Ist das nur für regulierte Branchen relevant?

Nein. Regulierung schafft Dokumentationspflichten, das Risiko selbst besteht unabhängig davon. Wenn Ihre Pipeline ausliefert, was Ihre Kunden nutzen, ist sie schützenswert — ob Sie im Maschinenbau, im Handel oder in der Beratung tätig sind.

Wie lange dauert eine typische Pipeline-Härtung?

Eine erste, spürbare Risikoreduktion erreichen wir in der Regel in zwei bis vier Wochen. Die vollständige Umstellung auf OIDC, getrennte Rechte und automatische Rotation dauert je nach Größe Ihrer Landschaft zwei bis drei Monate. Wir priorisieren nach Risiko, nicht nach Vollständigkeit.

Was ist mit den Secrets, die schon seit Jahren laufen?

Die nehmen wir uns strukturiert vor. Erst Inventarisierung, dann Ablösung durch kurzlebige Alternativen, schließlich Rotation und Überwachung. Wir schalten nichts einfach ab, sondern sorgen dafür, dass der Umstieg keine laufenden Prozesse blockiert.

Müssen wir dafür unsere Entwicklungsprozesse umstellen?

Nein. Wir ändern nichts am Tages-Workflow Ihrer Entwickler. Die Härtung geschieht im Pipeline-Code und in der Rechte-Modellierung. Ihre Teams merken die Änderung daran, dass bestimmte gefährliche Abkürzungen nicht mehr funktionieren — und dass Reviews klarer werden.

Wir nutzen GitHub Actions/GitLab CI — ist das sicher genug?

Die Plattform ist solide, entscheidend ist, wie Sie sie konfigurieren. Ob GitHub Actions, GitLab CI oder ein anderer Anbieter: Ohne kurze Token-Lebenszeiten, getrennte Rechte und Branch-Protections bleibt das Risiko hoch. Wir härten innerhalb Ihrer bestehenden Plattform, ein Umzug ist selten nötig.

Your CI pipeline isn't a tool. It's the largest entry point into your organisation.

Why the CI/CD pipeline in mid-market organisations is often the least secure system in the company — and how to harden it systematically.

25. March 2026

When we ask about risk, organisations usually name the usual suspects: public web servers, email gateways, VPN access, end-user devices in home offices. The CI/CD pipeline rarely makes that list. It feels like an internal space, access-controlled, looked after by specialists, technical and decoupled from the rest of IT. In reality, in most mid-market organisations it is the largest entry point we see.

That comes down to a very uncomfortable property of modern pipelines: they have full access to everything you want to protect in production. Production credentials, cloud access, signing keys, deployment paths, database migrations. Whoever controls the pipeline controls delivery. Whoever controls delivery controls your product.

The blind spot in the mid-market

The protective assumption is often: “Our pipeline only runs internally.” That's frequently true in terms of network segmentation. It isn't true in terms of attack surface. A pipeline executes arbitrary code on every commit. That code comes from a wide range of sources: your own repositories, external packages, container images, OCI registries, pre-commit hooks. Each of those is a supply-chain element. Each is therefore a potential attack vector.

We regularly see pipelines that work with a single, long-lived secret that has access to the entire production environment. We see repositories where every developer is effectively an admin of the build infrastructure. We see pull requests from external contributors that could exfiltrate build logs to private webhooks. And we see systems where no-one can say any more which tokens actually need rotating, because they're stored in too many places.

How we harden pipelines systematically

In our DevSecOps-as-a-Service operation we approach these risks with a consistent, documented method. Nothing magical, but very disciplined.

Secret management with short lifetimes

Long-lived secrets are our first candidate for elimination. We work with dynamically issued credentials, typically via OIDC federation to your cloud account or via central secret managers with short TTLs. A deployment job receives exactly the token it needs for that one run, and nothing beyond that. After completion the token is worthless.

Separated rights, clear roles

Pipelines don't need root rights, they need precisely scoped permissions. We split your pipeline into jobs with different identities. The build step doesn't see production credentials. The deploy step has no write access to your artefact registry. The migration step may change the database but can't push images. A compromised job therefore doesn't blow open the whole chain.

Minimal access to sources and targets

Who may write to your repository, who may change workflows, who approves environments, who uses which runners: these are role questions we model cleanly once and then put into code. That includes branch protections, required-reviewer rules, signed commits, signed artefacts and hardened runners.

Rotation as a process, not a project

Secrets are rotated because risk grows over time, not because an audit is coming. In our operating models rotation is an automatic process with clear ownership, a documented rotation window and alerting when a secret gets older than it should.

What this changes for you

The result of these measures is rarely spectacular and that is precisely what makes it valuable. Your pipeline stays fast, but it is no longer a master key. An attacker who takes over a developer account is still a long way from production. A compromised package in a build can't pull out long-lived tokens, because there aren't any. An audit can be prepared in hours instead of weeks, because rights, roles and rotations are documented and automated.

For you as a managing director or head of IT that means: you reduce a real, underestimated risk and at the same time gain pace, because your teams are no longer stuck in unclear responsibilities.

[Translate to English:] Leicht geöffnete Serverraumtür mit hellem Lichtstreif, der in einen dunklen Gang fällt.

30 minutes that make your pipeline safer.

An honest stocktake

If you're unsure how things stand in your pipeline today, a small but focused check is worth doing. We have a fixed set of questions for it that gives a robust impression in one or two conversations: where do your secrets live, who may change workflows, how are external dependencies pulled in, what happens during an incident?

30 minutes, no pitch. We listen and tell you honestly where we see action needed and where we don't.

Book a slot directly →

Häufige Fragen

Was uns Kundinnen und Kunden zu diesem Thema am häufigsten fragen — offen beantwortet.

Is this only relevant for regulated industries?+

No. Regulation creates documentation duties; the risk itself exists regardless. If your pipeline delivers what your customers use, it is worth protecting — whether you're in mechanical engineering, retail or consulting.

How long does typical pipeline hardening take?+

An initial, noticeable risk reduction we usually achieve in two to four weeks. The full move to OIDC, separated permissions and automated rotation takes between two and three months depending on the size of your landscape. We prioritise by risk, not by completeness.

What about the secrets that have been running for years?+

We tackle them in a structured way. First an inventory, then replacement with short-lived alternatives, finally rotation and monitoring. We don't simply switch anything off; we make sure the changeover doesn't block ongoing processes.

Do we have to change our development processes for this?+

No. We change nothing about your developers' day-to-day workflow. The hardening happens in the pipeline code and the permissions modelling. Your teams notice the change in that certain dangerous shortcuts no longer work — and that reviews become clearer.

We use GitHub Actions / GitLab CI — is that secure enough?+

The platform is solid; what matters is how you configure it. Whether GitHub Actions, GitLab CI or another vendor: without short token lifetimes, separated permissions and branch protections, the risk stays high. We harden within your existing platform; a migration is rarely necessary.