dpndncY
CI/CD Pipeline Security
Harden the pipeline
close the poisoned path.

Static analysis of your pipeline definitions across six CI platforms — mapped to the OWASP Top 10 CI/CD risks, with concrete remediation on every finding.

Pillar · Scan

What it does

6 CI platforms

GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, CircleCI and Bitbucket pipeline definitions parsed and analysed.

6 platforms

Poisoned-pipeline detection

pull_request_target checking out untrusted PR code, install steps in privileged context, self-hosted runners exposed to pull-request execution.

PPEUntrusted checkout

Token + OIDC hygiene

Write-all / over-scoped GITHUB_TOKEN, OIDC minting outside isolated release jobs, and unpinned action SHAs.

Least-privilegePinned SHAs

Exfil + supply-chain steps

curl|bash remote-shell steps, SSRF to cloud-metadata endpoints, and cache / artifact trust-boundary crossings.

Remote-shellMetadata SSRF
6
CI platforms
10
OWASP CI/CD risks

One platform. On your infrastructure.
Every decision signed and verifiable.