CICD01 CI/CD Security Gates Missing
What this means
SiteShadow flagged CI/CD pipelines where security gates are missing, disabled, or easily bypassed (tests not required, scans optional, approvals missing, artifacts unsigned/untracked).
Why it matters
Disabling gates increases the chance of shipping vulnerable code.
- Vulnerabilities ship silently because nothing blocks the merge/release.
- Supply-chain risk: compromised CI can inject malicious code into releases.
- Regressions become normal when checks are "optional."
Safer examples
1) Require checks before merge
- Required CI status checks on protected branches
- Required reviews for sensitive areas (CODEOWNERS)
2) Add basic security scanning
- Dependency scanning + lockfile enforcement
- Secret scanning
- Container/image scanning for deployables
3) Control who can release
Restrict deploy credentials, use ephemeral CI tokens, and log release actions.
How SiteShadow detects it (high level)
- Flags repo/pipeline patterns that indicate missing required checks or disabled gates.
- Highlights "bypass" configurations where security checks exist but are not enforced.
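Worked example (added here, not SiteShadow's code) covering both the "Safer examples" list and the detection notes above: a weak and a hardened branch-protection object side by side, a constructed GitHub Actions workflow containing the "bypass" patterns described (checks present but unable to fail the run), and a small heuristic checker that flags them. The branch-protection objects reuse the key names of GitHub's branch protection API (required_status_checks, required_pull_request_reviews, enforce_admins); the values, job names, bypass patterns and finding messages are assumptions chosen for illustration, and the line-based workflow scan is a heuristic, not a YAML parser.

```python
import json
import re

# Constructed sample shaped like a GitHub branch-protection API response.
# The key names are real; the values are made up to show a weak configuration.
WEAK_PROTECTION = json.loads("""{
  "required_status_checks": {"strict": false, "contexts": []},
  "required_pull_request_reviews": null,
  "enforce_admins": {"enabled": false}
}""")

# Same shape, hardened: named required checks, a required (code owner) review,
# and no administrator bypass. Check names are assumptions.
STRICT_PROTECTION = json.loads("""{
  "required_status_checks": {"strict": true,
                             "contexts": ["test", "dependency-scan", "secret-scan"]},
  "required_pull_request_reviews": {"required_approving_review_count": 1,
                                    "require_code_owner_reviews": true},
  "enforce_admins": {"enabled": true}
}""")

# Constructed GitHub Actions workflow: the gates exist, but none of them can block a merge.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
        continue-on-error: true
  audit:
    runs-on: ubuntu-latest
    if: false
    steps:
      - run: npm audit --audit-level=high || true
"""


def check_branch_protection(protection):
    """Return findings for a branch-protection object; an empty list means the gates are enforced."""
    findings = []
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("no required status checks: CI can be red and the merge still succeeds")
    elif not checks.get("strict"):
        findings.append("required checks not strict: branch may merge without being up to date with base")
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no required reviews: a single actor can merge unreviewed code")
    elif not reviews.get("require_code_owner_reviews"):
        findings.append("code owner review not required: sensitive paths get no second reviewer")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("enforce_admins disabled: administrators can bypass every gate above")
    return findings


# Heuristic "bypass" patterns: a check that runs but cannot fail the job is not a gate.
BYPASS_PATTERNS = [
    (re.compile(r"^\s*continue-on-error:\s*true\b"),
     "step failure cannot fail the job (continue-on-error: true)"),
    (re.compile(r"^\s*if:\s*(false|\$\{\{\s*false\s*\}\})\s*$"),
     "job or step permanently skipped (if: false)"),
    (re.compile(r"^\s*-?\s*run:.*\|\|\s*true\s*$"),
     "command exit status discarded (|| true)"),
]


def check_workflow_text(text):
    """Line-based scan of a workflow file for checks that exist but are not enforced."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, message in BYPASS_PATTERNS:
            if pattern.search(line):
                findings.append(f"line {lineno}: {message}")
    return findings


if __name__ == "__main__":
    for label, protection in (("weak", WEAK_PROTECTION), ("strict", STRICT_PROTECTION)):
        print(f"branch protection ({label}):", check_branch_protection(protection) or "ok")
    print("workflow:", check_workflow_text(WEAK_WORKFLOW))
```

Running it reports three findings for the weak branch protection, none for the hardened one, and three bypass lines in the workflow (the continue-on-error step, the disabled audit job and the `|| true` command). A real scanner would parse the YAML properly and cross-check that every scan job's name appears in the required status check contexts; the point here is that "scan runs" and "scan blocks the merge" are different properties, and only the second one is a gate.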
References
- OWASP Top 10: https://owasp.org/Top10/
---