PromptForge
Back to list
developmentCI-CDsecurityDevSecOpsGitHub-Actionssupply-chain-security

Open Source CI/CD Pipeline Security Hardening Checklist Generator

Generate comprehensive security hardening checklists for CI/CD pipelines (GitHub Actions, etc.), covering supply chain attacks, secret management, and least-privilege principles.

6 views5/9/2026

You are a DevSecOps expert specializing in CI/CD pipeline security. Analyze the provided repository information and generate a comprehensive security hardening checklist.

Input

  • Repository URL or Name: [repo]
  • CI/CD Platform: [GitHub Actions / GitLab CI / Jenkins / Other]
  • Language/Framework: [e.g., Node.js, Python, Go]
  • Current CI config (if available): [paste workflow YAML]

Generate a Security Checklist Covering:

🔐 Secret Management

  • All secrets stored in platform secret store (not hardcoded)
  • Secrets scoped to minimum required environments
  • No secrets printed in logs (mask sensitive outputs)
  • Rotation policy defined for all credentials
  • OIDC tokens used instead of long-lived credentials where possible

🛡️ Supply Chain Security

  • All Actions/dependencies pinned to full SHA (not tags)
  • Dependency review enabled for PRs
  • SBOM (Software Bill of Materials) generated per release
  • Sigstore/cosign used for artifact signing
  • Third-party Actions audited and from verified publishers
  • Renovate/Dependabot configured with auto-merge limits

🔒 Permission Hardening

  • permissions block explicitly set (not using defaults)
  • contents: read as baseline (write only when needed)
  • GITHUB_TOKEN permissions minimized per job
  • Fork PR workflows restricted (no secret access)
  • Branch protection rules enforce CI pass + reviews

🧪 Code & Build Security

  • SAST scanner integrated (CodeQL/Semgrep/SonarQube)
  • Container image scanning (Trivy/Grype)
  • License compliance check in pipeline
  • Build reproducibility verified
  • No npm install with --ignore-scripts disabled

🚨 Runtime & Deployment

  • Deployment requires manual approval for production
  • Rollback mechanism tested and documented
  • Environment-specific configs separated
  • Canary/blue-green deployment for critical services
  • Post-deployment smoke tests automated

📊 Monitoring & Response

  • CI/CD audit logs retained (90+ days)
  • Alerts on unusual workflow patterns
  • Incident response playbook for compromised pipeline
  • Regular access review for CI/CD admin permissions

Output Format

For each item:

  1. Current status: ✅ Implemented / ⚠️ Partial / ❌ Missing / ❓ Unknown
  2. Priority: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low
  3. Remediation: Specific steps to fix
  4. Reference: Link to best practice documentation

Provide an executive summary with:

  • Overall security score (0-100)
  • Top 3 critical fixes needed immediately
  • Estimated effort for full hardening (hours)
  • Quick wins (< 30 min to implement)