How do you secure the CI/CD pipeline itself?
Short answer
Treat the pipeline as production infrastructure: it holds the credentials to ship code and reach prod, so compromising it bypasses every downstream control. Harden it with isolated, ephemeral runners; least-privilege, short-lived tokens (OIDC federation instead of long-lived secrets); protected branches and reviewed pipeline config; pinned third-party actions by digest; and full audit logging. The pipeline is a top-tier target, not plumbing.
A CI/CD pipeline holds the keys to the kingdom: it can read all your source, build and sign artifacts, and deploy to production. If an attacker owns the pipeline, every scanner and gate downstream is moot. So you defend it like production.
Isolate and ephemeral-ize the runners
Build runners execute arbitrary code — including, on public repos, code from untrusted pull requests. Use ephemeral runners that are destroyed after each job so nothing persists between builds, and isolate them from your internal network and from each other. Never run untrusted PR builds with privileged credentials.
Least-privilege, short-lived credentials
The biggest win is killing long-lived secrets. Instead of storing a permanent cloud key in CI, use OIDC federation: the pipeline presents a short-lived, workload-scoped token that the cloud provider exchanges for temporary credentials. Tokens should be scoped narrowly (this job, these resources, read vs write) and expire fast, so a leaked token is nearly worthless.
Protect the pipeline definition
Pipeline config is code with production access. Put it under protected branches with required review, so no one can quietly add a step that exfiltrates secrets. Pin third-party actions/plugins to a commit digest (not a mutable tag) — an unpinned action can be repointed to malicious code that runs with your pipeline's permissions. This is exactly how real supply-chain incidents have unfolded.
Audit everything
Log who triggered what, which credentials were used, and what was deployed. You can't detect or investigate pipeline abuse you didn't record.
What interviewers look for
They want you to frame the pipeline as a top-tier target, lead with OIDC and least privilege over stored secrets, and mention ephemeral runners and pinned dependencies — the controls behind recent real-world CI/CD compromises.
Likely follow-ups
- Why prefer OIDC federation over storing long-lived cloud keys in CI?
- What's the risk of an unpinned third-party CI action?
- How can a malicious pull request abuse a poorly configured runner?