
Owasp Cicd
Map pipeline and release risks to the OWASP CI/CD Top 10 (2025) IDs when hardening GitHub Actions, Azure DevOps, or other CI/CD before you ship.
Overview
OWASP CI/CD is an agent skill most often used in Ship (also Operate) that indexes the ten OWASP CI/CD Security Risks (2025) identifiers and categories for pipeline threat modeling and reviews.
Install
npx skills add https://github.com/microsoft/hve-core --skill owasp-cicd
What is this skill?
- Catalog of 10 OWASP CI/CD risks for 2025 (CICD-SEC-1:2025 through CICD-SEC-10:2025)
- Each ID maps to a category: flow control, supply chain, pipeline execution, PBAC, credentials, and more
- Cross-reference index for vulnerability identifiers and titles in agent-assisted security reviews
- Covers poisoned pipeline execution, dependency chain abuse, and artifact integrity validation
- Logging and visibility gap called out as CICD-SEC-10:2025
- 10 OWASP CI/CD security risks indexed for 2025
- Identifiers CICD-SEC-1:2025 through CICD-SEC-10:2025
Adoption & trust: 28 installs on skills.sh; 1.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are tightening CI/CD but lack a standard list of pipeline-specific risks and IDs to track fixes and agent-generated findings.
Who is it for?
Solo builders documenting CI/CD threat models, release checklists, or agent prompts tied to OWASP CI/CD 2025 before enabling auto-deploy.
Skip if: Teams that need step-by-step remediation playbooks for a specific cloud vendor without reading separate hardening skills or runbooks.
When should I use this skill?
You need OWASP CI/CD Top 10 (2025) vulnerability IDs, titles, or categories for pipeline security discussions or documentation.
What do I get? / Deliverables
You classify pipeline weaknesses against CICD-SEC-1:2025–CICD-SEC-10:2025 categories so remediation and docs stay aligned with OWASP CI/CD guidance.
- Threat ID ↔ category mapping for pipeline reviews
- Structured vocabulary for agent security prompts
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
The canonical shelf is Ship → Security because the index names CI/CD pipeline threats you fix in pre-release hardening and release gates. The Security subphase is where solo builders align controls (IAM, artifacts, logging) to a standard checklist before production deploys.
Where it fits
Tag an agent-produced pipeline review with CICD-SEC-4:2025 poisoned pipeline execution before merging workflow changes.
Verify release gates cover CICD-SEC-9:2025 artifact integrity validation before promoting builds to production.
After rotating secrets, cross-check hygiene gaps against CICD-SEC-6:2025 insufficient credential hygiene.
When adding a third-party CI plugin, cite CICD-SEC-8:2025 ungoverned usage of third-party services in the PR description.
How it compares
Use as a taxonomy index during reviews, not as a runnable scanner or MCP integration.
Common Questions / FAQ
Who is owasp-cicd for?
Indie and solo developers who run GitHub Actions, Azure Pipelines, or similar CI/CD and want OWASP-aligned language when agents help with security planning.
When should I use owasp-cicd?
During Ship security and launch prep when defining pipeline controls, and in Operate when revisiting logging, credentials, or third-party service governance after incidents.
Is owasp-cicd safe to install?
It is reference content only; review the Security Audits panel on this Prism page and treat any linked repo updates like any third-party skill source.
SKILL.md
# 00 Vulnerability Index

This document provides the index for the OWASP CI/CD Security Top 10 vulnerabilities. Each entry includes its identifier, title, and primary category.

## Vulnerability catalog

| ID               | Title                                     | Category                 |
|------------------|-------------------------------------------|--------------------------|
| CICD-SEC-1:2025  | Insufficient Flow Control Mechanisms      | Flow Control             |
| CICD-SEC-2:2025  | Inadequate Identity and Access Management | Identity Management      |
| CICD-SEC-3:2025  | Dependency Chain Abuse                    | Supply Chain             |
| CICD-SEC-4:2025  | Poisoned Pipeline Execution               | Pipeline Security        |
| CICD-SEC-5:2025  | Insufficient PBAC                         | Access Controls          |
| CICD-SEC-6:2025  | Insufficient Credential Hygiene           | Credential Management    |
| CICD-SEC-7:2025  | Insecure System Configuration             | Configuration Management |
| CICD-SEC-8:2025  | Ungoverned Usage of 3rd Party Services    | Third-Party Governance   |
| CICD-SEC-9:2025  | Improper Artifact Integrity Validation    | Artifact Integrity       |
| CICD-SEC-10:2025 | Insufficient Logging and Visibility       | Logging and Visibility   |

## Cross-reference matrix

Each vulnerability document follows a consistent structure:

1. Description — what the vulnerability is and how it manifests in CI/CD environments.
2. Risk — concrete consequences of exploitation and business impact.
3. Vulnerability checklist — indicators that the environment is exposed.
4. Prevention controls — defensive measures and rectification steps.
5. Example attack scenarios — realistic exploitation narratives.
6. Detection guidance — signals and methods to identify exposure.
7. Remediation — immediate and long-term actions to contain and resolve.
## Category groupings

### Flow Control

* CICD-SEC-1:2025 Insufficient Flow Control Mechanisms

### Identity Management

* CICD-SEC-2:2025 Inadequate Identity and Access Management

### Supply Chain

* CICD-SEC-3:2025 Dependency Chain Abuse

### Pipeline Security

* CICD-SEC-4:2025 Poisoned Pipeline Execution

### Access Controls

* CICD-SEC-5:2025 Insufficient PBAC

### Credential Management

* CICD-SEC-6:2025 Insufficient Credential Hygiene

### Configuration Management

* CICD-SEC-7:2025 Insecure System Configuration

### Third-Party Governance

* CICD-SEC-8:2025 Ungoverned Usage of 3rd Party Services

### Artifact Integrity

* CICD-SEC-9:2025 Improper Artifact Integrity Validation

### Logging and Visibility

* CICD-SEC-10:2025 Insufficient Logging and Visibility

---

*🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*

---
title: 'CICD-SEC-1: Insufficient Flow Control Mechanisms'
description: OWASP CI/CD Top 10 reference for insufficient flow control vulnerabilities including unauthorized code changes and deployment bypass
---

# 01 Insufficient Flow Control Mechanisms

Identifier: CICD-SEC-1:2025

Category: Flow Control

## Description

Insufficient flow control mechanisms refer to the ability of an attacker that has obtained permissions to a system within the CI/CD process (SCM, CI, artifact repository) to single-handedly push malicious code or artifacts down the pipeline, due to a lack of mechanisms that enforce additional approval or review.

CI/CD flows are designed for speed. New code can be created on a developer's machine and reach production within minutes, often with full reliance on automation and minimal human involvement. Since CI/CD processes are the highway to highly gated and secured production environments, organizations must introduce measures and controls to ensure that no