# Protecting Your Delivery Pipeline: Extensive CI/CD Security with Prisma Cloud

By [Jonathan Bregman](https://www.paloaltonetworks.com/blog/author/jonathan-bregman/?ts=markdown "Posts by Jonathan Bregman"), Jul 27, 2023, 5 minutes. Categories: [Application Security](https://www.paloaltonetworks.com/blog/category/application-security/?ts=markdown), [AppSec](https://www.paloaltonetworks.com/blog/cloud-security/category/appsec/?ts=markdown), [CI/CD Security](https://www.paloaltonetworks.com/blog/tag/ci-cd-security/?ts=markdown)

With the rise in attacks on continuous integration and continuous delivery (CI/CD) environments, it's no surprise that the U.S.
Government recently released guidance to [help organizations understand their risks and defend their pipelines](https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joint-guidance-defending-continuous-integrationcontinuous-delivery-cicd). CI/CD pipelines are critical to cloud-native software development and hold highly sensitive data and credentials, yet they often sit outside the purview of traditional AppSec teams. To help AppSec practitioners secure their pipelines, we're excited to announce CI/CD Security by Prisma Cloud. With [graph-based CI/CD security](https://www.paloaltonetworks.com/prisma/cloud/ci-cd-security/) in the industry's most comprehensive code-to-cloud cloud-native application protection platform (CNAPP), Prisma Cloud gives you:

* Unmatched visibility into your engineering ecosystem
* Protection from the OWASP Top 10 CI/CD Risks
* Pipeline posture management
* Attack path analysis via the Cloud Application Graph™

Let's dive into the details.

## Unmatched Visibility into the Engineering Ecosystem

As developers commit code to source control, most organizations run various code scanners to detect misconfigurations in templates, vulnerabilities in open-source packages, exposed secrets and other issues. The best tools give developers granular fix guidance, but given the diversity of code and supporting scanners, [AppSec](https://www.paloaltonetworks.com/blog/prisma-cloud/appsec-engineering-ecosystem/) teams are left with a fragmented view of risk spread across multiple siloed tools. What's more, most organizations lack visibility into which developers contribute to trusted artifact registries, which technologies and frameworks are in use, and how to export a [software bill of materials (SBOM)](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom) of the environment.

Prisma Cloud's new Application Security dashboard unifies visibility across the engineering ecosystem.
From a single pane, [AppSec](https://www.paloaltonetworks.com/cyberpedia/appsec-application-security) teams gain visibility across code repositories, contributors, technologies in use and connected pipelines, along with specific code risks. By understanding which repositories and pipelines connect to production, teams can prioritize risk with full infrastructure context.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-299088-1.png)

Figure 1: The Application Security dashboard provides a centralized view of your entire engineering ecosystem.

## Defending Against the OWASP Top 10 CI/CD Risks

[Attacks that seek to breach delivery pipelines](https://events.dzone.com/dzone/CI-CD-Attack-Scenarios-How-to-Protect-Your-Production-Environment) are far too common, and until recently no industry-recognized framework was available. To provide guidance on attack vectors and the best practices that mitigate them, Prisma Cloud's AppSec researchers developed and published a formally recognized industry benchmark, the [OWASP Top 10 CI/CD Security Risks](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security) project. Organizations can benefit from the project at any stage of their CI/CD security journey. For example, teams can use the project's guidance to identify misconfigurations in version control systems (VCS) and [CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security). Those misconfigurations can lead to code tampering, credential theft and ultimately a runtime breach.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-299088-2.jpeg)

Figure 2: The OWASP Top 10 CI/CD Security Risks

## Pipeline Posture Management

To embrace [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops), you need to observe the posture of your delivery pipeline, ensure it is protected against the Top 10 CI/CD risks and report your findings to leadership. Prisma Cloud's new dashboard provides continuous visibility into critical pipeline issues, with added context such as system risks and the number and frequency of events, so that criticality can be measured and alerted on accurately.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-299088-3.png)

Figure 3: Prisma Cloud provides continuous pipeline posture management against the OWASP Top 10 CI/CD Risks.

## Attack Path Analysis via the Cloud Application Graph™

The [power that graph databases bring to contextualizing security](https://www.paloaltonetworks.com/blog/prisma-cloud/visualizing-ci-cd-ecosystem-from-attackers-perspective/) insights can't be overstated. Correlating multiple risk signals at once to map an attacker's path to a breach is what makes high-fidelity alerts possible for AppSec teams. The Prisma Cloud Application Graph™ provides a dynamic visualization of your engineering ecosystem that lets you understand and analyze the environment and the relationships between all artifacts from code to deployment. By modeling every asset, you can map attack paths, which is critical as you protect your delivery pipelines from today's sophisticated attacks. For example, cross-platform misconfigurations like [poisoned pipeline execution (PPE)](https://www.paloaltonetworks.com/blog/prisma-cloud/poisoned-pipeline-execution-deep-dive) span the version control system and the CI system, so they are hard to discover without correlating signals across both, which is why Prisma Cloud's CI/CD Security is built on the world's first Application Graph.
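As an added example of what the VCS and pipeline misconfigurations named above look like in practice (this is illustration code written for this page, not code from the original post or from Prisma Cloud), the Python below checks a GitHub Actions workflow for three of them: a `pull_request_target` job that checks out the pull request head, which is the direct form of PPE; untrusted pull request text expanded into a `run:` script; and a third-party action referenced by a mutable tag instead of a commit SHA, the third-party action risk the BSidesLV talks listed below cover. The two workflows, the trusted-owner list, the finding labels and the regular expressions are constructed assumptions for the illustration; the dicts stand in for what `yaml.safe_load` would return on the YAML files.

```python
import re

# Expression paths that a pull request or issue author controls. Expanding any
# of these inside a `run:` script lets that author inject shell commands.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(?:"
    r"event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|event\.issue\.(?:title|body)"
    r"|event\.comment\.body"
    r"|head_ref"
    r")\s*\}\}"
)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Assumed policy for this example: first-party GitHub actions may be used by
# tag; every other action must be pinned to a full commit SHA.
TRUSTED_OWNERS = {"actions", "github"}


def workflow_triggers(workflow):
    """Return the set of event names a workflow runs on.

    PyYAML (YAML 1.1) parses an unquoted `on:` key as the boolean True,
    so both spellings of the key are accepted here."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def find_pipeline_risks(workflow):
    """Return (job, risk, evidence) tuples for the misconfigurations found."""
    findings = []
    triggers = workflow_triggers(workflow)
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses") or ""
            run = step.get("run") or ""

            # Direct PPE (OWASP CICD-SEC-4): pull_request_target runs in the base
            # repository with a write token and secrets; checking out the PR head
            # then executes the fork's code (build scripts, package hooks) with them.
            if "pull_request_target" in triggers and uses.startswith("actions/checkout"):
                ref = str((step.get("with") or {}).get("ref", ""))
                if PR_HEAD_REF.search(ref):
                    findings.append((job_name, "PPE", f"checkout ref={ref}"))

            # Script injection: the expression is substituted into the script
            # text before the shell parses it, so quoting inside the script
            # does not protect against a crafted title or branch name.
            match = UNTRUSTED_CONTEXT.search(run)
            if match:
                findings.append((job_name, "SCRIPT_INJECTION", match.group(0)))

            # Ungoverned third-party action (OWASP CICD-SEC-8): a tag or branch
            # can be moved to malicious code after review; a full SHA cannot.
            if "@" in uses:
                name, _, ref = uses.partition("@")
                if name.split("/")[0] not in TRUSTED_OWNERS and not FULL_SHA.match(ref):
                    findings.append((job_name, "UNPINNED_ACTION", uses))
    return findings


# Constructed sample: the parsed form of a workflow with all three issues.
VULNERABLE = {
    "name": "pr-check",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "some-org/setup-tool@v1"},
        {"run": 'echo "Checking ${{ github.event.pull_request.title }}"\nnpm ci && npm test',
         "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}

# Constructed sample: the same job hardened. On pull_request a fork's code runs
# with a read-only token and no secrets, the third-party action is pinned, and
# the PR title reaches the script only through an environment variable.
HARDENED = {
    "name": "pr-check",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "permissions": {"contents": "read"},
                       "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "some-org/setup-tool@0123456789abcdef0123456789abcdef01234567"},
        {"run": 'echo "Checking $PR_TITLE"\nnpm ci && npm test',
         "env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_pipeline_risks(wf) or "no findings")
```

Running the script reports PPE, the unpinned action and the script injection for the first workflow and nothing for the second. The hardened version keeps the PR title out of the script text by passing it through `env:`, which is the pattern GitHub recommends; checks like these catch only the patterns they were written for, so they complement rather than replace an inventory of which pipelines can reach production.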
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-299088-4.png)

Figure 4: The Prisma Cloud Application Graph™ helps customers uncover breach paths.

## CI/CD Security and AppSec: Looking to the Future

In this modern threat landscape, [protecting the delivery pipeline](https://start.paloaltonetworks.com/gartner-devsecops-tools-for-secure-software-delivery.html) is more important than ever. Going forward, security and risk leaders must prioritize hardening CI/CD systems and processes as they [rearchitect their AppSec programs](https://www.paloaltonetworks.com/blog/prisma-cloud/ci-cd-pipeline-security-strategy/) to account for the evolving threat landscape. Since its inception, Prisma Cloud has been at the forefront of delivering solutions for the most pressing cloud security challenges. With the industry's only code-to-cloud CNAPP, customers can now protect their delivery pipeline with graph-based CI/CD security.

To watch a live demo of CI/CD Security by Prisma Cloud, visit us at booth #1332 at Black Hat USA 2023. We'll also highlight our research in related talks at BSidesLV and DEF CON this year:

* *Actions Have Consequences: The Overlooked Security Risks in Third-Party GitHub Actions*, Wednesday, August 9 at 2:30pm PDT, [BSidesLV](https://bsideslv.org/talks#AYWS3V)
* *The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree*, Tuesday, August 8 at 5:00pm PDT, [BSidesLV](https://bsideslv.org/talks#HWCBP7); Saturday, August 12 at 1:30pm PDT, [DEF CON](https://defcon.org/)

Check out our [Application Security Practitioner's Guide](https://www.paloaltonetworks.com/cyberpedia/application-security), and if you want to learn which attack vectors to prioritize at the start of your CI/CD security journey, read the technical guide on the [Top 10 CI/CD Security Risks](https://www.paloaltonetworks.com/resources/whitepapers/top-10-cicd-security-risks).