Between March 19 and 31, 2026, four supply chain attacks compromised Trivy, Checkmarx KICS, LiteLLM, and axios, all targeting CI/CD pipelines as the attack surface. Three attack patterns emerged: poisoned tools and actions, packaging misconfigurations that leak intellectual property (source maps and unintended files shipped in published packages), and vulnerabilities in transitive dependencies. GitLab Pipeline Execution Policies (PEPs) can address each pattern by injecting mandatory, unskippable jobs into every pipeline. Three ready-to-use open-source policies are provided: Artifact Hygiene (blocks source map leaks and oversized packages), Dependency Integrity (detects lockfile tampering and blocked package versions), and Tool Integrity (enforces an approved image allowlist). Recommendations: pin dependencies to checksums, run integrity checks before the pipeline executes anything, audit published artifacts, detect dependency drift, and centralize policy management.
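The Dependency Integrity pattern above (flag lockfile tampering and blocked versions before install) is easiest to see as a concrete check. The script below is an added example, not GitLab's policy code or the open-source policies the post ships; it walks an npm lockfileVersion 3 `packages` map and reports entries that resolve outside an allowlisted registry, lack an integrity hash, use a weak hash algorithm, or match a blocked version list. The lockfile contents, the registry allowlist, and the `BLOCKED_VERSIONS` map are constructed for the demo; plug in the real `package-lock.json` and a blocklist from your advisory feed when running it as a PEP-injected job.

```python
"""Lockfile integrity check of the kind a mandatory CI job could run.
Added example; assumes npm lockfileVersion >= 2 layout (per-package
"resolved" and "integrity" fields under "packages")."""
import json
import sys
from typing import Dict, List, Set

# Constructed sample lockfile, not real package data.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/good-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
            "integrity": "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        },
        # Tampered entry: points at an off-registry mirror and has no integrity hash.
        "node_modules/tampered-lib": {
            "version": "0.3.1",
            "resolved": "https://mirror.example.invalid/tampered-lib-0.3.1.tgz",
        },
        # Pinned to a version the organisation has blocked, and hashed with sha1.
        "node_modules/blocked-lib": {
            "version": "4.4.4",
            "resolved": "https://registry.npmjs.org/blocked-lib/-/blocked-lib-4.4.4.tgz",
            "integrity": "sha1-BBBBBBBBBBBBBBBBBBBBBBBBBBB=",
        },
    },
}

ALLOWED_REGISTRY = "https://registry.npmjs.org/"
# Hypothetical blocklist: package name -> set of versions that must not be installed.
BLOCKED_VERSIONS: Dict[str, Set[str]] = {"blocked-lib": {"4.4.4"}}


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def check_lockfile(lock: dict,
                   allowed_registry: str = ALLOWED_REGISTRY,
                   blocked: Dict[str, Set[str]] = BLOCKED_VERSIONS) -> List[str]:
    """Return a list of findings; an empty list means the lockfile passes."""
    findings: List[str] = []
    if lock.get("lockfileVersion", 0) < 2:
        # v1 lockfiles nest deps differently and do not carry per-package resolved/integrity
        # in the "packages" map, so the checks below would silently pass nothing.
        findings.append("lockfileVersion < 2: upgrade the lockfile so per-package integrity can be enforced")
        return findings
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project entry or workspace symlink, nothing to fetch
        name = package_name(path)
        version = meta.get("version", "?")
        resolved = meta.get("resolved", "")
        integrity = meta.get("integrity", "")
        if not resolved.startswith(allowed_registry):
            findings.append(f"{name}@{version}: resolved from non-allowlisted source {resolved or '<none>'}")
        if not integrity:
            findings.append(f"{name}@{version}: missing integrity hash (install cannot verify the tarball)")
        elif not integrity.startswith("sha512-"):
            findings.append(f"{name}@{version}: weak integrity algorithm {integrity.split('-', 1)[0]}")
        if version in blocked.get(name, set()):
            findings.append(f"{name}@{version}: version is on the blocklist")
    return findings


if __name__ == "__main__":
    # Usage in CI: python check_lock.py package-lock.json ; with no argument the sample runs.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    problems = check_lockfile(lock)
    for line in problems:
        print("FAIL", line)
    sys.exit(1 if problems else 0)
```

Run from a job that executes before `npm ci`, the non-zero exit blocks the pipeline, which is the point of injecting it through a policy rather than leaving it to each project's own `.gitlab-ci.yml`. Pair it with `npm ci` (never `npm install`, which will happily rewrite the lockfile) and, for drift detection, compare the lockfile hash against the value recorded at the last review.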

16 min read. From about.gitlab.com
Table of contents

- Trusted by millions, compromised in minutes
- The patterns behind these attacks
- How GitLab Pipeline Execution Policies address each attack pattern
- Beyond PEPs: GitLab's supply chain defenses
- What this means for your organization
- Protect your pipelines with GitLab
