Protect CI/CD Pipelines from Attack
Make Jenkins, ArgoCD, and CI/CD Dashboards Invisible
The Problem
CI/CD pipelines are some of the most valuable and most exposed infrastructure in any organization. Tools such as Jenkins, ArgoCD, GitLab CI, CircleCI self-hosted runners, and Concourse often sit on the public internet with nothing but a login page protecting them. That login page tells attackers everything: what CI/CD tool you use, what version you're running, and that credentials are the only barrier. Jenkins alone has had over 400 CVEs.

A compromised CI/CD pipeline gives attackers the ability to inject malicious code into your software supply chain, the most devastating class of attack. SolarWinds. Codecov. ua-parser-js. These supply chain attacks all leveraged compromised build infrastructure. Your CI/CD pipeline holds the keys to your software kingdom.
The Current Approach
How teams typically protect CI/CD infrastructure:

1. **Login page + SSO**: Better than basic auth, but the endpoint is visible and the login page is attackable.
2. **IP allowlisting**: Only allow access from office IPs. Breaks for remote developers. Painful to maintain.
3. **VPN-only access**: Forces all developers through a VPN to reach CI/CD. Adds latency and friction to every deploy.
4. **Private subnet + bastion**: Keeps CI/CD off the public internet but requires a bastion host (which is itself an attack surface).
The LayerV Solution
Make your CI/CD dashboards invisible. No login page to discover, no endpoint to probe, no Jenkins version to fingerprint.

Developers authenticate through Okta and receive a QURL to the CI/CD dashboard. They access it in their browser like normal. When the session ends, the dashboard returns to an invisible state. Attackers, scanners, and automated exploit tools find nothing.

This eliminates the entire class of CI/CD exploitation that begins with discovering the endpoint. You can't exploit a Jenkins CVE against a Jenkins instance that doesn't exist on the internet.

For automated pipeline access (webhook triggers, API-driven deploys), QURLs can be created programmatically with the QURL API, scoped to specific endpoints with time-limited access.
Key Benefits
Eliminate CI/CD as a target
Can't exploit Jenkins CVEs against infrastructure that doesn't exist on the internet.
Supply chain protection
Hidden build infrastructure can't be compromised by external attackers to inject malicious code.
No developer friction
Developers authenticate via Okta SSO and access CI/CD dashboards in their browser. No VPN needed.
Automated pipeline support
QURL API enables programmatic access for webhooks and API-driven deployments.
Ideal For
- Engineering teams running self-hosted Jenkins, ArgoCD, or GitLab CI
- Organizations concerned about software supply chain attacks
- DevOps teams with internet-facing build infrastructure
- Companies with compliance requirements around build pipeline security