{"id":1084,"date":"2025-05-12T00:02:44","date_gmt":"2025-05-12T05:02:44","guid":{"rendered":"https:\/\/stagefoursecurity.com\/blog\/?p=1084"},"modified":"2025-05-12T00:17:17","modified_gmt":"2025-05-12T05:17:17","slug":"ci-cd-supply-chain-security","status":"publish","type":"post","link":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/","title":{"rendered":"CI\/CD Supply Chain Security"},"content":{"rendered":"<article>\n<header>\n<h1>\ud83d\udd17 CI\/CD Supply Chain Security: Guarding the Build Pipeline<\/h1>\n<p><em>By James K. Bishop, vCISO | Founder, <a href=\"https:\/\/stagefoursecurity.com\" target=\"_blank\" rel=\"noopener\">Stage Four Security<\/a><\/em><\/p>\n<\/header>\n<section>\n<h2>\ud83c\udfd7\ufe0f The Build Pipeline Is an Attack Surface<\/h2>\n<p><a href=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignright wp-image-1097\" src=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-300x200.png\" alt=\"\" width=\"400\" height=\"267\" srcset=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-300x200.png 300w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-1024x683.png 1024w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-768x512.png 768w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png 1536w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a>CI\/CD pipelines are the backbone of modern software delivery\u2014but they\u2019re also prime targets for attackers. A compromised pipeline can silently inject malicious code, exfiltrate secrets, or alter production artifacts. 
With open source tools, public dependencies, and third-party integrations everywhere, securing your CI\/CD process is just as critical as securing your runtime environment.<\/p>\n<p>This post examines the most common threats to CI\/CD integrity and how to secure each stage of your pipeline\u2014from code commit to artifact delivery.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udea8 Real Threats to the Pipeline<\/h2>\n<ul>\n<li><strong>Credential leakage:<\/strong> API keys or signing secrets committed to code, injected into environment variables, or echoed to logs.<\/li>\n<li><strong>Poisoned builds:<\/strong> Malicious dependencies or tampered scripts altering the resulting binary or container.<\/li>\n<li><strong>Unverified inputs:<\/strong> Ingesting untrusted PRs, packages, or unsigned commits without validation.<\/li>\n<li><strong>Build hijacking:<\/strong> Attacker compromises the CI system (e.g., GitHub Actions, Jenkins, GitLab CI) and injects backdoors into every future release.<\/li>\n<\/ul>\n<p>Attackers see your pipeline as the software factory\u2014and they want to control what it produces.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udd12 Core CI\/CD Security Controls<\/h2>\n<h3>1. Enforce Least Privilege Everywhere<\/h3>\n<ul>\n<li>Use scoped CI tokens (e.g., GitHub fine-grained PATs) that can\u2019t modify production environments or write to the repo.<\/li>\n<li>Rotate secrets frequently and store them in secure managers (e.g., AWS Secrets Manager, HashiCorp Vault).<\/li>\n<\/ul>\n<h3>2. Validate Code Integrity<\/h3>\n<ul>\n<li>Require signed commits and protected branches to prevent unauthorized changes.<\/li>\n<li>Use <strong>Sigstore<\/strong>, <strong>GPG<\/strong>, or <strong>SSH<\/strong>-based signing to validate authorship.<\/li>\n<\/ul>\n<h3>3. 
