How to Secure CI/CD Pipelines with Twingate
Many of our customers need Zero Trust control support for automated processes such as CI/CD pipelines or other unattended tasks.
Those processes often deal with complex dependencies across systems and often require authorization to privileged resources, which can be both difficult to secure and complex to manage, particularly since rules typically depend on static configurations of network routes and firewalls.
This need for access has been traditionally handled by either deploying automated processes or applications directly into the privileged network, or by using a legacy VPN connection to achieve the same end goal.
Both of these approaches have potential security shortcomings that can be mitigated by complex and brittle rules, which compounds the overhead of maintenance over time (not to mention the need to authorize third party SaaS applications in some cases which adds both complexity and potential vulnerabilities).
CI/CD with twingate
Twingate provides Service Accounts in order to address these issues:
Apply consistent controls across end users and services, all in one place.
Service accounts are a first-class citizen in Twingate’s existing Zero Trust architecture, so you can easily assign access to existing resources—or define new ones—in your Twingate admin console, giving you a single view of access across your network and organization.
Easily integrate with existing processes.
Twingate’s Linux and Windows clients now support “headless” modes, allowing you to connect using service account credentials in a single command line. This allows easy deployment in either proprietary or third party applications such as Github Actions.
Instantly modify access rules as needs change.
There is no longer any need to modify firewall rules or re-configure IP allow list configurations. Authorization rules can be modified and keys can be rotated and revoked, ensuring that access remains current without needing to deploy potentially disruptive network changes.
To make it easy to get started, we’ve provided example configuration profiles for both CircleCI and Github Actions.
If you are using either a different CI/CD pipeline or custom automation, these examples can be used as templates to automate starting up Twingate in headless mode and providing programmatic access to protected resources in any scenario.
Service accounts are available for any Enterprise plan customer, and the latest Linux and Windows clients both support service account headless modes.
Last updated 2 months ago