Detection of potentially malicious activity in CI/CD pipelines based on analysis of runner behavior
The article addresses the problem of detecting potentially malicious activity in CI/CD pipelines during the build process through the analysis of runner behavior. The limitations of existing pipeline security tools with respect to detecting threats during build execution are identified, along with promising approaches to detecting malicious activity. A method for detecting potentially malicious activity in pipelines is proposed that uses eBPF to collect and analyze runner behavior. The detection accuracy is evaluated on a dataset containing implementations of malicious scenarios that involve compromise of the build process. The results can be used to implement protection tools for CI systems and contribute to research in CI/CD pipeline security.
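The abstract describes analyzing runner behavior collected with eBPF but does not spell out the detection logic. The following is an added illustration of the general idea, not code from the paper or from any CI system: kernel-level process and network events from a known-good build of the same project are turned into a behavioral baseline (executed binaries, parent-child process relationships, outbound destinations), and a later run of the pipeline is compared against it. The event schema (`RunnerEvent`), the two event traces, and the pid-1 "init" parent are all constructed assumptions standing in for what an eBPF tracer on the runner would report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RunnerEvent:
    """One event as a hypothetical eBPF tracer on the runner would report it."""
    pid: int
    ppid: int
    comm: str     # short name of the executing process
    kind: str     # "exec" (process started) or "connect" (outbound TCP connect)
    target: str   # path of the executed binary, or "host:port" for connect


# Constructed trace of a known-good build: clone, install dependencies, run tests.
BASELINE_RUN = [
    RunnerEvent(100, 1, "bash", "exec", "/usr/bin/bash"),
    RunnerEvent(101, 100, "git", "exec", "/usr/bin/git"),
    RunnerEvent(101, 100, "git", "connect", "github.com:443"),
    RunnerEvent(102, 100, "npm", "exec", "/usr/bin/npm"),
    RunnerEvent(102, 100, "npm", "connect", "registry.npmjs.org:443"),
    RunnerEvent(103, 102, "node", "exec", "/usr/bin/node"),
]

# Constructed trace of a later run of the same pipeline. PIDs differ (they always
# do between runs), and a test process additionally spawns a download tool that
# talks to an address the baseline never saw (203.0.113.10 is a documentation range).
SUSPECT_RUN = [
    RunnerEvent(200, 1, "bash", "exec", "/usr/bin/bash"),
    RunnerEvent(201, 200, "git", "exec", "/usr/bin/git"),
    RunnerEvent(201, 200, "git", "connect", "github.com:443"),
    RunnerEvent(202, 200, "npm", "exec", "/usr/bin/npm"),
    RunnerEvent(202, 200, "npm", "connect", "registry.npmjs.org:443"),
    RunnerEvent(203, 202, "node", "exec", "/usr/bin/node"),
    RunnerEvent(204, 203, "curl", "exec", "/usr/bin/curl"),
    RunnerEvent(204, 203, "curl", "connect", "203.0.113.10:8080"),
]


def _comm_map(events):
    """Map pid -> comm from the exec events of one run; pid 1 is assumed to be the runner's init."""
    comms = {1: "init"}
    for e in events:
        if e.kind == "exec":
            comms[e.pid] = e.comm
    return comms


def profile(events):
    """Summarize a run without PIDs, so profiles from different runs are comparable."""
    comms = _comm_map(events)
    binaries, lineage, destinations = set(), set(), set()
    for e in events:
        if e.kind == "exec":
            binaries.add(e.target)
            lineage.add((comms.get(e.ppid, "?"), e.comm))   # (parent comm, child comm)
        elif e.kind == "connect":
            destinations.add((e.comm, e.target))
    return {"binaries": binaries, "lineage": lineage, "destinations": destinations}


def detect(baseline, run):
    """Return [(event, [reasons])] for every event in `run` that deviates from the baseline."""
    base = profile(baseline)
    comms = _comm_map(run)
    findings = []
    for e in run:
        reasons = []
        if e.kind == "exec":
            if e.target not in base["binaries"]:
                reasons.append(f"binary {e.target} was never executed in the baseline")
            parent = comms.get(e.ppid, "?")
            if (parent, e.comm) not in base["lineage"]:
                reasons.append(f"{parent} never spawned {e.comm} in the baseline")
        elif e.kind == "connect":
            if (e.comm, e.target) not in base["destinations"]:
                reasons.append(f"{e.comm} never connected to {e.target} in the baseline")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in detect(BASELINE_RUN, SUSPECT_RUN):
        print(f"pid {event.pid} {event.kind} {event.target}: " + "; ".join(reasons))
```

Comparing against a baseline rather than a fixed blocklist is what makes this approach fit CI: each pipeline has its own legitimate set of tools and registries, and a new binary, an unusual parent-child relationship, or a new outbound destination is meaningful precisely relative to that pipeline's earlier runs. A real deployment would aggregate several clean runs into the baseline and tolerate expected variation (e.g. registry mirrors), which this illustration does not attempt.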