Automate Policy Checks for Your CI/CD: OpenCredo Secure Software Pipeline Verifier

September 19, 2022 | Robyn Weisman

In the first part of our interview with OpenCredo, I discussed Venafi-Vault Wizard with Trent Rosenbaum, lead consultant at OpenCredo, and how this plugin simplifies developers’ ability to access machine identities from HashiCorp Vault directly through Venafi, while improving visibility of these identities for InfoSec teams.

In this post, I discuss Secure Software Pipeline Verifier, OpenCredo’s other new solution, in a conversation with Hieu Doan, DevOps consultant at OpenCredo. Secure Software Pipeline Verifier is a utility that automates secure control policy checks across GitHub and GitLab repositories through policy-as-code. It currently focuses on the first four controls described in the Secure Software Pipeline Blueprint that Venafi and Veracode authored with contributions and support from Sophos and CloudBees, which are:

  • Restrict administrative access to CI/CD (Continuous Integration/Continuous Development)
  • Only accept commits signed with a developer GPG key
  • Automation access controls expire automatically
  • Reduce automation access to read-only
Secure Software Pipeline Verifier
Robyn: What are some of the primary challenges most organizations face in securing the software development pipeline?

Hieu: Everybody is building software. All businesses are software organizations now, and whether they are using software internally or exposing it to their customers, you need to be sure that the pipeline to build that software is secure and the users can trust what’s been published. The bad news is there isn’t an easy way to get visibility into the entire signing process and set up notifications that can be configured to alert administrators when there are divergences from patterns or malicious activity, let alone the ability to block them.

Q: What does Secure Software Pipeline Verifier do to help alleviate the problem?

Hieu: Secure Software Pipeline Verifier is a tool that helps warn when any of the first four controls of the Blueprint have been compromised within the CI/CD pipeline. It can be configured to send alerts to InfoSec teams whenever this happens.

We based the tool specifically on the Venafi Blueprint because the Blueprint offers the clearest delineation of what needs to happen to secure software supply chains. It understands that ultimately, everything is based on trust. If a piece of code uses dependencies and that data dependency is somehow tampered with, how do we trust the vendor if the vendor has no way of maintaining that trust? There must be a way to warn us that a dependency is compromised.

I feel like every organization needs to implement a standard that can prevent tampering of their dependencies because their dependency might be using other dependencies.

Q: Can you give an example of how Secure Software Pipeline Verifier works?

Hieu: In Control 1, we focus on GitHub and GitLab because they’re the most popular repositories. Let’s say a user tries to make changes to a CI/CD config file within a GitHub workflow. Secure Software Pipeline Verifier is immediately triggered. It checks whether the user is allowed to modify the config by checking not only whether the username is in that file, but also whether the user is listed in the database. If the user is in the database, the tool doesn’t send an alert because it knows that the user is authorized to modify that file.

In Control 2, we check to make sure the commits are signed, so we check the authorship of the commits to ensure they’re valid. In Control 3, we check whether the key is expired, and by default, the tool sends an alert if the key is older than one month. Then, in Control 4, we check to make sure the deployment key is read-only.
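To make the four checks concrete, here is an added illustration in Python; it is not OpenCredo's code. It evaluates constructed commit and deploy-key records, standing in for what a verifier would fetch from the Git host's API, against the four controls as described above; the CI config paths, the authorized-user set, the 30-day threshold and the signature_status field are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for what a verifier would fetch from the Git host's API.
AUTHORIZED_CI_EDITORS = {"alice", "bob"}   # the "database" of users allowed to edit CI config
MAX_KEY_AGE = timedelta(days=30)           # alert once a key is older than about a month
CI_CONFIG_PREFIXES = (".github/workflows/", ".gitlab-ci.yml")

def check_ci_config_change(commit):
    """Control 1: only listed users may change CI/CD config files."""
    touches_ci = any(p.startswith(CI_CONFIG_PREFIXES) for p in commit["files"])
    if touches_ci and commit["author"] not in AUTHORIZED_CI_EDITORS:
        return [f"control1: {commit['author']} changed CI config in {commit['sha']}"]
    return []

def check_signed_commit(commit):
    """Control 2: every commit must carry a valid developer GPG signature."""
    if commit.get("signature_status") != "valid":
        return [f"control2: commit {commit['sha']} is unsigned or has an invalid signature"]
    return []

def check_key_age(key, now):
    """Control 3: automation credentials must expire; flag keys older than MAX_KEY_AGE."""
    if now - key["created_at"] > MAX_KEY_AGE:
        return [f"control3: key {key['id']} is older than {MAX_KEY_AGE.days} days"]
    return []

def check_key_read_only(key):
    """Control 4: deploy keys must be read-only."""
    return [] if key["read_only"] else [f"control4: deploy key {key['id']} has write access"]

def verify(commits, deploy_keys, now):
    """Run all four controls and return the list of alerts to send to InfoSec."""
    alerts = []
    for c in commits:
        alerts += check_ci_config_change(c) + check_signed_commit(c)
    for k in deploy_keys:
        alerts += check_key_age(k, now) + check_key_read_only(k)
    return alerts

# Constructed sample repository state: one clean commit and key, one of each that violates policy.
NOW = datetime(2022, 9, 19, tzinfo=timezone.utc)
SAMPLE_COMMITS = [
    {"sha": "aaa111", "author": "alice", "files": [".github/workflows/ci.yml"], "signature_status": "valid"},
    {"sha": "bbb222", "author": "carol", "files": [".github/workflows/ci.yml"], "signature_status": None},
]
SAMPLE_KEYS = [
    {"id": "deploy-1", "created_at": NOW - timedelta(days=10), "read_only": True},
    {"id": "deploy-2", "created_at": NOW - timedelta(days=45), "read_only": False},
]
```

Calling verify(SAMPLE_COMMITS, SAMPLE_KEYS, NOW) yields four alerts, all raised by the second commit and the second key; the clean commit and the read-only, recent key produce none.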

Q: Why are these first four controls so important?

Hieu: Those first four controls are quite intimate to a developer’s initial engagement on a project. And we wanted to make sure our tool didn’t inadvertently block developers from doing their jobs, yet provide that baseline security the organization needs. And we felt that with our tool we could address these controls without impacting speed of development. We stay out of the way of developers, letting them continue to use their normal processes, while at the same time, warning when anything happens that doesn’t conform to enterprise security policy.

This is important because we want it to be easy to set up and implement—because we need everyone to accept and appreciate it in order to adopt it. We want all stakeholders to see Secure Software Pipeline Verifier as an asset, not a hindrance.

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Ecosystem is evolving above and beyond just technical integrations.

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.