CI/CD pipelines produce build artifacts — container images, packages, binaries — that deploy directly to production. If artifacts are tampered with or contain vulnerabilities, the compromise reaches production automatically. Testing covers: are container images scanned for known vulnerabilities? Are artifacts signed and signatures verified at deployment? Can unauthorized artifacts be injected into the pipeline? Are base images from trusted sources? And does the artifact registry enforce access controls?
Technical
Security Testing for CI/CD Build Artifacts: Container Images, Packages, and Binaries — Guide for Chinese Enterprises
Build artifacts ship to production. Testing whether artifacts are scanned, signed, and verified before deployment. Guidance for the Chinese market.