Offensive CI/CD tooling reveals pipeline risks

Praetorian released Trajan, offensive tooling designed to simulate CI/CD attacks and expose pipelines that hold secrets or push to production. That practical testing, paired with a 26-point compliance checklist for pipelines, highlights the push to validate defenses across ISO 27001/NIS2/DORA-aligned workflows.

Praetorian published a launch post on March 6, 2026 describing Trajan as an open-source CI/CD security engine that automates vulnerability detection and attack validation across GitHub Actions, GitLab CI, Azure DevOps and Jenkins (praetorian.com). Trajan's source and release artifacts are hosted on Praetorian's GitHub repository (praetorian-inc/trajan) and include attack-automation modules and a multi-platform scanning engine; release v1.0.0 is present in the repo (github.com).

Plumber is an open-source CLI and GitLab CI component that generates a Pipeline Bill of Materials (PBOM) in CycloneDX format for pipeline inventories, with documented integrations for Grype, Trivy and Dependency-Track (github.com). Plumber's README enumerates the concrete pipeline controls it detects: mutable image tags, unprotected branches, hardcoded jobs that do not come from external includes/components, forbidden version patterns, and CI_DEBUG_TRACE variables that can leak secrets into job logs. Each is exposed as a configurable check for automated gating (github.com). Because the PBOM is CycloneDX, it can be ingested by vulnerability scanners and evidence-management tools, so pipeline artifacts become usable evidence in compliance mapping and reporting workflows tied to ISO 27001, NIS2 and DORA posture assessments (github.com).
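To make the Plumber-style checks concrete, the following is an added illustration written for this briefing, not Plumber's or Trajan's own code. It runs four of the listed controls (mutable image tags, CI_DEBUG_TRACE, inline jobs that do not come from an include, and floating include versions) over two constructed GitLab CI configurations represented as the dict PyYAML would produce from a `.gitlab-ci.yml`. Branch protection is a project setting rather than part of the pipeline file, so it is not checked here. The pipeline contents, hostnames, component paths and rule names are all assumptions for the example.

```python
"""Illustrative GitLab CI pipeline checks (added example, not Plumber's code)."""
import re

# Constructed samples standing in for a parsed .gitlab-ci.yml; not real projects.
WEAK_PIPELINE = {
    "include": [
        {"component": "gitlab.example.com/ci/components/lint@main"},  # floating ref
    ],
    "variables": {"CI_DEBUG_TRACE": "true"},  # dumps every variable, masked ones included, into logs
    "build": {
        "image": "python:latest",  # mutable tag
        "script": ["pip install -r requirements.txt", "pytest"],
    },
    "deploy": {
        "image": "alpine",  # no tag at all, resolves to :latest
        "script": ["./deploy.sh"],
    },
}

HARDENED_PIPELINE = {
    "include": [
        {"component": "gitlab.example.com/ci/components/lint@1.2.0"},
        {"project": "ci/templates", "ref": "v3.4.1", "file": "/deploy.yml"},
    ],
    "build": {
        "image": "python:3.12.4@sha256:" + "a" * 64,  # digest-pinned
        "extends": ".python-build",  # job body comes from the included template
    },
    "deploy": {"extends": ".deploy-template"},
}

# Top-level keys that are configuration rather than job definitions.
RESERVED_KEYS = {"include", "variables", "stages", "default", "workflow",
                 "image", "services", "cache", "before_script", "after_script"}
MUTABLE_TAGS = {"", "latest", "main", "master", "dev", "stable"}
PINNED_REF = re.compile(r"^(v?\d+\.\d+\.\d+|[0-9a-f]{40})$")  # semver tag or full SHA
TRUTHY = {"1", "true", "yes"}


def image_is_mutable(image):
    """True unless the reference carries a digest or a non-floating tag."""
    if isinstance(image, dict):
        image = image.get("name", "")
    if "@sha256:" in image:
        return False
    # Drop any registry host:port so the ':' we split on is the tag separator.
    last = image.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in MUTABLE_TAGS


def include_ref_is_floating(entry):
    """True for includes that point at a branch or 'latest' rather than a version or SHA."""
    if not isinstance(entry, dict):
        return False  # plain local/remote file includes carry no ref to inspect
    if "component" in entry:
        comp = entry["component"]
        ref = comp.rsplit("@", 1)[1] if "@" in comp else ""
        return not PINNED_REF.match(ref)
    if "project" in entry:
        return not PINNED_REF.match(str(entry.get("ref", "")))
    return False


def debug_trace_enabled(variables):
    """CI_DEBUG_TRACE set to a truthy value prints all variables, masked ones included."""
    val = (variables or {}).get("CI_DEBUG_TRACE")
    return val is not None and str(val).strip().lower() in TRUTHY


def jobs(pipeline):
    """Yield (name, body) for locally defined jobs, skipping config keys and .templates."""
    for name, body in pipeline.items():
        if name in RESERVED_KEYS or name.startswith(".") or not isinstance(body, dict):
            continue
        yield name, body


def check_pipeline(pipeline):
    """Return a list of (rule, location, detail) findings; empty list means the gate passes."""
    findings = []
    includes = pipeline.get("include", []) or []
    if not isinstance(includes, list):
        includes = [includes]
    for entry in includes:
        if include_ref_is_floating(entry):
            findings.append(("forbidden-version", "include", repr(entry)))
    if debug_trace_enabled(pipeline.get("variables")):
        findings.append(("debug-trace", "global", "CI_DEBUG_TRACE set"))
    if "image" in pipeline and image_is_mutable(pipeline["image"]):
        findings.append(("mutable-image", "default", str(pipeline["image"])))
    for name, job in jobs(pipeline):
        if "image" in job and image_is_mutable(job["image"]):
            findings.append(("mutable-image", name, str(job["image"])))
        if debug_trace_enabled(job.get("variables")):
            findings.append(("debug-trace", name, "CI_DEBUG_TRACE set"))
        if "script" in job and "extends" not in job:
            findings.append(("hardcoded-job", name, "script defined inline, not from an include"))
    return findings


if __name__ == "__main__":
    for label, pipeline in (("weak", WEAK_PIPELINE), ("hardened", HARDENED_PIPELINE)):
        for rule, where, detail in check_pipeline(pipeline) or [("ok", "-", "no findings")]:
            print(f"{label:9} {rule:18} {where:8} {detail}")
```

The weak configuration trips every rule; the hardened one pins the component and template to a version, pins the build image by digest, and keeps job bodies in included templates, so `check_pipeline` returns nothing and a gating step built on it would let the pipeline through.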

Shared from Scout.