Domain 10 / 12

DevOps & Pipeline security audit

Secure the software factory — branch protection, pipeline integrity, credentials and artifact signing.

  • 38 checks
  • CI/CD · Infrastructure as Code

Run the audit See example checks

What securmyapp checks

Inside the DevOps & Pipeline domain

This is the DevOps & Pipeline domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The DevOps & Pipeline domain secures your build and delivery chain against the OWASP Top 10 CI/CD Security Risks. securmyapp verifies branch protection and mandatory review, least-privilege pipeline identities, resistance to Poisoned Pipeline Execution (PPE), CI/CD credential hygiene, artifact integrity and signing, and audit logging across your SCM and build systems.

Coverage areas

38 atomic checks span these sub-domains.

  • Flow control

    Branch protection, mandatory reviews, no admin bypass, signed commits.

  • Identity & access

    Least-privilege human and machine identities (CICD-SEC-2).

  • Pipeline integrity

    Anti-PPE controls and scoped job permissions (CICD-SEC-4/5).

  • Credential hygiene

    Temporary, non-shared, non-exposed CI/CD secrets.

  • Artifact integrity

    Signing and verification with Sigstore/Cosign (CICD-SEC-9).

  • Visibility

    CI/CD audit logging and SIEM export (CICD-SEC-10).

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example DevOps & Pipeline security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Branch protection & mandatory reviewHighWeak flow control: no protection, no review, admin bypass.CICD-SEC-1 · NIST SA-15
Anti Poisoned Pipeline Execution (PPE)HighPipeline configs modifiable without review (SolarWinds-style).CICD-SEC-4 · MITRE T1195
Least privilege for CI/CD identitiesHighOver-privileged human and machine identities.CICD-SEC-2 · NIST AC-6
CI/CD credential hygieneHighExposed or long-lived, shared pipeline secrets.CICD-SEC-6 · NIST IA-5
Artifact integrity validationHighUnsigned or unverified build artifacts.CICD-SEC-9 · SLSA
Pipeline permission scope (PBAC)HighJobs granted more permission than they need.CICD-SEC-5 · NIST AC-6

Vulnerabilities we catch

  • Unprotected branches and merges without mandatory review
  • Poisoned Pipeline Execution through editable CI config
  • Over-privileged CI/CD identities and job permissions
  • Long-lived, shared or exposed pipeline credentials
  • Unsigned artifacts and builds without provenance
  • CI/CD logging blind spots with no SIEM export

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

DevOps & Pipeline — questions & answers

Which framework does this domain follow?

The OWASP Top 10 CI/CD Security Risks (CICD-SEC-1 through 10), complemented by SLSA for build provenance and NIST controls for identity and logging.

What is Poisoned Pipeline Execution?

PPE is when an attacker who can edit pipeline configuration gains code execution in the build environment. securmyapp checks that pipeline definitions cannot be changed without review — the defense that would have blunted SolarWinds-style attacks.

Does it check artifact signing?

Yes. It verifies artifacts and images are signed and verified (Sigstore/Cosign) so a swapped or tampered artifact cannot slip into delivery.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.