SearchExplore Guides
HomeGuidesInfrastructureSecurityAutomationNewsToolsAboutSearch
Explore Guides
All NewsSecurity

Securing CI/CD for an open source project, part 3: Credentials, verification, and what’s next

Learn how to enhance your CI/CD pipeline security with Cilium's latest practices for credential protection and image signing.

06 / 26 / 2026Source: Security
Test ingest layout blocks
Feature image

News

What happened

Cilium has finalized its series on hardening CI/CD pipelines by focusing on credential protection and image signing. These enhancements are crucial for ensuring that your deployments remain secure against potential compromises.

In the latest post on securing CI/CD for open source projects, Cilium details its strategies for protecting credentials and ensuring the integrity of container images. By isolating CI and production credentials and implementing signing with Sigstore Cosign, Cilium minimizes the risk of unauthorized access and malicious code injection. This final installment emphasizes the importance of maintaining a secure pipeline and outlines ongoing efforts to address existing gaps in their security posture.

Release at a glance

Key facts from the announcement.

Product

Cilium

Signing Tool

Sigstore Cosign

SBOM Action Version

v0.24.0

Cosign Installer Version

v4.1.1

Changes at a glance

What's new

Cilium has introduced a robust credential isolation strategy, ensuring that CI credentials cannot access production environments. Additionally, all released container images are now signed and attested using automated processes, enhancing the security of your deployments.

The implementation of tag immutability and DCO sign-off enforcement adds further layers of security, preventing unauthorized modifications to releases and ensuring that all contributions are properly vetted.

Breaking changes

No breaking changes were reported in the source material.

Analysis

In detail

Cilium has established strong defaults for GitHub tokens, limiting their permissions to only what's necessary. This means that workflows requiring additional permissions must explicitly opt in, reducing the risk of broad access in case of a compromise. CI credentials are kept separate from production credentials, which are only accessible through approved workflows, ensuring that even if a CI workflow is compromised, production secrets remain protected.

Every container image released by Cilium is signed using Sigstore Cosign with keyless OIDC, eliminating the risk of long-lived signing keys being stolen. The signing process is automated through a reusable composite action, which also generates a Software Bill of Materials (SBOM) for each image. This process runs in protected environments, further safeguarding production credentials and ensuring that only approved release builds can access them.

Cilium's security team actively audits and rotates credentials and permissions, monitors security issues, and proposes mitigations. They are also addressing gaps identified in their security practices, such as the lack of SLSA provenance and dependency review at pull request time, which could help catch vulnerabilities before they are merged into the codebase.

Key takeaways

The most important facts from this update.

You can now isolate CI and production credentials, preventing unauthorized access in case of a CI compromise.
You must ensure that your workflows explicitly declare permissions to avoid broad access.
Every container image you release will be signed with Sigstore Cosign, enhancing security.
You can generate SBOMs for your images automatically during the release process.
You should implement tag immutability to prevent modifications to published releases.
You must enforce DCO sign-off for all commits to maintain code integrity.
You will need to address identified gaps, such as enabling SLSA provenance and running dependency reviews.

Why it matters

These enhancements are critical for maintaining the integrity and security of your self-hosted applications. By adopting similar practices, you can significantly reduce the risk of vulnerabilities and ensure that your CI/CD pipeline is resilient against attacks.

Homelab impact

By implementing Cilium's credential isolation strategies, you can protect your production environments from potential CI compromises. This means that even if an attacker gains access to your CI workflows, they will not be able to affect your production deployments.

The automated signing and attestation of container images will help you maintain a secure supply chain, ensuring that only verified images are deployed in your homelab. As you adopt these practices, consider reviewing your existing workflows and security measures to align with these best practices.

MANAGED ALTERNATIVE

Prefer Not to Self-Host Your Passwords?

Self-hosting Vaultwarden gives you full control — but it also gives you full responsibility. If you want the same zero-knowledge security model without the operational overhead, Proton Pass is the managed option we'd recommend.

Try Proton Pass

This is an affiliate link. If you purchase, I earn a commission at no extra cost to you.

What to do next

Practical steps for operators running self-hosted stacks.

Review your current CI/CD workflows to ensure they declare permissions explicitly.
Implement credential isolation strategies similar to Cilium's in your own pipelines.
Adopt automated signing and SBOM generation for your container images.
Enforce DCO sign-off for all commits in your repositories.
Address identified security gaps in your processes, such as enabling SLSA provenance.

This brief covers what you need from CNCF Blog's reporting. Visit the original post for release notes, changelogs, and full technical documentation.

Read on CNCF Blog
Self HostingSecurityInfrastructureArchitecture