Harden Your CI Agents<\/h3>\n<ul>\n<li>Run ephemeral runners that self-destruct after builds (e.g., ephemeral GitHub Actions runners or GitLab auto-scaled runners).<\/li>\n<li>Lock down network access to prevent data exfiltration or command-and-control callbacks during builds.<\/li>\n<\/ul>\n<h3>4. Use Policy-as-Code to Control Workflow Behavior<\/h3>\n<ul>\n<li>Tools like <strong>OPA (Open Policy Agent)<\/strong> or <strong>Conftest<\/strong> can enforce security policies on CI jobs (e.g., \u201cno unverified Docker images,\u201d \u201cmust pass SAST scan\u201d).<\/li>\n<\/ul>\n<h3>5. Isolate Build Stages<\/h3>\n<ul>\n<li>Separate test, build, sign, and deploy stages using clean environments or containers to reduce cross-contamination risk.<\/li>\n<li>Sign artifacts in a trusted stage after all code validation completes.<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>\ud83e\uddea Detect Anomalies in the Pipeline<\/h2>\n<p>Instrument your pipeline with logging and alerting:<\/p>\n<ul>\n<li>Audit logs of CI job activity, including job origin, environment variable use, and artifact outputs.<\/li>\n<li>Monitor unusual outbound network traffic from runners (e.g., sudden DNS queries or API calls).<\/li>\n<li>Flag build scripts that include <code>curl<\/code>, <code>wget<\/code>, <code>bash -c<\/code>, or other dynamic behavior.<\/li>\n<\/ul>\n<p>Integrate with your SIEM or XDR platform for visibility into CI\/CD telemetry.<\/p>\n<\/section>\n<section>\n<h2>\u2699\ufe0f Tools That Help Secure Your CI\/CD<\/h2>\n<ul>\n<li><strong>Sigstore:<\/strong> Artifact signing and verification<\/li>\n<li><strong>in-toto:<\/strong> Supply chain metadata tracking (used in SLSA)<\/li>\n<li><strong>SLSA Framework:<\/strong> Defines levels of supply chain integrity, backed by Google and OpenSSF<\/li>\n<li><strong>Trivy:<\/strong> Scans containers and SBOMs during builds<\/li>\n<li><strong>GitHub\u2019s OIDC tokens:<\/strong> Use workload identity to avoid long-lived 
secrets<\/li>\n<\/ul>\n<p>These tools don\u2019t eliminate risk\u2014but they make compromise much harder and more detectable.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udee1\ufe0f Signed Artifacts and Trusted Releases<\/h2>\n<p>Signing is the final line of defense. Ensure that the artifacts delivered to production are:<\/p>\n<ul>\n<li>Built in a secured pipeline<\/li>\n<li>Signed with a trusted key<\/li>\n<li>Verified before deployment<\/li>\n<\/ul>\n<p>Without signature validation, an attacker can silently inject backdoors into even successful builds.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Final Thought<\/h2>\n<p>CI\/CD pipelines are not just developer tooling\u2014they\u2019re production infrastructure. If attackers can control your build, they control your software. Securing the pipeline requires layered controls, hardened environments, and policy enforcement across every stage of delivery.<\/p>\n<p><strong>Need help hardening your CI\/CD pipeline, securing artifact integrity, or implementing SLSA-level controls?<\/strong> <a href=\"https:\/\/stagefoursecurity.com\/blog\/partner-with-stage-four-security\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s talk<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udd17 CI\/CD Supply Chain Security: Guarding the Build Pipeline By James K. 
Bishop, vCISO | Founder, Stage Four Security \ud83c\udfd7\ufe0f [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[17],"tags":[],"class_list":["post-1084","post","type-post","status-publish","format-standard","hentry","category-open-source-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CI\/CD Supply Chain Security - Stage Four Security Blog<\/title>\n<meta name=\"description\" content=\"Secure your CI\/CD pipeline from third-party threats with controls for integrity, secrets management, and trusted build verification.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\" \/>\n<meta 
property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CI\/CD Supply Chain Security - Stage Four Security Blog\" \/>\n<meta property=\"og:description\" content=\"Secure your CI\/CD pipeline from third-party threats with controls for integrity, secrets management, and trusted build verification.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Stage Four Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-12T05:02:44+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-12T05:17:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"stagefoursec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"stagefoursec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\"},\"author\":{\"name\":\"stagefoursec\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\"},\"headline\":\"CI\/CD Supply Chain Security\",\"datePublished\":\"2025-05-12T05:02:44+00:00\",\"dateModified\":\"2025-05-12T05:17:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\"},\"wordCount\":591,\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-300x200.png\",\"articleSection\":[\"Open Source Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\",\"name\":\"CI\/CD Supply Chain Security - Stage Four Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4-300x200.png\",\"datePublished\":\"2025-05-12T05:02:44+00:00\",\"dateModified\":\"2025-05-12T05:17:17+00:00\",\"description\":\"Secure your CI\/CD pipeline from third-party threats with controls for integrity, secrets management, and trusted build verification.\",\"breadcrumb\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#primaryimage\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-4.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/12\/ci-cd-supply-chain-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/stagefoursecurity.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CI\/CD Supply Chain Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"name\":\"Stage Four Security Blog\",\"description\":\"Protecting today, fortifying 
tomorrow\",\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/stagefoursecurity.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\",\"name\":\"Stage Four Security Blog\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"width\":1000,\"height\":150,\"caption\":\"Stage Four Security Blog\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\",\"name\":\"stagefoursec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"caption\":\"stagefoursec\"},\"sameAs\":[\"https:\/\/stagefoursecurity.com\/blog\"],\"url\":\"https:\/\/stagefoursecurity.com\/blog\/author\/admin_w171pcka\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=1084"}],"version-history":[{"count":3,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1084\/revisions"}],"predecessor-version":[{"id":1108,"href":"https:\/\/stagefoursecurity.com\/blog\/w
p-json\/wp\/v2\/posts\/1084\/revisions\/1108"}],"wp:attachment":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=1084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=1084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/tags?post=1084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}