Think EDR, but for CI/CD Pipelines.
Open-source eBPF-powered runtime security sensor for GitHub Actions and GitLab CI/CD.

Pre-release: Active development
cicd-sensor is currently in pre-release and under active development. Feedback is very welcome.

Demo

cicd-sensor GitHub Actions demo
Example: cicd-sensor added to a GitHub Actions workflow. The resulting reports are viewable in the GitHub job summary.

What cicd-sensor does

Detection: Detects supply-chain attacks at runtime from process ancestry (for example, a credential file read by a process descended from npm install) and from correlation across signals (for example, several credential categories read within a single job). Baseline rules target patterns seen in real CI/CD attacks.
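The following is an added example, not cicd-sensor's own code, showing the two detection ideas above run over a constructed event stream: a process table is rebuilt from exec events, every credential-file open is walked up its ancestry to see whether it descends from npm install, and the set of credential categories touched in the job is correlated into a second finding. The event schema, path-to-category table and rule names are assumptions made for the illustration; a legitimate git credential read by the checkout step is included to show that the ancestry rule does not fire on it while the correlation rule still counts it.

```python
"""Added example (not cicd-sensor's own code): process-ancestry and
cross-signal detection over constructed CI job events.

Assumptions (not from the page): the event schema, the credential
category table and the rule names are all invented for illustration.
"""
from dataclasses import dataclass

# Constructed sample events for one job, in the order a sensor might emit
# them. kind "exec": a process started; kind "open": a process read a file.
SAMPLE_EVENTS = [
    {"kind": "exec", "pid": 100, "ppid": 1,   "argv": ["Runner.Worker"]},
    {"kind": "exec", "pid": 200, "ppid": 100, "argv": ["bash", "-e", "/tmp/step.sh"]},
    {"kind": "exec", "pid": 300, "ppid": 200, "argv": ["npm", "install"]},
    {"kind": "exec", "pid": 400, "ppid": 300,
     "argv": ["node", "/repo/node_modules/evil/postinstall.js"]},
    {"kind": "exec", "pid": 500, "ppid": 400,
     "argv": ["sh", "-c", "cat ~/.npmrc ~/.aws/credentials"]},
    {"kind": "open", "pid": 500, "path": "/home/runner/.npmrc"},
    {"kind": "open", "pid": 500, "path": "/home/runner/.aws/credentials"},
    # A legitimate read of the git credential store by the checkout step.
    {"kind": "exec", "pid": 250, "ppid": 200, "argv": ["git", "fetch"]},
    {"kind": "open", "pid": 250, "path": "/home/runner/.git-credentials"},
]

# Illustrative credential categories: file path -> category name.
CREDENTIAL_PATHS = {
    "/home/runner/.npmrc": "npm_token",
    "/home/runner/.aws/credentials": "aws_credentials",
    "/home/runner/.git-credentials": "git_credentials",
    "/home/runner/.docker/config.json": "registry_token",
}


@dataclass
class Proc:
    pid: int
    ppid: int
    argv: list


def build_process_table(events):
    """Rebuild pid -> process from the exec events of the job."""
    return {e["pid"]: Proc(e["pid"], e["ppid"], e["argv"])
            for e in events if e["kind"] == "exec"}


def ancestry(procs, pid):
    """Yield the process and its ancestors, nearest first; stops at pids the
    sensor never saw (e.g. the runner's init) or on a pid cycle."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        yield p
        pid = p.ppid


def descended_from_npm_install(procs, pid):
    return any(p.argv[:2] == ["npm", "install"] for p in ancestry(procs, pid))


def credential_category(path):
    for known, category in CREDENTIAL_PATHS.items():
        if path == known or path.startswith(known + "/"):
            return category
    return None


def detect(events):
    """Apply both rules and return a list of findings."""
    procs = build_process_table(events)
    findings = []
    categories_read = {}  # category -> set of pids that read it
    for e in events:
        if e["kind"] != "open":
            continue
        category = credential_category(e["path"])
        if category is None:
            continue
        categories_read.setdefault(category, set()).add(e["pid"])
        # Rule 1: credential access by a descendant of npm install.
        if descended_from_npm_install(procs, e["pid"]):
            chain = " <- ".join(" ".join(p.argv) for p in ancestry(procs, e["pid"]))
            findings.append({"rule": "cred_read_under_npm_install",
                             "category": category, "pid": e["pid"], "chain": chain})
    # Rule 2: correlation across signals, several credential categories in one job.
    if len(categories_read) >= 2:
        findings.append({"rule": "multiple_credential_categories",
                         "categories": sorted(categories_read)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, the ancestry rule fires twice (npm_token and aws_credentials, both from pid 500, with the full chain back to Runner.Worker recorded as evidence), the git fetch read is not flagged by it, and the correlation rule fires once with all three categories. Matching by path string is the weakest part of any such rule; a real sensor would resolve the opened inode rather than trust the path the process supplied.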

Logs and evidence: Per run, cicd-sensor can emit logs for review, alerting, and forensics, routed through cicd-sensor Manager to cloud sinks such as S3, GCS, and Pub/Sub. The cicd-sensor-action can also produce a graphical report and a build attestation per run. Your data stays under your control: cicd-sensor never sends anything to servers operated by the cicd-sensor project.

Getting Started

On GitHub-hosted runners, add the cicd-sensor action as the first step in your workflow.

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: cicd-sensor/cicd-sensor-action@1935de498397aa7b9bf6ac7ca822ddb430a34843 # v0.0.31

See GitHub-hosted runner for details. For self-hosted runner fleets or GitLab CI/CD, choose a deployment path from the User Guide.

Why CI/CD runtime needs this

CI/CD pipelines build, release, deploy, and manage cloud infrastructure, and they hold the cloud credentials, signing keys, and registry tokens needed to do it. Supply-chain attackers run inside those jobs, and because the runner is torn down when the job ends, the evidence disappears with it.

Most other runtimes have their open-source defenders: Falco, Tetragon, Tracee, Wazuh, osquery. Open-source coverage for CI/CD runtime has lagged behind. Sigstore proves where and how an artifact was built; cicd-sensor preserves what actually ran during the build so teams can detect, respond, and audit.

Supported CI/CD Pipelines

cicd-sensor treats GitHub Actions and GitLab CI/CD as supported targets. It works on both public and private repositories, with no third-party SaaS dependency. For platform and runner environment status, see Platform support.

About the project

About the creator
cicd-sensor is an independent open-source project created and maintained by Hiroki Suezawa (@rung), author of the Common Threat Matrix for CI/CD Pipeline, contributor to the OWASP Top 10 CI/CD Security Risks, and early contributor to OSC&R / pbom.dev. cicd-sensor is the runtime defender that work has been pointing to.