Prerequisites

  • Authorization to test CI/CD pipelines, source control, and container infrastructure
  • Access tokens for at least one of: GitHub, GitLab, Bitbucket, Azure DevOps, Jenkins
  • Repository URLs or organization names confirmed in scope
  • Container registry credentials (optional, for private image scanning)
  • Cloud provider credentials with read-only IAM for IaC auditing (optional)
  1. Select DevOps / CI-CD from Home Screen

    Click the ⚙️ DevOps / CI-CD card on the Home Screen. The Mission Control Wizard opens pre-configured for DevOps assessment.

  2. Complete the DevOps Wizard

    Environment → Production / Staging / Dev
    Platform(s) → GitHub / GitLab / Bitbucket / Jenkins / Azure DevOps / CircleCI / ArgoCD / FluxCD
    Org / Repo → github.com/my-org or individual repo URL
    Access Token → GitHub PAT / GitLab token / Jenkins API key
    Container Reg → Docker Hub / ECR / GCR / GHCR (optional)
    IaC in scope → Terraform / CloudFormation / Kubernetes manifests - Yes/No
    Attack Focus → Secrets | Pipeline Injection | Container | IaC | Supply Chain | SBOM/SCA
    Intensity → Standard (read-only) | Aggressive (active pipeline test) | Full

  3. Review AI Test Plan and Launch

    Claude generates a phase-based DevOps test plan based on the platforms and repos detected. Review attack categories, adjust scope, click Launch Scan.

  4. Monitor Secrets and Pipeline Findings Live

    The Scan Dashboard shows live findings as PhantomYerra scans git history, pipeline configs, container images, and IaC. Secrets findings appear first: each shows the file path, line number, and masked secret value for validation.

  5. Review Supply Chain and SBOM Analysis

    The Supply Chain tab shows a full dependency tree with CVE matches, license violations, and typosquatting alerts. Each vulnerable dependency shows CVSS score, fix version, and exploitability rating.

  6. Download DevOps Security Report

    Reports → DevOps Report → includes: SLSA coverage table, supply chain risk matrix, secrets exposure list, pipeline injection findings, container CVE report, IaC misconfiguration list, and compliance mapping (CIS Docker, NIST SSDF, OWASP Top 10 CI/CD).

Claude's 7-Phase DevOps Assessment

  • Phase 1: Repository enumeration - discover all repos, branches, workflows, pipeline configs
  • Phase 2: Secrets scanning - TruffleHog + Gitleaks across full git history (all commits, not just HEAD)
  • Phase 3: Pipeline injection analysis - Semgrep rules for GITHUB_ENV injection, untrusted PR inputs, command injection in CI steps
  • Phase 4: IaC misconfiguration - Checkov + KICS against Terraform, CloudFormation, Kubernetes, Helm, Dockerfile
  • Phase 5: Container security - Trivy image scan for OS + library CVEs, Dockerfile best-practice violations (root user, privileged, exposed ports)
  • Phase 6: SBOM + SCA - Syft generates SBOM (CycloneDX format), Grype matches against NVD + GitHub Advisory DB, Anchore enforces policy gates
  • Phase 7: Attack chain correlation - Claude links secrets → pipeline access → cloud credential escalation into a full supply chain attack narrative
⏱️ Typical duration: 20 minutes (single repo) to 3 hours (large org with 100+ repos, multiple platforms).

Attack Categories

Category | What PhantomYerra Tests | Tools Used
Supply Chain Attacks | Malicious dependencies, typosquatting npm/pip/maven/cargo packages, compromised GitHub Actions, pinned vs floating action versions | Grype, Syft, Semgrep
Pipeline Injection | Untrusted PR input to CI steps, GITHUB_ENV / GITHUB_PATH write from user input, command injection in shell: run blocks, environment variable exfiltration | Semgrep (p/github-actions, p/ci-cd-security)
Hardcoded Secrets | AWS/GCP/Azure keys, API tokens, private RSA/EC keys, passwords, JWT secrets in code, config files, and full git history (all commits) | TruffleHog, Gitleaks
RBAC Misconfiguration | Overly permissive branch protections, missing required PR reviews, external admin collaborators, org-level SSO bypass, weak repo visibility settings | GitHub/GitLab/AzDO API audit
Container Security | Privileged containers, root user in runtime, exposed unnecessary ports, base image CVEs, unpatched OS packages, writable root filesystem | Trivy, Checkov, Anchore
IaC Misconfigs | Public S3 buckets, open security groups (0.0.0.0/0), disabled encryption at rest, missing audit logging, world-readable IAM roles, disabled MFA delete | Checkov, KICS
Dependency Vulnerabilities | CVEs in npm, pip, maven, gradle, cargo, go.mod packages - matched against NVD + GitHub Advisory DB + OSV + CISA KEV | Grype, Syft, Trivy
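
To make the Pipeline Injection and Supply Chain rows concrete, here is an added Python example (not PhantomYerra's or Semgrep's own rules) that audits a GitHub Actions workflow for untrusted PR fields expanded inside `run:` blocks, writes of such fields to GITHUB_ENV / GITHUB_PATH, and actions referenced by a floating tag instead of a commit SHA. The rule names, the list of untrusted fields and the sample workflow are assumptions constructed for this illustration.

```python
import re

# Event fields an outside contributor controls (a subset chosen for this example).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body)|head_ref))\s*\}\}")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
ENV_WRITE = re.compile(r">>\s*\"?\$\{?GITHUB_(?:ENV|PATH)\b")
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a tag or branch

def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings, run_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if m := RUN.match(line):
            run_col = len(m.group(1))      # column of the run: key
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col = None                 # dedent: the run: block has ended
        if run_col is None and (u := USES.match(line)):
            ref = u.group(1)  # local ./ and docker:// refs carry no git ref to pin
            if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
                findings.append((no, "floating-action-ref", ref))
        if run_col is not None:
            # Expressions are expanded into the script text before the shell runs it.
            for expr in UNTRUSTED.finditer(line):
                rule = ("untrusted-input-to-env" if ENV_WRITE.search(line)
                        else "untrusted-input-in-run")
                findings.append((no, rule, expr.group(1)))
    return findings

# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
on: pull_request_target
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          echo "REF=${{ github.head_ref }}" >> $GITHUB_ENV
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""
if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

The last step in the sample is not flagged: passing the field through `env:` and quoting it as a shell variable keeps it out of the script text.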

Supported Platforms

Platform | What PhantomYerra Checks
GitHub / GitHub Actions | Full git history secrets scan, workflow injection (untrusted PR inputs, GITHUB_ENV write), branch protection audit, Action version pinning, org-level RBAC
GitLab / GitLab CI | .gitlab-ci.yml injection patterns, variable exposure in CI logs, protected branch rules, deploy key audit, registry image scanning
Bitbucket Pipelines | bitbucket-pipelines.yml injection, repository variable leakage, access key exposure, pipe usage from unverified publishers
Jenkins | Groovy script injection in Jenkinsfile, unauthenticated API endpoint check, agent privilege escalation, plugin CVE matching, build secret exposure
Azure DevOps | Pipeline YAML injection, service connection over-permission, variable group secret exposure, repo policy gaps, ADO token scope audit
CircleCI | Context variable leakage, orb usage from unverified publishers, SSH key exposure in job logs, approval step bypass
ArgoCD / FluxCD | RBAC misconfiguration, unauthenticated API server exposure, Git repo write-back attack surface, app-of-apps privilege escalation, SSO bypass

DevOps Security Report

Every DevOps assessment produces a structured Technical Report with the following sections:

Quick Start

  1. Select DevOps Surface

    Click ⚙️ DevOps / CI-CD on the Home Screen.

  2. Enter Platform and Access Token

    In the wizard, select your CI/CD platform (e.g. GitHub), enter your organization name or repository URL, and paste your personal access token. Token needs: repo, read:org, read:packages scopes.

  3. Launch Scan

    Review the AI-generated test plan and click Launch Scan. PhantomYerra runs all phases autonomously: findings stream in real time to the Scan Dashboard.

Common Issues

Ensure the tool has access to the full git history, not just the working tree. If the repo was shallow-cloned (--depth 1), secrets in older commits will not appear. In the wizard, ensure "Full history scan" is enabled. For GitHub, the PAT must have the repo scope - not just public_repo.

Some OS-level CVEs in base images (e.g. debian:slim, ubuntu:22.04) are marked as "will not fix" by the distribution maintainer because they are unexploitable in the containerized context. Trivy shows these by default. In PhantomYerra's container scan settings, enable "Ignore unfixed" to filter these out, or review them manually to confirm the distro's "won't fix" assessment is accurate for your threat model.

Use the "Skip Paths" field in the wizard to exclude directories you don't control (e.g. .terraform/, vendor/, node_modules/, generated Helm chart templates). You can also configure per-resource checkov:skip annotations in your Terraform/CloudFormation files to suppress known accepted risks.

Full Disclosure

264 modules · 30+ surfaces · 14 vuln families · 120+ classes

The sections above describe what this surface tests. For the complete enumeration of every vulnerability class PhantomYerra covers across all surfaces — with scanner module names — see the Coverage Matrix.
