PIPELINE

CI/CD Attack Engine — supply chain, code injection, cloud pivot. Compromise the pipeline. Own the cloud.
8 Subsystems | 77 Tests | 25 ARMORY Payloads | 3 Clearance Levels
pip install red-specter-pipeline
pull_request_target runs with write permissions for fork PRs / AI code review bots are prompt-injectable / GitHub Actions pinned to floating tags are supply chain targets / Cache poisoning crosses the fork trust boundary / OIDC tokens pivot directly to AWS GCP Azure / Your CI pipeline has write access to production / Clinejection — Feb 2026 — AI reviewer hijack

Your Pipeline Is the Attack Surface

Modern CI/CD pipelines have write access to production. They hold your cloud credentials, your secrets, your deployment keys. A single misconfigured workflow — one unverified fork PR, one unpinned Action — is a full production compromise. PIPELINE maps every attack surface and exploits it.

pull_request_target Runs With Write Permissions

The most dangerous GitHub Actions misconfiguration. Workflows using pull_request_target run in the base branch context — with GITHUB_TOKEN write permissions — even for fork PRs. Combined with PR head checkout: full repository write access from an external contributor.

AI Code Review Bots Are Prompt-Injectable

Clinejection (Feb 2026): a novel attack class targeting Cline, GitHub Copilot Review, CodeRabbit. PR titles, descriptions, and commit messages hijack AI reviewer behaviour. The reviewer approves what the payload tells it to approve.

Cache Poisoning Crosses Fork Trust Boundaries

When pull_request_target workflows cache dependencies, fork PRs can poison shared build caches consumed by privileged CI runs. A fork PR that poisons the cache contaminates every subsequent build in the repository.

Actions Pinned to Floating Tags Are Supply Chain Targets

uses: actions/checkout@v3 pins nothing. Tag v3 can be moved to any commit. Typosquatted Actions detected via SequenceMatcher similarity analysis sit in the marketplace waiting. One compromised Action in your workflow is a full CI compromise.

OIDC Tokens Pivot Directly to Cloud Production

Workflows with id-token: write can generate short-lived OIDC tokens for AWS, GCP, or Azure authentication. A compromised workflow with OIDC access is a direct path to production infrastructure — no long-lived credential needed.

Secrets Are Exposed to Fork PR Context

Hardcoded AWS keys, GitHub PATs, GitLab tokens, private keys, Slack tokens — all scanned. Secrets exposed to fork PR workflows via environment variables, artifact uploads, or debug logging are exfiltrable with no code execution required.
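The checks described in the six sections above (pull_request_target with a PR head checkout, write-scoped GITHUB_TOKEN, floating Action tags, head_ref-keyed caches, id-token: write, and hardcoded cloud keys) can be expressed as a small static audit of a workflow file. The Python below is an added illustration written for this page, not code from PIPELINE or the Red Specter project. Both workflow files are constructed samples: the weak one deliberately contains every issue, the hardened one corrects each of them. The 40-hex commit id in the hardened file is a placeholder, and AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live credential.

```python
"""Static audit of GitHub Actions workflow text for the CI/CD weaknesses above.

Pure regex, so it needs no YAML library. A full implementation would parse the
YAML properly (this one also accepts list-form triggers such as
`on: [pull_request_target]` only because it matches the bare word).
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule id, explanation)

# Constructed sample: a deliberately weak workflow, not taken from any real repository.
# AKIAIOSFODNN7EXAMPLE is the AWS documentation example key, not a live credential.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ github.head_ref }}
      - run: npm ci && npm test
"""

# Constructed sample: the same job with the weak settings corrected.
PLACEHOLDER_SHA = "0" * 40  # placeholder standing in for a real pinned commit id
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@%s
      - uses: actions/cache@%s
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci && npm test
""" % (PLACEHOLDER_SHA, PLACEHOLDER_SHA)

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^@\s]+)@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
WRITE_PERM_RE = re.compile(
    r"^[ \t]*(contents|packages|pull-requests|actions|deployments)[ \t]*:[ \t]*write\b", re.M)
OIDC_RE = re.compile(r"^[ \t]*id-token[ \t]*:[ \t]*write\b", re.M)
CACHE_KEY_RE = re.compile(r"^[ \t]*key:.*github\.head_ref", re.M)
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def audit_workflow(text: str) -> List[Finding]:
    """Return one finding per weakness present in the workflow text."""
    findings: List[Finding] = []
    fork_code_in_base_context = re.search(r"\bpull_request_target\b", text) is not None
    checks_out_pr_head = "github.event.pull_request.head" in text

    if fork_code_in_base_context and checks_out_pr_head:
        findings.append(("PRT_HEAD_CHECKOUT",
                         "pull_request_target checks out the PR head: fork code runs with the base branch's GITHUB_TOKEN"))
    if fork_code_in_base_context and WRITE_PERM_RE.search(text):
        findings.append(("PRT_WRITE_TOKEN",
                         "write-scoped GITHUB_TOKEN in a pull_request_target workflow is reachable from fork PRs"))
    if fork_code_in_base_context and OIDC_RE.search(text):
        findings.append(("PRT_OIDC",
                         "id-token: write in a pull_request_target workflow gives fork PRs an OIDC path to the cloud account"))
    for owner_repo, ref in USES_RE.findall(text):
        if not FULL_SHA_RE.match(ref):
            findings.append(("UNPINNED_ACTION",
                             f"{owner_repo}@{ref} is a movable reference; pin to a full commit SHA"))
    if CACHE_KEY_RE.search(text):
        findings.append(("CACHE_KEY_MUTABLE",
                         "cache key built from github.head_ref: a fork chooses the key and poisons later builds"))
    for key_id in AWS_KEY_ID_RE.findall(text):
        findings.append(("HARDCODED_AWS_KEY", f"AWS access key id {key_id} is hardcoded in the workflow"))
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        results = audit_workflow(wf)
        print(f"{label}: {len(results)} finding(s)")
        for rule_id, msg in results:
            print(f"  [{rule_id}] {msg}")
```

Run against the weak sample the audit reports seven findings (two of them for the two floating tags); the hardened sample, which switches the trigger to pull_request, drops the token to read-only, pins both Actions to commits and keys the cache on the lockfile hash, reports none.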

The PIPELINE Armoury

Eight subsystems. Each one attacks a distinct CI/CD surface — from workflow misconfiguration enumeration to AI bot prompt injection to OIDC cloud pivot. Three clearance levels: STANDARD (always available), FORGE (UNLEASHED key required), and --confirm-destroy (explicit destructive confirmation required).

#  | Subsystem     | Clearance         | What It Does
01 | SCAN          | STANDARD          | Pipeline enumeration. Detects pull_request_target privilege escalation, self-hosted runner exposure, over-permissioned GITHUB_TOKEN, workflow_dispatch misconfigurations, secret scope leakage.
02 | SECRETS_HUNT  | FORGE             | Credential discovery. Scans for AWS keys, GitHub PATs, GitLab tokens, private keys, Slack tokens. Flags secrets exposed to fork PRs and credential files in artifact uploads.
03 | ACTION_POISON | FORGE             | GitHub Action supply chain analysis. Detects unpinned Actions using floating tags (@v3, @main). Identifies typosquatted Actions via SequenceMatcher similarity analysis.
04 | INJECT        | FORGE             | Clinejection-class AI bot prompt injection. 7 payloads across PR titles, descriptions, commit messages, issue bodies to redirect AI reviewer behaviour. Targets Cline, Copilot Review, CodeRabbit.
05 | CACHE_POISON  | FORGE             | Cache poisoning attack surface analysis. Targets pull_request_target + cache combinations. Detects insecure cache keys using mutable references (github.head_ref).
06 | PIVOT         | FORGE             | Cloud lateral movement from CI/CD. Detects OIDC token paths to AWS, GCP, Azure. Maps Kubernetes access via kubectl. Generates exploitation walkthroughs per provider.
07 | PERSIST       | --confirm-destroy | CI/CD persistence via Actions backdoor, webhook injection, protected branch bypass, and deployment environment manipulation.
08 | REPORT        | STANDARD          | WARLORD-compatible JSON. MITRE ATT&CK mapping (T1195, T1059, T1552). CVE references. Per-finding CVSS, remediation guidance.

One Pipeline. Every Attack Surface.

Enumerate, inject, pivot — one command against any GitHub Actions repository:

$ pipeline scan --target github.com/org/repo
[SCAN] pull_request_target: VULNERABLE (write perms + head checkout)
[SCAN] GITHUB_TOKEN scope: write — exposed to fork PRs
[SECRETS_HUNT] AWS_ACCESS_KEY_ID found in workflow env
[ACTION_POISON] actions/checkout@v3 — floating tag, supply chain risk
[INJECT] Clinejection payload: PR description → AI reviewer hijacked
[CACHE_POISON] Cache key github.head_ref — fork poisoning possible
[PIVOT] OIDC id-token: write → AWS pivot path confirmed
SCAN COMPLETE | 7 findings | Report signed ✓
8 Attack Subsystems | 77 Tests Passing | 25 ARMORY Payloads | 3 Clearance Levels | 0 Failures

Every Finding Mapped

MITRE ATT&CK

  • T1195 Supply Chain Compromise
  • T1059 Command Execution
  • T1552 Secret Access
  • T1566.001 Spearphishing
  • T1195.001 Software Dependencies
  • T1036 Masquerading
  • T1078 Valid Accounts
  • T1548 Privilege Escalation
Cryptographic Report Integrity

  • Ed25519 digital signatures
  • SHA-256 evidence chains
  • RFC 3161 timestamps
  • Tamper-evident by design
  • AI Shield integration
AI Attack Coverage

  • ATLAS AML.T0051 LLM Prompt Injection (Clinejection)
  • OWASP LLM01 Prompt Injection
  • CVE coverage for OIDC token abuse

NIGHTFALL Tool 62 — Supply Chain Layer

PIPELINE slots into the NIGHTFALL offensive framework as the dedicated CI/CD and supply chain attack engine. Findings feed directly into WARLORD for campaign management and AI Shield for runtime blocking rules.

  • Foundation — LLM Testing: FORGE (Test the LLM before you build)
  • Agent Testing: ARSENAL (Test the AI agent)
  • Infrastructure: ARCHITECT (Attack AI infrastructure)
  • Persistence: LAZARUS (Memory persistence attacks)
  • Rogue MCP: ROGUE (Malicious MCP server engine)
  • Tool 62 — CI/CD: PIPELINE (Supply chain, code injection, cloud pivot)
  • Behavioural: INSTINCTION (Profile the instinct)
  • Drone AI: SPECTER DRONE (Drone AI attack engine)
  • Campaign Control: WARLORD (Autonomous campaign engine)
  • Defence: AI Shield (Defend everything above it)
  • SIEM Integration: redspecter-siem (Findings feed into Splunk, Sentinel, QRadar)

Security Distros & Package Managers

  • Kali Linux: .deb package
  • Parrot OS: .deb package
  • BlackArch: PKGBUILD
  • REMnux: .deb package
  • Tsurugi: .deb package
  • PyPI: pip install
  • macOS: pip install
  • Windows: pip install
  • Docker: docker pull

Authorised Use Only

Red Specter PIPELINE is intended for authorised security testing only. Unauthorised use against CI/CD pipelines, repositories, or cloud infrastructure you do not own or have explicit written permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. The PERSIST subsystem requires explicit --confirm-destroy confirmation and must only be used under the terms of a signed authorisation agreement. Apache License 2.0.

Ed25519 Cryptographic Override: PIPELINE UNLEASHED

Cryptographic override unlocks FORGE-clearance subsystems: SECRETS_HUNT, ACTION_POISON, INJECT, CACHE_POISON, PIVOT. Private key controlled. One operator. Founder's machine only.