Secure Workflow Guide

Secure Workflow Guide is a community skill for designing and implementing secure development workflows, covering CI/CD pipeline security, branch protection, artifact signing, access controls, and deployment safeguards for software delivery processes.

What Is This?

Overview

Secure Workflow Guide provides practices for building secure software delivery pipelines from code commit to production deployment. It covers CI/CD pipeline security that hardens build systems against supply chain attacks and unauthorized modifications, branch protection that enforces review requirements and status checks before code merges to protected branches, artifact signing that verifies the integrity and provenance of build outputs through cryptographic signatures, access controls that implement least-privilege permissions for pipeline service accounts and deployment credentials, and deployment safeguards that enforce staged rollouts with automated rollback capabilities. The skill helps teams ship software securely.

Who Should Use This

This skill serves DevOps engineers hardening CI/CD pipelines, security teams establishing secure development policies, and platform teams building deployment infrastructure with built-in protections.

Why Use It?

Problems It Solves

Unprotected CI/CD pipelines can be exploited to inject malicious code into build artifacts. Overly permissive access controls allow unauthorized changes to production environments. Missing artifact verification allows tampered builds to reach deployment. Manual deployment processes introduce human error and lack audit trails.

Core Highlights

Pipeline hardener secures CI/CD systems against supply chain attacks. Branch protector enforces review and status check requirements. Artifact signer verifies build integrity with cryptographic signatures. Deployment guardrail implements staged rollouts with rollback triggers.

How to Use It?

Basic Usage

name: Secure Build
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  packages: write

jobs:
  security-checks:
    runs-on: ubuntu-latest
    steps:
      - uses:
          actions/checkout@v4
      - name: Secret scan
        uses:
          trufflesecurity/\
          trufflehog@main
        with:
          extra_args: >
            --only-verified
      - name: Dep audit
        run: |
          pip install\
            pip-audit
          pip-audit -r\
            requirements.txt
      - name: SAST
        uses:
          returntocorp/\
          semgrep-action@v1

  build:
    needs: security-checks
    runs-on: ubuntu-latest
    steps:
      - uses:
          actions/checkout@v4
      - name: Build image
        run: |
          docker build\
            -t app:$SHA .
      - name: Sign image
        run: |
          cosign sign\
            app:$SHA

Real-World Examples

import subprocess
import json

class DeploymentGate:
  def __init__(
    self,
    checks: list[str]
  ):
    self.checks = checks
    self.results = {}

  def run_check(
    self, name: str,
    cmd: list[str]
  ) -> bool:
    result = subprocess.run(
      cmd,
      capture_output=True,
      text=True)
    passed = (
      result.returncode
      == 0)
    self.results[name] = {
      'passed': passed,
      'output':
        result.stdout}
    return passed

  def evaluate(
    self
  ) -> dict:
    all_pass = all(
      r['passed']
      for r in
      self.results
      .values())
    return {
      'deploy_allowed':
        all_pass,
      'results':
        self.results}

gate = DeploymentGate(
  ['tests', 'security',
   'lint'])
gate.run_check(
  'tests',
  ['pytest', '--tb=short'])
gate.run_check(
  'security',
  ['pip-audit', '-r',
   'requirements.txt'])
gate.run_check(
  'lint',
  ['ruff', 'check', '.'])
verdict = gate.evaluate()
if verdict[
  'deploy_allowed'
]:
  print('Deploy approved')
else:
  print('Deploy blocked')

Advanced Tips

Pin all CI/CD action versions to specific commit SHAs rather than tags to prevent supply chain attacks through tag manipulation. Use OpenID Connect for cloud provider authentication in pipelines instead of long-lived credentials. Implement deployment windows that restrict production changes to approved time periods.

When to Use It?

Use Cases

Configure branch protection rules requiring security scan approval before merging to the main branch. Set up a deployment gate that blocks releases when dependency vulnerabilities are detected. Implement artifact signing to verify container image integrity before production deployment.

Related Topics

CI/CD security, DevSecOps, supply chain security, branch protection, artifact signing, deployment automation, and access control.

Important Notes

Requirements

CI/CD platform such as GitHub Actions, GitLab CI, or Jenkins for pipeline automation. Version control system with branch protection support for enforcing merge requirements. Signing tools such as cosign or GPG for artifact verification workflows.

Usage Recommendations

Do: enforce the principle of least privilege for all service accounts and pipeline credentials. Require multiple approvals for changes to pipeline configuration files. Log all deployment actions with timestamps and actor identities for audit purposes.

Don't: store deployment credentials as plain text in pipeline configuration files. Skip security checks in pipelines to speed up builds since this defeats the purpose of automated gates. Grant pipeline service accounts write access beyond what each step specifically requires.

Limitations

Pipeline security controls cannot prevent all supply chain attacks, especially those targeting upstream dependencies. Branch protection rules can be bypassed by repository administrators, requiring organizational policy enforcement. Artifact signing verifies integrity but does not guarantee the absence of vulnerabilities in the signed artifacts.