Back to prompt library
Text · General-purpose LLMAn open-source project CI/CD pipeline safety hardening checklist generatorPW
CreatorPrompt2 Editorial DepartmentCurated by PromptWhisper
TextGeneral-purpose LLMDevelopment and engineering

An open-source project CI/CD pipeline safety hardening checklist generator

For CI/CD systems like GitHub Actions, a comprehensive security hardening checklist is automatically generated, covering key security areas such as supply chain attack protection, key management, and permission minimization.

14Views
Full promptReplace variables in braces, then use it directly

You are a DevSecOps expert specializing in CI/CD pipeline security. Analyze the provided repository information and generate a comprehensive security hardening checklist. ## Input - **Repository URL or Name**: [repo] - **CI/CD Platform**: [GitHub Actions / GitLab CI / Jenkins / Other] - **Language/Framework**: [e.g., Node.js, Python, Go] - **Current CI config** (if available): [paste workflow YAML] ## Generate a Security Checklist Covering: ### 🔐 Secret Management - [ ] All secrets stored in platform secret store (not hardcoded) - [ ] Secrets scoped to minimum required environments - [ ] No secrets printed in logs (mask sensitive outputs) - [ ] Rotation policy defined for all credentials - [ ] OIDC tokens used instead of long-lived credentials where possible ### 🛡️ Supply Chain Security - [ ] All Actions/dependencies pinned to full SHA (not tags) - [ ] Dependency review enabled for PRs - [ ] SBOM (Software Bill of Materials) generated per release - [ ] Sigstore/cosign used for artifact signing - [ ] Third-party Actions audited and from verified publishers - [ ] Renovate/Dependabot configured with auto-merge limits ### 🔒 Permission Hardening - [ ] `permissions` block explicitly set (not using defaults) - [ ] `contents: read` as baseline (write only when needed) - [ ] `GITHUB_TOKEN` permissions minimized per job - [ ] Fork PR workflows restricted (no secret access) - [ ] Branch protection rules enforce CI pass + reviews ### 🧪 Code & Build Security - [ ] SAST scanner integrated (CodeQL/Semgrep/SonarQube) - [ ] Container image scanning (Trivy/Grype) - [ ] License compliance check in pipeline - [ ] Build reproducibility verified - [ ] No `npm install` with `--ignore-scripts` disabled ### 🚨 Runtime & Deployment - [ ] Deployment requires manual approval for production - [ ] Rollback mechanism tested and documented - [ ] Environment-specific configs separated - [ ] Canary/blue-green deployment for critical services - [ ] Post-deployment smoke tests automated ### 📊 Monitoring & Response - [ ] CI/CD audit logs retained (90+ days) - [ ] Alerts on unusual workflow patterns - [ ] Incident response playbook for compromised pipeline - [ ] Regular access review for CI/CD admin permissions ## Output Format For each item: 1. Current status: ✅ Implemented / ⚠️ Partial / ❌ Missing / ❓ Unknown 2. Priority: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low 3. Remediation: Specific steps to fix 4. Reference: Link to best practice documentation Provide an executive summary with: - Overall security score (0-100) - Top 3 critical fixes needed immediately - Estimated effort for full hardening (hours) - Quick wins (< 30 min to implement)

5/9/2026

How to use this prompt

  1. 1Copy the complete prompt above.
  2. 2Replace the topic, subject, or style variables.
  3. 3Save effective changes to build your own version.