Supply Chain Attack Surface in CI/CD Pipelines: Risks and Defences

Anna Kowalska

Abstract

Software supply chain attacks have escalated with the proliferation of open-source dependencies and automated deployment tools. This paper investigates vulnerabilities in Continuous Integration/Continuous Deployment (CI/CD) pipelines and proposes practical defence mechanisms to secure the build and release lifecycle. Using Jenkins and GitHub Actions as case studies, we assess risks such as credential leakage, dependency poisoning, artifact tampering, and container trust violations. A scan of 1,500 public CI/CD configurations reveals that 62% lack integrity checks or secure secret handling practices. We simulate attacks where poisoned dependencies are injected via typo-squatting and malicious pull requests, demonstrating successful lateral movement into protected networks. To mitigate these threats, we propose a defence-in-depth strategy using Software Bill of Materials (SBOMs), cryptographic signature enforcement (e.g., Sigstore), container image attestation, and policy-as-code frameworks like OPA and Conftest. A prototype pipeline is built using Tekton and secured with admission controllers and signed commits. Our testing shows a 93% detection rate of tampered components and full traceability of build artifacts. We also evaluate organizational readiness, highlighting the need for developer security awareness and tighter access control. This paper presents a practical framework for securing CI/CD pipelines against modern software supply chain threats, aligning with SLSA and NIST SSDF guidelines.
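
The abstract reports a scan for missing integrity checks and weak secret handling but does not state its criteria. As an added illustration (not the paper's scanner), the sketch below audits one GitHub Actions workflow under two assumed criteria: actions and images not pinned to an immutable revision, and sensitive-looking keys assigned literal values. The sample workflow, rule names and patterns are constructed for this example.

```python
import re

# Constructed sample workflow; the 40-hex revision and token are placeholders.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: constructed-not-a-real-token
      API_KEY: ${{ secrets.API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*(.+?)\s*$")
SENSITIVE_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY|PRIVATE_?KEY", re.I)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1)
            if ref.startswith("./"):
                continue  # local action, versioned with the repository
            if ref.startswith("docker://"):
                if not DIGEST_RE.search(ref):
                    findings.append((n, "unpinned-image", ref))
            elif not FULL_SHA_RE.fullmatch(ref.partition("@")[2]):
                findings.append((n, "unpinned-action", ref))
            continue
        kv = KEY_VALUE_RE.match(line)
        if kv and SENSITIVE_RE.search(kv.group(1)):
            value = kv.group(2).strip("'\"")
            # Report the key name only, never the literal value.
            if value and "${{" not in value:
                findings.append((n, "plaintext-secret", kv.group(1)))
    return findings
```

Tag references such as `@v4` are flagged because a tag can be moved to different code after review, whereas a full commit SHA or image digest cannot.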

Article Details

Section

Articles
