Wiz
Blog

The Overlooked Attack Surface: Securing Code Repositories, Pipelines, and Developer Infrastructure

Learn how Wiz for ASPM extends security to developer infrastructure by continuously enforcing secure defaults and detecting threats across the software supply chain.

Karin Magriso, Ziad Ghalleb
5 minute read

The Blind Spot in Application Security

Code scanning, dependency analysis, and runtime application protection have long dominated the AppSec conversation. But in the last few years, attackers have exposed a deeper weakness—the tools and processes that build and deliver software itself. So much so that Forrester’s 2024 State of Application Security Report ranks software supply chain breaches as the #1 external attack vector—surpassing traditional software vulnerability exploits.

Compromised repositories, build pipelines, and malicious dependencies are now standard tactics in the attacker playbook. Each incident reinforces the same lesson: if attackers can poison the pipeline, they don’t need to wait for a zero-day vulnerability in the operating system or application layers.

This post explores why securing developer infrastructure is a core pillar of modern Application Security Posture Management (ASPM). Instead of merely shifting security left, Wiz Code integrates security posture management, threat detection, and risk prioritization across the entire software supply chain.

Securing Developer Infrastructure One Component at a Time

Organizations have spent years improving the security posture of their cloud environments—monitoring workloads, storage, and networking for misconfigurations. But developer environments—version control systems, CI/CD pipelines, and artifact registries—are now either cloud-hosted or deeply cloud-connected, continuously delivering software and artifacts to this environment. These systems demand the same level of security oversight to prevent misconfigurations, supply chain risks, and unauthorized access.

Wiz Code expands the scope of ASPM beyond orchestrating code scanners and correlating or prioritizing their findings. It integrates core Cloud Security Posture Management (CSPM) and Cloud Detection and Response (CDR) principles into developer environments. By continuously assessing repository configurations, branch protections, pipeline security settings, and registries, Wiz delivers a unified approach to manage risk across the entire software factory proactively.

Identities: The First (and Weakest) Link

Developer accounts hold the keys to the kingdom—access to source code, pipelines, registries, and sometimes even production systems. Yet, organizations often struggle to track who has access to what.

Wiz Code continuously maps developer identities across version control systems, identity providers, and cloud accounts, ensuring security teams know who has access, where they have it, and whether they should.

Reviewing developer accounts in the identities inventory

The Wiz Security Graph consolidates this identity data into a single, queryable model, making it easy to spot risky access patterns such as:

  • External collaborators with write access to private repositories.

  • Inactive users still retaining admin privileges in a codebase.

  • Non-member users with privileged repository access despite not belonging to any VCS organization.

Beyond human identities, Wiz also detects overprivileged service accounts—especially those provisioned by third-party GitHub Apps (e.g., CI/CD extensions, security scanners, and automation tools).

Detecting inactive GitHub Apps and their permissions

This ensures security teams understand every entity—human or machine—that can modify their codebase.

Version Control and CI/CD Systems: Where Code Becomes Software

Version control systems and CI/CD pipelines are the beating heart of the software factory. They don’t just store code—they define how it moves through development, how changes are tested, and how they reach production.

Attackers know this, so they increasingly exploit weak repository configurations and insecure CI/CD workflows to manipulate source code, exfiltrate secrets, or introduce malicious dependencies. One example is the Ultralytics PyPI attack (2024), where attackers compromised a maintainer’s repository and injected a backdoored package update into a widely used open-source library. The malware silently executed on end-user machines, stealing credentials and accessing cloud services before detection. 

By ingesting repository metadata and settings, Wiz Code continuously applies prebuilt security rules to enforce access controls and prevent untrusted code from entering the pipeline. For example, this includes:

  • Requiring peer reviews before merging into protected branches to prevent unauthorized code changes.

  • Blocking force pushes to default branches to prevent the rewriting of commit history.

  • Requiring repositories to stay updated to reduce stale or outdated projects that could be hijacked.

