# CICDBins — CI/CD Red Team Quick Reference > GTFOBins for CI/CD pipelines. A structured reference of attack techniques, > payloads, prerequisites, and detection guidance for CI/CD platforms used > in authorized red team engagements and security research. - URL: https://cicd-bins.harekrishnarai.me/ - Full content: https://cicd-bins.harekrishnarai.me/llms-full.txt - Sitemap: https://cicd-bins.harekrishnarai.me/sitemap.xml - Source: https://github.com/harekrishnarai/cicd-bins ## About CICDBins documents offensive security techniques targeting CI/CD pipelines. Each technique includes: attack description, exploit payloads, required access level (prerequisite), affected platforms, and remediation guidance. The reference covers injection, secrets exfiltration, RCE, privilege escalation, supply chain attacks, persistence, reconnaissance, and more. ## Platforms - **GitHub Actions**: 22 techniques - **GitLab CI**: 8 techniques - **Jenkins**: 2 techniques - **CircleCI**: 3 techniques - **Azure DevOps**: 3 techniques - **Bitbucket Pipelines**: 3 techniques - **AWS CodeBuild**: 3 techniques - **Argo CD**: 3 techniques ## Categories - **Injection**: 13 techniques - **Secrets**: 21 techniques - **RCE**: 20 techniques - **Persistence**: 10 techniques - **Privilege Escalation**: 14 techniques - **Supply Chain**: 9 techniques - **Exfiltration**: 10 techniques - **Reconnaissance**: 5 techniques - **Self-Hosted**: 8 techniques ## Access Level Required (Prerequisites) - **Code Write Access** (`code-write`): 18 techniques - **Open Pull Request** (`pull-request`): 11 techniques - **Trigger Pipeline** (`pipeline-trigger`): 1 technique - **Repository Admin** (`repo-admin`): 5 techniques - **Org/Cluster Admin** (`org-admin`): 3 techniques - **Runner Shell (RCE)** (`runner-shell`): 9 techniques ## Techniques (47 total) ### GitHub Actions - [Action Typosquatting](https://cicd-bins.harekrishnarai.me/#action-typosquatting) - Categories: Supply Chain, Secrets, RCE - Requires: Code Write Access - [Artifact Poisoning](https://cicd-bins.harekrishnarai.me/#artifact-poisoning) - Categories: Supply Chain, Persistence - Requires: Code Write Access - [Branch Protection Bypass](https://cicd-bins.harekrishnarai.me/#branch-protection-bypass) - Categories: Privilege Escalation, Persistence - Requires: Repository Admin - [Cache Poisoning](https://cicd-bins.harekrishnarai.me/#cache-poisoning) - Categories: Supply Chain, Persistence - Requires: Code Write Access - [CI/CD Environment Reconnaissance](https://cicd-bins.harekrishnarai.me/#cicd-recon) - Categories: Reconnaissance - Requires: Open Pull Request - [Cloud Metadata SSRF](https://cicd-bins.harekrishnarai.me/#cloud-metadata-ssrf) - Categories: Secrets, Exfiltration, Privilege Escalation, Self-Hosted - Requires: Runner Shell (RCE) - [Dependency Confusion Attack](https://cicd-bins.harekrishnarai.me/#dependency-confusion) - Categories: Supply Chain, RCE - Requires: Open Pull Request - [Docker Socket Abuse](https://cicd-bins.harekrishnarai.me/#docker-socket-abuse) - Categories: RCE, Privilege Escalation, Self-Hosted - Requires: Runner Shell (RCE) - [Environment Gate Bypass](https://cicd-bins.harekrishnarai.me/#environment-gate-bypass) - Categories: Privilege Escalation, Secrets - Requires: Repository Admin - [GITHUB_TOKEN Abuse](https://cicd-bins.harekrishnarai.me/#github-token-abuse) - Categories: Secrets, Privilege Escalation - Requires: Code Write