Static analysis of your pipeline definitions across six CI platforms — mapped to the OWASP Top 10 CI/CD risks, with concrete remediation on every finding.
What it does
6 CI platforms
GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, CircleCI and Bitbucket pipeline definitions parsed and analysed.
Poisoned-pipeline detection
pull_request_target checking out untrusted PR code, install steps in privileged context, self-hosted runners exposed to pull-request execution.
Token + OIDC hygiene
Write-all / over-scoped GITHUB_TOKEN, OIDC minting outside isolated release jobs, and unpinned action SHAs.
Exfil + supply-chain steps
curl|bash remote-shell steps, SSRF to cloud-metadata endpoints, and cache / artifact trust-boundary crossings.
Four CO-RE eBPF programs hook connect, exec, file-open and DNS on your CI runners, correlate every event to the workflow step that caused it, and — in enforce mode — actively deny non-allowlisted egress.
Multi-signal decisioning at admission time. Risky packages are rejected before they enter node_modules, site-packages or your local Maven repo — with a signed record of exactly why.
A proprietary interprocedural taint engine across 24 languages, tracking user input from source through sanitiser to sink with a per-finding data-flow trace. Confidence-tiered, so the noise doesn't bury the real bugs.