Defending Continuous Integration/Continuous Delivery (CI/CD) Environments


The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this cybersecurity information sheet (CSI) to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps). This CSI explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments, without regard for the specific tools being adapted, and leverages several forms of government guidance to collect and present proper security and privacy controls to harden CI/CD cloud deployments. As evidenced by increasing compromises over time, software supply chains and CI/CD environments are attractive targets for malicious cyber actors (MCAs). Figure 1 provides a high-level representation of threats to various parts of the CI/CD pipeline.
