CI/CD

Question 1

Q: What does CI/CD stand for?

Answer 1

A: Continuous Integration and Continuous Deployment/Delivery.

Question 2

Q: What is the main goal of Continuous Integration (CI)?

Answer 2

A: To automate the building and testing of code with each commit.

Question 3

Q: What distinguishes Continuous Deployment from Continuous Delivery?

Answer 3

A: Continuous Deployment automates the full release to production.

Question 4

Q: Where are GitHub Actions workflow files stored?

Answer 4

A: In the .github/workflows/ directory.

Question 5

Q: What format are GitHub workflow files written in?

Answer 5

A: YAML.

Question 6

Q: What are GitHub “jobs” in a workflow?

Answer 6

A: A set of steps that execute on a runner.

Question 7

Q: What is the function of a GitHub runner?

Answer 7

A: To execute workflow jobs.

Question 8

Q: What event can trigger a GitHub Action workflow?

Answer 8

A: Events like push, pull_request, schedule, etc.

Question 9

Q: What file defines GitLab CI/CD pipelines?

Answer 9

A: .gitlab-ci.yml.

Question 10

Q: What are “stages” in GitLab pipelines?

Answer 10

A: They define the logical flow of a pipeline (e.g., build → test → deploy).

Question 11

Q: What are “jobs” in GitLab CI/CD?

Answer 11

A: Tasks that run in specific stages of the pipeline.

Question 12

Q: What is a GitLab runner used for?

Answer 12

A: To execute CI/CD jobs.

Question 13

Q: What are artifacts in CI/CD pipelines?

Answer 13

A: Files generated during jobs and passed to later stages.

Question 14

Q: Why should SOC teams monitor GitHub workflow file changes?

Answer 14

A: To detect unauthorized edits or malicious actions.

Question 15

Q: What can unauthorized third-party actions in workflows indicate?

Answer 15

A: Potential exploitation or abuse of CI/CD pipelines.

Question 16

Q: Why are secrets management important in pipelines?

Answer 16

A: Secrets can be exposed in logs or abused by attackers.

Question 17

Q: What should SOC teams monitor about runner environments?

Answer 17

A: Integrity, unauthorized access, and use of unapproved scripts/images.

Question 18

Q: What is a sign of crypto mining in CI/CD environments?

Answer 18

A: Abnormally long or resource-intensive jobs.

Question 19

Q: What is one method attackers use to move laterally via CI/CD?

Answer 19

A: Using compromised workflows to access other resources.

Question 20

Q: How can artifacts be abused by threat actors?

Answer 20

A: For malware delivery or data exfiltration.

Question 21

Q: What is a mitigation for secrets being exposed in pipeline logs?

Answer 21

A: Redacting logs and scanning for secrets.

Question 22

Q: What should trigger an alert in CI/CD monitoring?

Answer 22

A: Unauthorized workflow modification or access anomalies.

Question 23

Q: What tools should be integrated into CI/CD for security?

Answer 23

A: Code scanning, secret detection, and SIEM log integration.

Question 24

Q: What logs are valuable for SOC monitoring from GitHub?

Answer 24

A: GitHub Audit Logs.

Question 25

Q: What logs should be reviewed from GitLab for SOC analysis?

Answer 25

A: GitHub Audit Logs.

Question 26

Q: What is the best way to detect suspicious commit activity?

Answer 26

A: Analyze commit frequency, content, and origin.

Question 27

Q: How can SOC detect CI/CD token misuse?

Answer 27

A: By monitoring IP access, token usage frequency, and locations.

Question 28

Q: What should be periodically rotated in a CI/CD environment?

Answer 28

A: Secrets, tokens, and credentials.

Question 29

Q: Why should developers be trained on CI/CD security?

Answer 29

A: To prevent misconfigurations and reduce insider threats.

Question 30

Q: What is the role of a SOC team in CI/CD security?

Answer 30

A: To monitor, detect, and respond to CI/CD pipeline threats.