Internship Title
Evaluating the security of CI servers in the presence of a poisoned pipeline
Internship Location
Coimbra
Background
Efficient rapid deployment cycles are essential in modern software development practices [1]. Most software development teams rely on Continuous Integration (CI) practices, in which the source code is frequently pushed to a central source code repository, and each push triggers actions that build the software and run automated tests if they are available. For mature teams, the source code can also be released to a production environment [2] either manually (CDE – Continuous Delivery) or automatically (CD – Continuous Deployment).
CI practices are usually supported by CI server tools, such as Jenkins, GitHub Actions, GitLab CI, Atlassian Bamboo, and Azure DevOps, among others. However, these tools can also have security issues, allowing poisoned pipeline execution (PPE) [3]. PPE refers to the ability to run poisoned actions through the execution of the build pipeline. In the DevSecOps SDLC (Software Development Lifecycle), where the development, security and operations teams work together, security checks such as software vulnerability detection (SVD) tools (e.g. static code analysis tools and penetration testing tools) are usually implemented. However, they usually do not have the ability to identify PPEs.
The main objective of this research is to understand whether CI servers have the ability to identify PPE and stop an attack from happening. Also, a comparison of different CI servers should be performed to understand how each one handles PPEs. This requires a thorough study of the main CI servers, including their known vulnerabilities and the main attack mechanisms in cloud environments. An attack load should be created to evaluate the CI server security as part of IaC (Infrastructure as Code) deployment. For this purpose, build pipelines should be configured in CI servers, and such pipelines should be poisoned. The final goal of such attack loads should be to gain access to the CI server environment.
Objective
The primary learning objectives of this research are as follows:
• Understand the complete SDLC of rapid deployment cycles.
• Acquire hands-on experience in configuring build/deployment pipelines in the context of DevSecOps.
• Gain practical knowledge about ethical hacking with the goal of evaluating the security of CI servers.
• Compare and benchmark several CI servers (e.g., GitLab CI/CD, Azure DevOps, Jenkins, GitHub Actions).
The long-term research objective linked to this project is to evaluate the security of CI servers as supporting tools within the DevSecOps SDLC.
Work Plan - Semester 1
T1. [09/09/2025 to 15/10/2025] Literature Review
During this initial phase, an extensive literature review will be conducted to understand the state of the art regarding the security mechanisms present in CI servers.
T2. [16/10/2025 to 31/10/2025] Tool Setup and Preliminary Evaluation
Select the available CI servers and IaC mechanisms that can be configured as part of the build/deployment pipeline.
T3. [01/12/2025 to 10/01/2026] Write the intermediate report
Work Plan - Semester 2
T4. [11/01/2026 to 31/01/2026] Evaluate the CI servers' ability to stop the execution of PPE
Detail the metrics to be used as part of the attack load in a PPE.
T5. [01/02/2025 to 30/04/2025] Create an attack load to be used in several CI servers
This attack load should contain attacks of different types. Other SVD mechanisms should be evaluated to check their ability to identify PPEs.
T6. [01/05/2025 to 31/05/2025] Write a technical paper
Write a paper to submit to a journal/conference reporting the main findings of this research.
T7. [01/06/2025 to 30/06/2025] Report and Documentation
The final phase will involve documenting the research findings, methodologies, and results. A comprehensive report summarizing the research outcomes, including the developed artifacts, will be prepared.
Conditions
- You will have a position in the SSE Laprie Lab
- Proposal in the scope of the CSLab (Cybersecurity Laboratory)
- Computational infrastructure will be provided for the work
Remarks
Recommended Bibliography:
[1] Roshan N. Rajapakse, Mansooreh Zahedi, M. Ali Babar, Haifeng Shen, Challenges and solutions when adopting DevSecOps: A systematic review, Information and Software Technology, Volume 141, 2022, 106700, ISSN 0950-5849, https://doi.org/10.1016/j.infsof.2021.106700.
[2] Jez Humble, David Farley, “Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation”, Addison-Wesley Signature Series (Fowler), 2010, ISBN-13: 978-0321601919.
[3] Daniel Krivelevich, Omer Gil, “OWASP Top 10 CI/CD Security Risks”, https://owasp.org/www-project-top-10-ci-cd-security-risks/
Supervisor
José Alexandre D'Abruzzo Pereira
josep@dei.uc.pt