  • Restricting self-hosted GitHub Actions and GitLab Runners to authorized repositories only.

  • Preventing workflows from auto-approving pull requests.

A repository where the default branch doesn't require checks to pass before merging

In addition, Wiz Code’s controls are mapped to a built-in framework for Code & Supply Chain Security, in addition to industry-standards, including CIS Benchmarks, OWASP TOP10 CI/CD Security Risks, and OpenSSF Source Code Management Best Practices.

Assessing compliance against OWASP's TOP10 CI/CD Risks framework

Compliance reports can be generated on demand, allowing security teams to assess policy adherence for specific product teams, business units, or development environments, ensuring audit readiness at all times.

Beyond Misconfigurations–Detecting & Responding to Active Threats

Security posture management is critical, but misconfigurations alone don’t tell the full story. Organizations need to move beyond static posture checks and actively detect threats unfolding across their software supply chain—from compromised developer accounts to malicious code injections and rogue pipeline executions.

Wiz correlates security signals across all layers, combining source code management (SCM) audit logs, CI/CD activity, and runtime events to surface risks that traditional scanning tools miss.

Detecting malicious cryptomining activity on a self-hosted CI runner

For self-hosted VCS instances or workloads running CI runners, the Wiz Sensor can be deployed to detect suspicious activity. For instance, it can flag a CI runner making outbound requests to a known crypto-mining domain, an early indicator of compromise or unauthorized access. Wiz then ties this activity back to the originating VM and the associated GitHub repository—mapping the full attack path.

At the same time, Wiz continuously ingests and analyzes audit logs from version control systems and CI/CD platforms, surfacing real-time threats such as:

  • Unauthorized repository access, like a cloning operation from a suspicious IP.

  • Security control modifications, such as deleting a repository’s branch protection ruleset.

  • Privilege escalations, like the sudden provisioning of a personal access token (PAT) with admin permissions.

Leveraging GitHub audit logs to detect suspicious activity

Misconfigurations, identity risks, and active threats don’t exist in isolation. Without a unified security model, organizations are forced to manually correlate fragmented findings across control and data planes.

The Wiz platform bridges the gap between static security posture and active threat detection by normalizing security signals across developer infrastructure, cloud environments, and runtime activity—all within the Wiz Security and Investigation Graphs. This enables real-time risk assessment, allowing security teams to focus on prioritizing and responding to threats–without needing to manually stream, store, or correlate signals across various systems and planes.

Artifact Registries: The Final Stop Before Deployment

By the time software is pulled from a container registry or package repository, it’s often assumed to be safe. However, history has shown that trusted artifacts can still be tampered with.

In December 2024, attackers compromised Kong’s DockerHub registry account and published a malicious Docker image containing a cryptominer—affecting version 3.4.0 of the Kong Ingress Controller. This incident underscores the reality that supply chain security doesn’t stop at CI/CD—organizations must also protect their artifact registries.

Wiz helps harden registries and their artifacts by detecting:

  • Repositories storing container images that contain plaintext credentials or cleartext SAS tokens–leading to lateral movement.

  • Container repositories that allow unrestricted overwrites, enabling any user to replace or modify images used to build containers with high privileges.

Additionally, Wiz integrates directly into the software delivery pipeline by enabling container image signing during the build process (via the WizCLI) and verifying signatures before deployment using the Wiz Admission Controller. This ensures that only trusted, verified container images can be deployed into Kubernetes clusters.

Get Started with Wiz Code And Secure Your Software Delivery Pipeline from the Inside Out

Instead of relying on one-off manual reviews, security teams can now leverage Wiz Code to ensure the security of and around their organization’s software delivery pipeline. By connecting repositories, CI/CD pipelines, and registries to Wiz, teams gain continuous enforcement of security best practices and real-time detection of risks across developer environments—without disrupting engineering workflows.

To learn more, explore the latest Wiz Code documentation and release notes (requires login) or request a live demo.

Tags
#Product#Wiz Code

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo