Skip to main content

CI/CD Pipeline Review Checklist

A review of a CI/CD pipeline covering pipeline-as-code, reproducible build-once-promote-everywhere flow, secret hygiene, scanning gates, and one-step rollback. Findings split into must-fix security/correctness items and should-improve speed items.

Estimated Time
4-8 hours
Type
security audit
Category
CI/CD
Steps
14

When to Use This Checklist

Use this checklist when adopting a new CI/CD platform, migrating between providers such as Jenkins to GitHub Actions, or auditing an existing pipeline that has grown organically. A good pipeline is the backbone of safe, fast delivery; a poor one quietly accumulates risk in the form of leaked secrets, non-reproducible builds, and weak promotion gates.

How to Use This Checklist

Review the pipeline definition alongside a recent set of pipeline runs. Reading the configuration tells you what is intended; reading the run logs tells you what actually happens. Walk each required item and capture concrete evidence: the file path of the pipeline-as-code, the stage where scanning runs, the vault integration that injects secrets. Mark performance and SBOM items as opportunities rather than blockers unless your compliance regime requires them.

Group findings into must-fix (security and correctness) and should-improve (speed and ergonomics). Speed matters because a slow pipeline trains engineers to skip it.

What Good Looks Like

In a strong pipeline the configuration lives in version control, every commit is built and tested, and the exact same artifact is promoted across environments rather than rebuilt at each stage. Secrets come from a managed store and pipeline credentials follow least privilege, scoped to only the resources they deploy. Security scanning is a first-class stage that can fail the build. Artifacts land in a managed repository with retention, and each build produces an SBOM and an immutable audit trail of who approved what.

Crucially, rolling back is just redeploying a previous artifact in one action, because the artifact is immutable and stored. Branch protection enforces required checks before merge, so the mainline stays releasable.

Common Pitfalls

The classic anti-pattern is rebuilding the artifact separately for each environment, which means what you tested is not what you ship. Hardcoded secrets in pipeline YAML are another common and serious finding, often hidden in environment blocks or scripts. Over-privileged deploy credentials turn a compromised pipeline into a full account compromise. Finally, pipelines that take too long push teams to bypass them; treat duration as a reliability metric, not a cosmetic one.

Related Resources

Ground the review in pipeline-as-code and build-once-promote-everywhere practices. Add static application security testing in CI and artifact repository management for a defensible, reproducible delivery chain.