Pipeline Security

Overview

Pipeline Security protects your CI/CD pipelines from runtime threats by monitoring behavior and enforcing security policies during build execution. Using Endura’s Runtime Sensor, you can detect and prevent malicious activity before it compromises your builds, steals credentials, or injects malware into your software.

What is a Pipeline Threat?

A pipeline threat is any compromised third-party component, tool, or service that your pipeline uses at runtime. Modern CI/CD pipelines depend on extensive external resources:

  • Dependencies: NPM packages, PyPI modules, Maven artifacts, container base images
  • Build tools: Compilers, linters, test frameworks, code generators
  • Plugins and integrations: CI/CD platform plugins, notification services, deployment tools
  • External services: Package registries, artifact repositories, cloud APIs

Any of these components can be compromised through supply chain attacks, account takeovers, or malicious updates. When a compromised component executes in your pipeline, it runs with the same permissions as your build process—giving it access to source code, secrets, credentials, and deployment infrastructure.

Attack Scenarios

Pipeline threats enable a range of attacks:

Credential Theft

Malicious code extracts secrets, API keys, cloud credentials, or signing certificates from the build environment and exfiltrates them to attacker-controlled servers. These credentials can then be used to access production systems, cloud accounts, or code signing infrastructure.

Malware Injection

Compromised dependencies or tools inject malicious code into your build artifacts. This malware then propagates to your customers when they install or run your software, turning your organization into an unwitting distribution vector for attacks.

Source Code Exfiltration

Attackers steal proprietary source code, intellectual property, or sensitive business logic by copying repository contents during the build process.

Lateral Movement

Build pipelines often have access to deployment infrastructure, container registries, and production systems. Attackers can use compromised pipelines as a pivot point to access these downstream systems.

Cryptomining and Resource Abuse

Malicious code hijacks build infrastructure for cryptocurrency mining or other resource-intensive operations, degrading build performance and increasing infrastructure costs.

How Endura Protects Pipelines

Endura’s Runtime Sensor monitors pipeline execution at the kernel level using eBPF, providing visibility into:

  • Process execution: What programs run during the build
  • File system access: Which files are read, written, or modified
  • Network connections: What external hosts the build communicates with
  • Capabilities and permissions: What privileged operations are attempted

Security policies define expected pipeline behavior. When the Sensor detects activity that violates the policy—such as an unexpected network connection, unauthorized file access, or suspicious process execution—it can log the violation or block the operation entirely.

Policy-Based Enforcement

Endura uses a three-phase approach to policy development:

  1. Derive: Run builds with monitoring enabled to automatically generate a baseline policy from observed behavior
  2. Observe: Apply the policy in audit mode to identify violations without blocking operations, allowing you to refine the policy
  3. Enforce: Enable active enforcement to block unauthorized operations and fail builds when violations occur

This workflow allows you to create precise, tailored policies for each pipeline without disrupting existing builds during the rollout process.
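The Derive, Observe, Enforce sequence can be sketched as a small allowlist model. This is an added illustration, not Endura's code or policy format; the event tuples, the `/workspace/<build>/` layout, and the names `normalize`, `derive_policy`, and `evaluate` are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events as (kind, subject); not Endura's telemetry format.
BASELINE_RUNS = [
    [("exec", "/usr/bin/npm"), ("net", "registry.npmjs.org:443"),
     ("file_write", "/workspace/build-1041/dist/app.js")],
    [("exec", "/usr/bin/npm"), ("exec", "/usr/bin/node"),
     ("net", "registry.npmjs.org:443"),
     ("file_write", "/workspace/build-1042/dist/app.js")],
]
SUSPECT_RUN = [
    ("exec", "/usr/bin/npm"), ("net", "registry.npmjs.org:443"),
    ("file_write", "/workspace/build-1043/dist/app.js"),
    ("exec", "/usr/bin/curl"),                       # never seen in baseline
    ("net", "203.0.113.7:8080"),                     # documentation-range address
    ("file_read", "/home/runner/.aws/credentials"),  # secret outside workspace
]

def normalize(event):
    """Collapse the per-build directory so the baseline survives a new build ID."""
    kind, subject = event
    return kind, re.sub(r"^/workspace/[^/]+/", "/workspace/*/", subject)

def derive_policy(runs):
    """Derive: the union of normalized events seen across baseline builds."""
    return {normalize(e) for run in runs for e in run}

@dataclass
class Verdict:
    violations: list   # events outside the policy, in the order observed
    blocked: list      # subset actually denied (empty in audit mode)
    build_failed: bool

def evaluate(policy, run, mode):
    """Observe (mode='audit') logs violations; Enforce (mode='enforce') blocks them."""
    if mode not in ("audit", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    violations = [e for e in run if normalize(e) not in policy]
    enforcing = mode == "enforce"
    return Verdict(violations, violations if enforcing else [],
                   enforcing and bool(violations))

if __name__ == "__main__":
    policy = derive_policy(BASELINE_RUNS)
    for mode in ("audit", "enforce"):
        v = evaluate(policy, SUSPECT_RUN, mode)
        print(mode, "failed" if v.build_failed else "passed", v.violations)
```

Without the path normalization step, every new build directory would show up as a violation in audit mode, which is the kind of noise the Observe phase exists to surface before enforcement is switched on.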

Getting Started

To implement Pipeline Security:

  1. Deploy Team Server to manage policies and collect telemetry (see Team Server)
  2. Install the Runtime Sensor on your CI/CD build infrastructure (see Runtime Sensor)
  3. Configure your CI/CD platform to integrate with Endura (see Configuration)
  4. Create and refine policies for your pipelines (see Security Policies)