to each user, reducing the potential damage in case of a security breach. In the case of a poisoned pipeline, the integration of Akeyless with CI/CD tools ensures that only verified and authorized code changes are made, thus preventing the insertion of malicious code.

Securing Third-Party Services and Protecting Secrets Exposure

As organizations increasingly rely on third-party services, the secure management of secrets associated with these services is paramount. Akeyless’ ability to seamlessly integrate with these services provides an additional layer of security. With Akeyless, secrets are never exposed in logs or config files and are encrypted at rest and in transit, reducing the risk of secrets exposure. Furthermore, Akeyless uses just-in-time access and offers Secure Remote Access, ensuring that secrets are only accessible when needed, thereby reducing the risk of exposure.

Automating Secret Rotation

Akeyless automated secrets rotation feature bolsters the security of CI/CD pipelines, aligning with NSA’s guidelines. It automates the rotation of keys and credentials across a diverse range of environments, from databases and cloud service providers to on-premise systems, without IT overhead. Furthermore, this rotation seamlessly integrates into existing development pipelines, ensuring only up-to-date credentials are in use.

Enabling Temporary Dynamic Secrets

Embracing the principles of Zero Trust, Akeyless can manage secrets by assigning unique credentials for each session or task, thereby nullifying risks associated with long-term credentials. Following task completion, these secrets are automatically revoked, limiting potential damage from unauthorized access. This strategy of ephemeral, short-lived secrets significantly bolsters your security posture in the face of potential cyber threats.

Securing Cryptography through DFC™ Technology

At the heart of Akeyless cryptographic system is the Distributed Fragments Cryptography (DFC™) approach, which divides and randomizes encryption keys in separate environments, ensuring that no entity besides the organization possesses the full key. Compliant with the NSA’s guidance on cryptographic protocols, DFC adds an extra layer of protection to your secrets storage, effectively mitigating full-key exposure risk. This innovative cryptographic strategy, underpinned by Zero Trust principles, fortifies your CI/CD pipeline’s security, ensuring the trustworthiness of your software delivery process.

Conclusion

We’ve sifted through NSA and CISAs’ guidelines and have seen firsthand the looming threats to our CI/CD pipelines. And we’ve reviewed active hardening and mitigation strategies in the development environment to fortify cyber defenses. Through this exploration, we discovered Akeyless Secrets Management is a standout centralized platform for managing secrets during the CI/CD pipeline lifecycle.

Akeyless boosts security in code and system configurations. It blocks poisoned pipeline execution and unauthorized access. It even strengthens third-party services, guarding against secrets exposure.

We get it.

You are the gatekeeper of your organization’s digital assets. You want to be proactive with threats, not reactive. Akeyless offers that peace of mind. It combines solid security and ease of use. You can focus on managing your pipelines securely and aligning with NSA and CISA guidance; leaving you free to do what you do best, adding value to your organization.

Don’t wait for a security incident to take action. Securing your CI/CD pipelines is crucial. Take control of your digital assets now. Let Akeyless guide you in building a sturdy, future-ready CI/CD pipeline. One that aligns with the best industry advice.

Table of Contents

Frequently Asked Questions

CI/CD Pipeline Security & NSA/CISA Guidance