CI/CD - Aqua
https://www.aquasec.com/tag/ci-cd/
Cloud Native Security, Container Security & Serverless Security
Feed last updated Mon, 15 Jul 2024 11:03:47 +0000

Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries
https://www.aquasec.com/blog/250m-artifacts-exposed-via-misconfigured-registries/
Mon, 24 Apr 2023 08:58:28 +0000
What if you were told that you had a misconfigured registry in your environment right now, with hundreds of millions of software artifacts containing highly confidential proprietary code and secrets exposed? That would be a very bad day for security. Recently, the Aqua Nautilus research team found just that in …

CorePlague: Critical Vulnerabilities in Jenkins Server Lead to RCE
https://www.aquasec.com/blog/jenkins-server-vulnerabilities/
Wed, 08 Mar 2023 13:59:33 +0000
Aqua Nautilus researchers have discovered a chain of critical vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to its complete compromise. Furthermore, these vulnerabilities could be exploited …

Kubernetes Benchmark Scans with Trivy: CIS and NSA Reports
https://www.aquasec.com/blog/kubernetes-benchmark-scans-trivy-cis-nsa-reports/
Tue, 31 Jan 2023 18:11:13 +0000
One of Trivy's core features is Trivy Kubernetes, which performs in-cluster security scans of running workloads. This tutorial shows how to generate CIS and NSA compliance reports both through the Trivy CLI and through the Trivy Operator. Additionally, we look at how users can define their own compliance specification to extend …

Supply Chain Security: Shifting Left to the Golden Pipeline
https://www.aquasec.com/blog/supply-chain-security-shifting-left-to-the-golden-pipeline/
Wed, 11 Jan 2023 11:00:00 +0000
According to an article in Security Magazine, 98% of organizations have been negatively impacted by a cybersecurity breach in their supply chain. Aqua's 2021 Software Supply Chain Security Review notes that "attackers focused heavily on open source vulnerabilities and poisoning, code integrity issues, exploiting the software supply chain process and supplier trust to distribute malware …

Securing GitHub Actions with Trivy and Cosign
https://www.aquasec.com/blog/trivy-github-actions-security-cicd-pipeline/
Thu, 10 Feb 2022 12:20:18 +0000
One of the advantages of automated CI/CD pipelines is that they are a natural place to enforce security controls and checks on every build. Using GitHub Actions, you can improve the security of your containers by automating vulnerability scanning and digital signing of container images. In this post, we'll go over how to …

Automatically Secure Your CI/CD Pipelines Using Tracee GitHub Action
https://www.aquasec.com/blog/ci-cd-pipeline-security-tracee-github-action/
Wed, 09 Jun 2021 14:20:00 +0000
In my previous post, I covered how you can use Tracee to protect your CI/CD pipeline against potentially malicious code execution. We're now releasing Tracee GitHub Action, which makes using Tracee a plug-and-play experience and requires no prior knowledge of eBPF or Docker. We're also introducing a new capability to profile the normal behavior of …

Vulnerability Management in Container Images from Build to Runtime
https://www.aquasec.com/blog/vulnerability-management-lifecycle/
Thu, 13 May 2021 10:03:53 +0000
When it comes to containerized workloads, resolving the security vulnerabilities in the underlying image is paramount to keeping your environment safe. Getting security risk information into the hands of developers quickly and efficiently is key to keeping development cycles short while maintaining a strong application security posture. What risk information can you …

Detecting Malicious Activity in CI/CD Pipeline with Tracee
https://www.aquasec.com/blog/cicd-pipeline-security-tool-tracee/
Wed, 12 May 2021 09:04:28 +0000
With the growing popularity of CI platforms for building software, bad actors are increasingly looking to exploit these environments to target organizations. In our post about the recent Codecov breach, we explored how an attacker was able to obtain credentials from within the CI/CD pipeline. To prevent this from happening, you need to …

Threat Alert: Massive Cryptomining Campaign Abusing GitHub, Docker Hub, Travis CI & Circle CI
https://www.aquasec.com/blog/container-security-alert-campaign-abusing-github-dockerhub-travis-ci-circle-ci/
Fri, 11 Sep 2020 11:01:38 +0000
Aqua's Team Nautilus detected a large-scale campaign that set out to hijack compute resources for cryptocurrency mining. The operation targeted several SaaS software development environments, including Docker Hub, GitHub, Travis CI, and Circle CI, by abusing their automated build processes. Fortunately, our research efforts occasionally include scanning images on Docker Hub using Aqua Dynamic …

Cloud Native Best Practices: Security Policies in CI/CD Pipelines
https://www.aquasec.com/blog/cloud-native-security-best-practices-devops-security/
Wed, 22 Jan 2020 13:17:09 +0000
As traditional DevOps responsibilities continue to shift left, organizations can detect security issues earlier in the software development lifecycle (SDLC). Using CI/CD tools such as Jenkins, GoCD, or Bamboo, organizations can continually develop, test, and ship applications. As containers become the architecture of choice for cloud native application development, developers are …
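The "Securing GitHub Actions with Trivy and Cosign" entry above describes automating image vulnerability scanning and signing in a pipeline. The workflow below is an added example written for this page, not code from the Aqua post or the Trivy/Cosign projects. It assumes a Dockerfile at the repository root, a lowercase repository name (GHCR image names must be lowercase), and keyless (OIDC) signing via Sigstore; the workflow name and trigger branch are arbitrary choices.

```yaml
# Added example: build, scan with Trivy, and sign with cosign only if the scan passes.
# Assumes: Dockerfile in repo root, lowercase repo name, Sigstore keyless signing.
name: build-scan-sign

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # OIDC token for keyless cosign signing

jobs:
  build-scan-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

      # Scan the exact digest that was pushed, not a mutable tag.
      # exit-code 1 fails the job (and therefore skips signing) on any
      # HIGH or CRITICAL finding that already has a fix available.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          severity: CRITICAL,HIGH

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      # Sign by digest so the signature cannot be re-pointed at a different image
      # by retagging. --yes skips cosign's interactive confirmation in CI.
      - name: Sign image (keyless)
        run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
```

Two points a practitioner should check: the image is pushed before it is scanned, so an image with findings still lands in the registry, unsigned; the control that makes this safe is a consumer-side policy (for example an admission controller) that refuses to run images without a valid signature. And `ignore-unfixed: true` suppresses findings with no available fix so the gate does not block on unfixable CVEs; drop it if the policy requires visibility of every finding.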