What is it about?
Modern software is updated many times a day. New versions are built, tested and released through automated workflows in the cloud. These workflows, often called CI/CD pipelines, help teams move fast, but they also create new openings for attackers. For example, someone could try to slip malicious code into a build, change a configuration at deployment time, or edit the logs to hide what actually happened. This work looks at how blockchain can help protect those pipelines. Instead of keeping key events only in ordinary logs or databases, our framework records important steps of the delivery process on a blockchain. Each record is linked to the previous one and is protected by cryptography, which makes it extremely difficult to change the history of what happened without leaving evidence. The paper focuses on cloud environments, where many tools, services and teams have to cooperate. It maps common security risks to different stages of the pipeline, then shows where blockchain-based logging and verification can add trust. Typical examples include recording who approved a code change, capturing build and test outcomes, and anchoring deployment decisions on a tamper-evident ledger. The goal is to give organisations a clearer, more trustworthy view of how their software moved from source code to running in the cloud.
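A minimal illustration of the linked, tamper-evident records described above, written as an added example for this summary and not code from the paper: each pipeline event (approval, test outcome, deployment decision) is hashed together with the hash of its predecessor, and a verifier walks the chain and compares its head with the value that was anchored on the ledger. The ledger is simplified to that one anchored head hash, and the events, actors and artifact names are constructed sample data.

```python
import hashlib
import json
GENESIS = "0" * 64  # prev-hash of the first entry

def canonical(obj):
    # Deterministic serialization so every verifier derives the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()

def append_event(chain, stage, actor, artifact, outcome):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"index": len(chain), "prev": prev, "stage": stage,
             "actor": actor, "artifact": artifact, "outcome": outcome}
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry["hash"]

def verify_chain(chain, anchored_head=None):
    """Return (ok, first_bad_index); anchored_head is the head hash stored on the ledger."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["index"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)  # local tail was rewritten after anchoring
    return True, None

def tamper_scenarios():
    """Constructed pipeline run; returns the verifier's verdict for three edits."""
    chain = []
    append_event(chain, "approval", "alice", "commit:abc123", "approved")
    append_event(chain, "test", "ci-runner", "build:42", "fail")
    head = append_event(chain, "deploy", "bob", "build:42", "blocked")
    results = {"clean": verify_chain(chain, head)}
    # 1. Flip the test verdict without touching hashes: entry 1 no longer matches.
    chain[1]["outcome"] = "pass"
    results["edit_only"] = verify_chain(chain, head)
    # 2. Also recompute entry 1's hash: entry 2's prev link now dangles.
    chain[1]["hash"] = entry_hash(chain[1])
    results["rehash_one"] = verify_chain(chain, head)
    # 3. Rebuild the whole tail: only the ledger-anchored head exposes it.
    chain[2]["prev"] = chain[1]["hash"]
    chain[2]["hash"] = entry_hash(chain[2])
    results["rehash_all"] = verify_chain(chain, head)
    return results
```

The third scenario is the practical point: a hash chain kept only in an ordinary log can be rebuilt end to end by a privileged insider, so the head hash has to be anchored somewhere that insider cannot rewrite.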
Why is it important?
In recent years, some of the most damaging cyber incidents have come from attacks on the software supply chain. CI/CD pipelines are an attractive target, because a single compromised build or deployment can silently affect thousands or millions of users. Traditional logs and access controls are helpful, but they can sometimes be altered by a skilled insider or an attacker with high privileges. This work is timely because it treats the delivery pipeline as something that must be provably trustworthy, not just efficient. The proposed framework shows how blockchain can provide cryptographically strong audit trails around builds, tests and releases in cloud environments. This can support incident response, compliance and forensics, and can guide future tools that aim to make software delivery both fast and verifiable. In the longer term, these ideas could help set expectations and standards for secure, transparent DevOps in industry.
Perspectives
For me, this paper is the starting point of a larger research journey rather than the final answer. In practice, many teams now rely on complex cloud pipelines, but when a security incident occurs, it is surprisingly hard to reconstruct a reliable story of who did what, when, and with which code. That tension between high automation and low traceability motivated this work. In this publication, my co-authors and I wanted to move beyond the slogan of "add blockchain to security" and instead give a structured view of where it can genuinely help in CI/CD. We organised the main threats, identified where trust breaks down in current pipelines, and then outlined how blockchain-backed logging could restore some of that trust. The ideas in this paper already feed into our later work on AI-assisted log analysis and tamper-evident logging for CI/CD pipelines. I see it as laying the conceptual foundations for future prototypes that bring together cloud engineering, security and decentralised ledgers in a practical way.
Sabbir M. Saleh
Western University
Read the Original
This page is a summary of: Towards a Blockchain-Based CI/CD Framework to Enhance Security in Cloud Environments, January 2025, Scitepress, DOI: 10.5220/0013298200003928.