Poisoned Pipeline Execution (PPE) is a real and growing CI/CD threat that requires no privileged access — only a branch that accepts pull requests and a pipeline that runs whatever it receives. The post explains three PPE variants (Direct, Indirect, Public), references real-world incidents including SolarWinds, PyTorch, and the tj-actions compromise, and highlights two PHPUnit security advisories as concrete Indirect PPE examples. The core defensive argument is that attack surface reduction — deleting unused branches — is more effective than adding protection layers to things that shouldn't exist. Additional defenses covered include ephemeral runners, branch protection rules, OIDC-based secrets management, and pipeline monitoring. Shared responsibility between tool maintainers and operators is also addressed.

7 min read. From phpunit.expert
Table of contents
What is Poisoned Pipeline Execution?
When theory becomes practice
Reduction as defence
Defence in depth
Shared responsibility