BleedWatch Shield - your CI/CD pipeline's blind spots, illuminated.
CI/CD Shield reads the workflows, actions, permissions, secrets, and deployment paths that connect source changes to production. It catches exploitability in the pipeline layer where conventional EASM and SCA stop.
Coverage with explainable detection techniques.
Workflow YAML and trigger policy
Workflow files are reviewed for pull_request_target misuse, unsafe shell interpolation, untrusted checkout paths, overly broad triggers, manual dispatch abuse, and branch-protection bypass patterns using deterministic rules plus semantic AI review.
Action supply chain
Third-party actions, composite action.yml files, mutable tags, abandoned maintainers, and risky transitive scripts are scored with registry context, commit freshness, and multi-LLM cross-validation to reduce false positives.
Secrets and permissions
Job permissions, environment inheritance, secret usage, deployment tokens, OIDC claims, and artifact upload paths are correlated so a weak workflow becomes an actionable exploit path instead of an isolated lint warning.
Deploy targets and evidence routing
The module maps workflow outputs to deploy hosts, cloud roles, container tags, release artifacts, and ownership metadata, then routes remediation to GitHub, Jira, Linear, Slack, or ServiceNow depending on your operating model.
A finding built for remediation, not screenshots.
Each module produces a structured evidence pack with severity, business impact, and a runbook excerpt that can be routed to Slack, Jira, Linear, ServiceNow, GitHub, webhook, or SIEM depending on tier.
PDF FINDING PREVIEW
pull_request_target workflow executes untrusted input with deploy token
Evidence pack
- Workflow uses pull_request_target and checks out attacker-controlled head_ref before running npm scripts.
- Job permissions include contents: write and id-token: write while environment deploy secrets are available.
- Composite action dependency is pinned to a mutable v2 tag instead of a commit SHA.
- GitHub branch-protection context shows the workflow can comment on and update release artifacts.
Business impact
An external contributor can influence a privileged job and potentially reach deployment material. The business impact is a supply-chain compromise path through CI/CD rather than a local repository defect.
Remediation runbook
1. Replace pull_request_target with pull_request for untrusted code.
2. Split privileged labeling from build execution.
3. Pin third-party actions by full SHA.
4. Reduce job permissions to read-only by default.
5. Re-run the workflow audit before merging.
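The deterministic part of the workflow review described under "Workflow YAML and trigger policy", applied to the finding in the preview above, as an added Python example; this is not BleedWatch's code and makes no claim about how the product implements its rules. The two workflows are constructed: each dict is the form PyYAML would produce from the YAML reproduced in the comments, so the example runs without a YAML library. The organisation, action names and the 40-character SHA values are placeholders, not real pins.

```python
"""Minimal workflow audit: flag the pull_request_target exploit path from the preview
and confirm the remediated workflow is clean. Added example, not product code."""
import re

# A full commit SHA is the only immutable action pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions that resolve to the pull request author's code.
UNTRUSTED_REF_RE = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")

# Constructed vulnerable workflow (PyYAML form of):
#   on:
#     pull_request_target:
#   permissions: {contents: write, id-token: write}
#   jobs:
#     build:
#       environment: deploy
#       steps:
#         - uses: actions/checkout@v4
#           with: {ref: "${{ github.event.pull_request.head.sha }}"}
#         - uses: example-org/composite-setup@v2      # placeholder action
#         - run: npm ci && npm test
VULNERABLE = {
    "on": {"pull_request_target": None},
    "permissions": {"contents": "write", "id-token": "write"},
    "jobs": {"build": {"environment": "deploy", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "example-org/composite-setup@v2"},
        {"run": "npm ci && npm test"},
    ]}},
}

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit

# Constructed hardened workflow after runbook steps 1, 3 and 4:
# pull_request trigger, read-only permissions, every action pinned by SHA,
# and checkout of the merge ref (no explicit head ref).
HARDENED = {
    "on": {"pull_request": None},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"steps": [
        {"uses": f"actions/checkout@{PLACEHOLDER_SHA}"},
        {"uses": f"example-org/composite-setup@{PLACEHOLDER_SHA}"},
        {"run": "npm ci && npm test"},
    ]}},
}


def triggers(workflow):
    """Return the set of event names a workflow runs on, whatever shape `on` takes."""
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so check both.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def has_write_permission(perms):
    """True if a workflow- or job-level `permissions` block grants any write scope."""
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and any(v == "write" for v in perms.values())


def audit(workflow):
    """Return (severity, rule, detail) findings; an empty list means no rule fired."""
    findings = []
    untrusted_trigger = "pull_request_target" in triggers(workflow)
    privileged = has_write_permission(workflow.get("permissions"))
    untrusted_checkout = False
    for job_name, job in workflow.get("jobs", {}).items():
        privileged = privileged or has_write_permission(job.get("permissions"))
        for step in job.get("steps", []):
            uses = step.get("uses")
            if not uses:
                continue
            name, _, ref = uses.partition("@")
            if name.startswith("actions/checkout"):
                ref_expr = str((step.get("with") or {}).get("ref", ""))
                if untrusted_trigger and UNTRUSTED_REF_RE.search(ref_expr):
                    untrusted_checkout = True
                    findings.append(("high", "untrusted_checkout",
                                     f"{job_name}: checks out PR head under pull_request_target"))
            # Local and docker:// references have no registry tag to pin; skip them.
            if not name.startswith(("./", "docker://")) and not SHA_RE.match(ref):
                findings.append(("medium", "mutable_action_pin",
                                 f"{job_name}: {uses} is not pinned to a commit SHA"))
    if untrusted_trigger and privileged:
        findings.append(("high", "write_permissions_on_untrusted_trigger",
                         "pull_request_target job holds write permissions"))
    # Correlating the two turns isolated lint hits into one exploit path.
    if untrusted_checkout and privileged:
        findings.append(("critical", "privileged_untrusted_execution",
                         "untrusted code runs with write permissions and deploy secrets"))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(wf) or "clean")
```

The correlation step at the end is the point of the example: each rule on its own is a lint warning, but the combination of an untrusted checkout and write permissions on the same trigger is what the evidence pack above reports as a single finding.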
Included where the workflow needs it.
| Tier | Included | Asset limits |
|---|---|---|
| Community | Not included | Core external scan only |
| Pulse | Included | 25 assets, GitHub Actions and GitLab CI audit |
| Shield | Included | 150 assets, advanced routing and ownership |
| Fortress | Included | 500 assets, active validation handoff |
| Sentinel | Included | Unlimited by engagement, managed CI/CD review |
Ships findings into the systems that already own remediation.
READY FOR REVIEW
Run this module against authorized scope.
Start with a free scan or route an enterprise module review to sales.