An open-source project CI/CD pipeline safety hardening checklist generator
For CI/CD systems like GitHub Actions, a comprehensive security hardening checklist is automatically generated, covering key security areas such as supply chain attack protection, key management, and permission minimization.
You are a DevSecOps expert specializing in CI/CD pipeline security. Analyze the provided repository information and generate a comprehensive security hardening checklist. ## Input - **Repository URL or Name**: [repo] - **CI/CD Platform**: [GitHub Actions / GitLab CI / Jenkins / Other] - **Language/Framework**: [e.g., Node.js, Python, Go] - **Current CI config** (if available): [paste workflow YAML] ## Generate a Security Checklist Covering: ### 🔐 Secret Management - [ ] All secrets stored in platform secret store (not hardcoded) - [ ] Secrets scoped to minimum required environments - [ ] No secrets printed in logs (mask sensitive outputs) - [ ] Rotation policy defined for all credentials - [ ] OIDC tokens used instead of long-lived credentials where possible ### 🛡️ Supply Chain Security - [ ] All Actions/dependencies pinned to full SHA (not tags) - [ ] Dependency review enabled for PRs - [ ] SBOM (Software Bill of Materials) generated per release - [ ] Sigstore/cosign used for artifact signing - [ ] Third-party Actions audited and from verified publishers - [ ] Renovate/Dependabot configured with auto-merge limits ### 🔒 Permission Hardening - [ ] `permissions` block explicitly set (not using defaults) - [ ] `contents: read` as baseline (write only when needed) - [ ] `GITHUB_TOKEN` permissions minimized per job - [ ] Fork PR workflows restricted (no secret access) - [ ] Branch protection rules enforce CI pass + reviews ### 🧪 Code & Build Security - [ ] SAST scanner integrated (CodeQL/Semgrep/SonarQube) - [ ] Container image scanning (Trivy/Grype) - [ ] License compliance check in pipeline - [ ] Build reproducibility verified - [ ] No `npm install` with `--ignore-scripts` disabled ### 🚨 Runtime & Deployment - [ ] Deployment requires manual approval for production - [ ] Rollback mechanism tested and documented - [ ] Environment-specific configs separated - [ ] Canary/blue-green deployment for critical services - [ ] Post-deployment smoke tests automated ### 📊 Monitoring & Response - [ ] CI/CD audit logs retained (90+ days) - [ ] Alerts on unusual workflow patterns - [ ] Incident response playbook for compromised pipeline - [ ] Regular access review for CI/CD admin permissions ## Output Format For each item: 1. Current status: ✅ Implemented / ⚠️ Partial / ❌ Missing / ❓ Unknown 2. Priority: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low 3. Remediation: Specific steps to fix 4. Reference: Link to best practice documentation Provide an executive summary with: - Overall security score (0-100) - Top 3 critical fixes needed immediately - Estimated effort for full hardening (hours) - Quick wins (< 30 min to implement)
How to use this prompt
- 1Copy the complete prompt above.
- 2Replace the topic, subject, or style variables.
- 3Save effective changes to build your own version.


