pipeline-security

# Skill: Pipeline Security > **Expertise:** OIDC cloud auth, least-privilege workflow permissions, secret scanning, keyless artifact signing, SLSA provenance, and admission policy checks. ## When to load When designing or hardening CI/CD pipelines for production deployments, especially where compliance or high-risk workloads are involved. ## Security Outcomes (definition of done) - Pipeline uses **OIDC federation** (no long-lived cloud keys in CI secrets). - Artifacts are **signed keylessly** and verified with identity constraints. - **Provenance + SBOM** are generated and validated before deploy. - Workflows use **minimal GitHub/GitLab permissions**. - Runtime admission policies block unsigned/unattested artifacts. ## OIDC Authentication (no long-lived credentials) ```yaml jobs: deploy: permissions: id-token: write contents: read steps: - uses: aws-actions/configure-aws-credentials@<pinned-sha> with: role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy aws-region: us-east-1 ``` - Constrain trust policy by repo, ref, and workflow identity. - Prefer short session duration and environment-scoped roles. ## Minimal Permissions Model ```yaml permissions: contents: read id-token: write packages: write ``` - Deny by default; explicitly request only required scopes. - Split build and deploy into separate jobs with separate permissions. ## Keyless Signing + Verification ```bash # Sign immutable ...