Domain 10 / 12
DevOps & Pipeline security audit
Secure the software factory — branch protection, pipeline integrity, credentials and artifact signing.
- 38 checks
- CI/CD · Infrastructure as Code
What securmyapp checks
Inside the DevOps & Pipeline domain
This is the DevOps & Pipeline domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The DevOps & Pipeline domain secures your build and delivery chain against the OWASP Top 10 CI/CD Security Risks. securmyapp verifies branch protection and mandatory review, least-privilege pipeline identities, resistance to Poisoned Pipeline Execution (PPE), CI/CD credential hygiene, artifact integrity and signing, and audit logging across your SCM and build systems.
Coverage areas
38 atomic checks span these sub-domains.
Flow control
Branch protection, mandatory reviews, no admin bypass, signed commits.
Identity & access
Least-privilege human and machine identities (CICD-SEC-2).
Pipeline integrity
Anti-PPE controls and scoped job permissions (CICD-SEC-4/5).
Credential hygiene
Temporary, non-shared, non-exposed CI/CD secrets.
Artifact integrity
Signing and verification with Sigstore/Cosign (CICD-SEC-9).
Visibility
CI/CD audit logging and SIEM export (CICD-SEC-10).
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Branch protection & mandatory review | High | Weak flow control: no protection, no review, admin bypass. | CICD-SEC-1 · NIST SA-15 |
| Anti Poisoned Pipeline Execution (PPE) | High | Pipeline configs modifiable without review (SolarWinds-style). | CICD-SEC-4 · MITRE T1195 |
| Least privilege for CI/CD identities | High | Over-privileged human and machine identities. | CICD-SEC-2 · NIST AC-6 |
| CI/CD credential hygiene | High | Exposed or long-lived, shared pipeline secrets. | CICD-SEC-6 · NIST IA-5 |
| Artifact integrity validation | High | Unsigned or unverified build artifacts. | CICD-SEC-9 · SLSA |
| Pipeline permission scope (PBAC) | High | Jobs granted more permission than they need. | CICD-SEC-5 · NIST AC-6 |
Vulnerabilities we catch
- Unprotected branches and merges without mandatory review
- Poisoned Pipeline Execution through editable CI config
- Over-privileged CI/CD identities and job permissions
- Long-lived, shared or exposed pipeline credentials
- Unsigned artifacts and builds without provenance
- CI/CD logging blind spots with no SIEM export
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
DevOps & Pipeline — questions & answers
Which framework does this domain follow?
The OWASP Top 10 CI/CD Security Risks (CICD-SEC-1 through 10), complemented by SLSA for build provenance and NIST controls for identity and logging.
What is Poisoned Pipeline Execution?
PPE is when an attacker who can edit pipeline configuration gains code execution in the build environment. securmyapp checks that pipeline definitions cannot be changed without review — the defense that would have blunted SolarWinds-style attacks.
Does it check artifact signing?
Yes. It verifies artifacts and images are signed and verified (Sigstore/Cosign) so a swapped or tampered artifact cannot slip into delivery.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.