Access - [Log Masking Bypass](https://cicd-bins.harekrishnarai.me/#log-masking-bypass) - Categories: Secrets, Exfiltration - Requires: Runner Shell (RCE) - [Network Egress Abuse](https://cicd-bins.harekrishnarai.me/#network-egress-abuse) - Categories: Exfiltration, Reconnaissance, Self-Hosted - Requires: Runner Shell (RCE) - [OIDC Token Theft for Cloud Access](https://cicd-bins.harekrishnarai.me/#oidc-token-theft) - Categories: Secrets, Exfiltration, Privilege Escalation - Requires: Code Write Access - [Pipeline Parameter Injection](https://cicd-bins.harekrishnarai.me/#pipeline-param-injection) - Categories: Injection, RCE - Requires: Open Pull Request - [pull_request_target Privilege Abuse](https://cicd-bins.harekrishnarai.me/#pull-request-target-abuse) - Categories: Injection, Secrets, RCE - Requires: Open Pull Request - [GitHub Actions Quick Wins Checklist](https://cicd-bins.harekrishnarai.me/#quick-wins) - Categories: Reconnaissance, Secrets, Injection - Requires: Open Pull Request - [Repository Secret Mining](https://cicd-bins.harekrishnarai.me/#repo-mining) - Categories: Reconnaissance, Secrets - Requires: Open Pull Request - [Script Injection via PR Title](https://cicd-bins.harekrishnarai.me/#script-injection-pr-title) - Categories: Injection, RCE - Requires: Open Pull Request - [Secrets Exfiltration via Environment Dump](https://cicd-bins.harekrishnarai.me/#secrets-exfil-env-dump) - Categories: Secrets, Exfiltration - Requires: Runner Shell (RCE) - [Self-Hosted Runner RCE](https://cicd-bins.harekrishnarai.me/#self-hosted-runner-rce) - Categories: RCE, Persistence, Self-Hosted - Requires: Open Pull Request - [Webhook Trigger Abuse](https://cicd-bins.harekrishnarai.me/#webhook-trigger-abuse) - Categories: Injection, RCE - Requires: Repository Admin - [Workflow Backdoor via GITHUB_TOKEN](https://cicd-bins.harekrishnarai.me/#workflow-backdoor) - Categories: Persistence, RCE - Requires: Code Write Access ### GitLab CI - [CI Variable and Job Token Exfiltration](https://cicd-bins.harekrishnarai.me/#gitlab-ci-variable-exfiltration) - Categories: Secrets, Exfiltration - Requires: Code Write Access - [.gitlab-ci.yml Backdoor via Maintainer Access](https://cicd-bins.harekrishnarai.me/#gitlab-ci-yml-backdoor) - Categories: Persistence, Supply Chain, Secrets - Requires: Code Write Access - [Dependency Proxy Cache Poisoning](https://cicd-bins.harekrishnarai.me/#gitlab-dependency-proxy-poisoning) - Categories: Supply Chain, RCE - Requires: Code Write Access - [Pipeline Trigger Token Abuse](https://cicd-bins.harekrishnarai.me/#gitlab-pipeline-trigger-token-abuse) - Categories: Secrets, Injection, Persistence - Requires: Trigger Pipeline - [Protected Branch and Environment Bypass](https://cicd-bins.harekrishnarai.me/#gitlab-protected-branch-bypass) - Categories: Privilege Escalation, Persistence - Requires: Repository Admin - [Remote Include Injection](https://cicd-bins.harekrishnarai.me/#gitlab-remote-include-injection) - Categories: Injection, Supply Chain, RCE - Requires: Code Write Access - [Script Injection via Branch / Tag Name](https://cicd-bins.harekrishnarai.me/#gitlab-script-injection-branch-name) - Categories: Injection, RCE - Requires: Code Write Access - [Shared Runner Abuse and Fingerprinting](https://cicd-bins.harekrishnarai.me/#gitlab-shared-runner-abuse) - Categories: Reconnaissance, Secrets, Self-Hosted - Requires: Open Pull Request ### Jenkins - [Jenkins Agent Node Privilege Escalation](https://cicd-bins.harekrishnarai.me/#jenkins-agent-privesc) - Categories: RCE, Privilege Escalation, Persistence, Self-Hosted - Requires: Runner Shell (RCE) - [Jenkins Script Console RCE](https://cicd-bins.harekrishnarai.me/#jenkins-script-console) - Categories: RCE, Privilege Escalation, Self-Hosted - Requires: Org/Cluster Admin ### CircleCI - [Context Secrets Exfiltration](https://cicd-bins.harekrishnarai.me/#circleci-context-secrets-exfil) - Categories: Secrets, Exfiltration - Requires: Code Write Access - [Malicious Orb Injection](https://cicd-bins.harekrishnarai.me/#circleci-orb-injection) - Categories: Supply Chain, RCE - Requires: Org/Cluster Admin - [Pipeline Parameter Injection](https://cicd-bins.harekrishnarai.me/#circleci-pipeline-parameter-injection) - Categories: Injection, RCE - Requires: Open Pull Request ### Azure DevOps - [Self-Hosted Agent Pool Compromise](https://cicd-bins.harekrishnarai.me/#azure-devops-agent-pool-compromise) - Categories: Persistence, Privilege Escalation, Self-Hosted - Requires: Runner Shell (RCE) - [Pipeline Variable Injection](https://cicd-bins.harekrishnarai.me/#azure-devops-pipeline-variable-injection) - Categories: Injection, RCE - Requires: Code Write Access - [Service Connection Abuse](https://cicd-bins.harekrishnarai.me/#azure-devops-service-connection-abuse) - Categories: Secrets, Privilege Escalation - Requires: Repository Admin ### Bitbucket Pipelines - [Bitbucket Pipelines OIDC Token Abuse](https://cicd-bins.harekrishnarai.me/#bitbucket-oidc-misconfiguration) - Categories: Secrets, Privilege Escalation - Requires: Code Write Access - [Bitbucket Pipelines Variable Injection via Branch Name](https://cicd-bins.harekrishnarai.me/#bitbucket-pipeline-variable-injection) - Categories: Injection, Secrets - Requires: Code Write Access - [Bitbucket Repository Variable Exfiltration](https://cicd-bins.harekrishnarai.me/#bitbucket-repository-variable-exfil) - Categories: Secrets, Exfiltration - Requires: Open Pull Request ### AWS CodeBuild - [AWS CodeBuild Buildspec Injection via S3 / External Source](https://cicd-bins.harekrishnarai.me/#codebuild-buildspec-injection) - Categories: Injection, RCE - Requires: Code Write Access - [AWS CodeBuild Environment Variable & SSM Parameter Exfiltration](https://cicd-bins.harekrishnarai.me/#codebuild-environment-variable-exfil) - Categories: Secrets, Exfiltration - Requires: Code Write Access - [AWS CodeBuild IAM Role Privilege Escalation](https://cicd-bins.harekrishnarai.me/#codebuild-iam-role-privilege-escalation) - Categories: Privilege Escalation, RCE - Requires: Runner Shell (RCE) ### Argo CD - [Argo CD Repository Credential & Cluster Secret Exfiltration](https://cicd-bins.harekrishnarai.me/#argocd-secret-exfil) - Categories: Secrets, Exfiltration - Requires: Runner Shell (RCE) - [Argo CD Git Repository Poisoning](https://cicd-bins.harekrishnarai.me/#argocd-git-repo-poisoning) - Categories: Supply Chain, Injection - Requires: Code Write Access - [Argo CD RBAC Misconfiguration — Unauthorized Sync/Exec](https://cicd-bins.harekrishnarai.me/#argocd-rbac-misconfiguration) - Categories: Privilege Escalation, RCE - Requires: Org/Cluster Admin ## Optional - [Complete technique content with code examples](https://cicd-bins.harekrishnarai.me/llms-full.txt) - [Flowlyt — AI-powered CI/CD security scanner](https://github.com/harekrishnarai/flowlyt)