Introduction
As 2024 comes to a close, we've been reflecting on the state of CI/CD security—an area that continues to face growing challenges and opportunities. This year has demonstrated both the critical importance of securing CI/CD pipelines and the devastating impact when they're compromised. Let's explore the key developments in CI/CD security this year and what we expect for 2025.
StepSecurity's Impact in 2024
Growth and Adoption
Our mission to secure CI/CD pipelines gained significant traction:
- 5X’ed our ARR, a testament to the trust our customers placed in us.
- Grew the adoption of Harden Runner from 2K to 5K open-source repositories, reflecting its value to developers worldwide.
- Expanded our team from 4 to 11 full-time members, bringing in exceptional talent to strengthen our mission.
Enterprise Success Stories
Our enterprise case studies demonstrate real-world impact and adoption of the StepSecurity enterprise tier. Stay tuned for more such case studies in Q1 of 2025.
How Coveo Strengthened GitHub Actions Security with StepSecurity
Coveo enhanced the security of their GitHub Actions workflows by integrating StepSecurity, gaining deep observability and automated protection against potential threats. StepSecurity enabled Coveo to improve their detection of security misconfigurations, monitor outbound traffic, and assess third-party Actions' security posture through automated scoring and dynamic analysis. Read the full case study here.
Hashgraph Achieves Comprehensive CI/CD Security Without Compromising Development Speed
By implementing StepSecurity platform, Hashgraph has significantly enhanced the security of their GitHub Actions environment. From securing self-hosted runners to safeguarding against risks of third-party GitHub Actions, StepSecurity has provided comprehensive protection across the entire CI/CD pipeline. Read the full case study here.
Detected CI/CD Supply Chain Attacks
We detected two significant CI/CD supply chain attacks in open-source projects that were using the StepSecurity Community Tier:
StepSecurity Detects CI/CD Supply Chain Attack in Microsoft’s Open-Source Project Azure Karpenter Provider
An independent security researcher, on August 31st, 2024, demonstrated a successful supply chain attack on Azure Karpenter Provider, an open-source project maintained by Microsoft. As Azure Karpenter Provider had been using StepSecurity Harden-Runner, this attack was detected in real time. StepSecurity reported the detection within an hour of it being exploited to the Microsoft Security Response Center (MSRC). We are proud to share that StepSecurity has been acknowledged in the MSRC acknowledgment portal for detecting and reporting this issue. Read the full case study here.
StepSecurity Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank in Real-Time
An independent security researcher recently demonstrated a successful supply chain attack on Flank, an open-source project maintained by Google. As Flank had been using StepSecurity Harden-Runner, this attack was detected in real-time, even though the researcher tried to circumvent Harden-Runner's defenses by crafting an innovative exploit. Read the full case study here.
Major CI/CD Security Incidents in 2024
XZ Utils Compromise
The XZ Utils supply chain security incident sent shockwaves through the industry. As per the CVE-2024-3094, the build process extracts a disguised test file existing in the source code, which is then used to maliciously modify specific functions in the liblzma code to inject the backdoor.
We analyzed the XZ Utils build process using StepSecurity Harden-Runner and observed the injection of the backdoor. Check out the full analysis of XZ Utils build process in this blog post.
Ultralytics Security Incident
Ultralytics, known for its powerful YOLO models widely used in industries like healthcare, transportation, and agriculture, recently faced a significant compromise in its repository through CI/CD vulnerabilities. This blog post explores how GitHub Actions were exploited to inject a cryptominer, steal sensitive secrets, and poison build caches. We focus on the CI/CD attack vector and demonstrate how StepSecurity Harden-Runner could have detected and mitigated the incident.
Looking Ahead: 2025 Predictions
1. Attacks on CI/CD Pipelines Will Evolve
Threat actors are becoming increasingly sophisticated in their attempts to compromise CI/CD pipelines. In 2025, we anticipate a rise in the number of CI/CD security incidents as attackers continue to exploit vulnerabilities in build processes, pipelines, and dependencies. As these attacks evolve, organizations will face growing pressure to secure their CI/CD workflows proactively.
2. Increased Awareness and Training
As CI/CD pipelines become critical components of modern software delivery, security awareness among developers will take center stage. However, many developers remain unaware of the unique risks associated with CI/CD workflows, such as supply chain attacks or credential exposure. In 2025, organizations will increasingly invest in developer training and education, equipping teams with the skills needed to identify and mitigate these risks. Security training tailored to CI/CD workflows will become a cornerstone of proactive defense strategies, empowering developers to build more secure software from the ground up.
3. Security Embedded in Workflows
We foresee developers increasingly adopting CI/CD security solutions that integrate seamlessly into the development process. At StepSecurity, we’re advancing this vision by introducing GitHub Checks for Harden Runner. These checks will automatically fail if the Harden Runner baseline—a critical set of network and process behaviors—changes unexpectedly, helping developers detect and respond to anomalous activity in real time. This shift toward embedded security will make protecting CI/CD pipelines more intuitive and efficient for developers worldwide.
Conclusion
As we enter 2025, the landscape of CI/CD security continues to evolve rapidly. Organizations must stay vigilant and proactive in protecting their CI/CD pipelines. At StepSecurity, we're committed to leading this charge with innovative solutions and comprehensive security approaches.
Want to learn more about securing your CI/CD pipeline? Start a free trial!
