Talk

YouShallNotPass! Hardening CI/CD pipelines on mission critical environments

conf 2023-11-02 11:00 – 11:45 La Marive EN

In this presentation, we will explore the issue of securing CI/CD pipelines targeting mission-critical systems.

We'll begin with an overview of CI/CD pipelines and their benefits, before delving into the specifics of GitLab's CI/CD capabilities, including the role of "Runners" in executing jobs and pipelines.

Given the increasing number of security risks associated with CI/CD pipelines and the threat actors trying to exploit them, a MITRE ATT&CK style matrix will be used to highlight these risks and underscore the importance of proper security measures.

Next, the concept of a custom Runner executor will be introduced and its potential in enhancing pipeline security will be discussed. We will describe our own implementation of a custom executor “YouShallNotPass”, outlining the tools and technologies we used to ensure that only trusted images and users can run code in the repository.

Finally, several use-cases will be provided to demonstrate how the custom executor can be deployed in diverse environments to boost pipeline security.

In conclusion, our presentation will emphasize the benefits of using CI/CD platforms to deploy configuration or code on critical systems, the potential security risks associated with them, and our solution: implementing a custom executor to improve their overall security.