---
title: CI/CD Threat Models and Web App Security on AWS: Pipelines, XSS, CSRF, and SQL Injection
description: GitHub Actions OIDC role sessions are short-lived by design—teams still paste static access keys into workflow logs until scanners or audits catch the diff; supply-chain writeups keep repeating the pattern into 2026.
url: https://www.factualminds.com/blog/aws-cicd-appsec-pipeline-threat-model/
datePublished: 2026-05-08T00:00:00.000Z
dateModified: 2026-06-11T00:00:00.000Z
author: palaniappan-p
category: Security & Compliance
tags: github-actions, aws-security, aws-waf, ci-cd, owasp
---

# CI/CD Threat Models and Web App Security on AWS: Pipelines, XSS, CSRF, and SQL Injection

> GitHub Actions OIDC role sessions are short-lived by design—teams still paste static access keys into workflow logs until scanners or audits catch the diff; supply-chain writeups keep repeating the pattern into 2026.

On **May 8, 2026**, the **dominant CI/CD compromise class** is still “**credential sprawl meets YAML**.” The fix AWS partners preach—**OIDC federation from GitHub Actions to IAM** without long-lived keys—is documented end-to-end in our flagship [GitHub Actions secure CI/CD guide](/blog/github-actions-aws-cicd-security-best-practices/). **This article does not duplicate that playbook**; it gives the **threat model spine** and maps **OWASP-style** failures (XSS, CSRF, SQLi) to **AWS controls**.

> **Reproduce this** — Pipeline gate worksheet: [`examples/architecture-blog-2026/cicd-appsec/pipeline-control-gates.md`](https://www.factualminds.com/examples/architecture-blog-2026/cicd-appsec/pipeline-control-gates.md)

## CI/CD threat surface (compressed)

| Threat                         | Typical failure                      | AWS-aligned control                                     |
| ------------------------------ | ------------------------------------ | ------------------------------------------------------- |
| Stolen build secrets           | Keys in logs, world-writable buckets | OIDC roles, KMS CMKs, deny policies on public artifacts |
| Malicious PR                   | Untrusted `pull_request_target`      | Branch protections, CODEOWNERS, ephemeral runners       |
| Compromised third-party action | Tag drift / supply chain             | SHA pinning, private mirrors                            |
| Drift between prod/staging     | Config-only “hotfix”                 | Same IaC modules, promotion gates                       |

Deep procedures: follow the long-form GitHub Actions article; operational checklist lives in the worksheet above.

> **Opinionated take** — If production deploy still requires an IAM user access key, file a **P0 debt** ticket—there are few excuses left after OIDC maturity.

## XSS: defense in layers

Encoding output beats fancy WAF regexes. For internet-facing HTTP, pair code review with [AWS WAF production guidance](/blog/aws-waf-web-application-firewall-production-guide/) and [API abuse protections](/blog/how-to-configure-aws-waf-api-protection-beyond-basics/).

**Failure mode**: admin consoles trusting **rich text** stored in RDS without sanitization—a WAF inspects requests at the edge and never sees that stored payload being rendered into a page inside an authenticated session.

## CSRF: follow your session model

Cookie sessions need CSRF tokens / SameSite discipline. Bearer tokens in memory change risk posture but introduce other XSS blast radius problems—pick intentionally.

## SQL injection: RDS is not magical

Use **parameterized queries** everywhere raw SQL appears. For ORM users: ban string-built `WHERE` clauses.

Pair database hygiene with broader hardening in [10 AWS security practices](/blog/10-aws-cloud-security-best-practices-implementation-guide/) and [beyond-the-basics workload security](/blog/securing-aws-workloads-beyond-the-basics/).

> **What broke** — A reporting microservice built `ORDER BY ${userColumn}` for “flexibility.” Automated scanners missed it until a tenant passed `id; DROP TABLE` scaffolding in staging. Fix: **allow-list** sort columns, separate reporting replica with read-only creds.

## Full-repository review (May 2026)

PR-time SAST in [GitHub Actions security patterns](/blog/github-actions-aws-cicd-security-best-practices/) catches diff-sized issues. **[AWS Security Agent full-repository code review](/blog/aws-security-agent-full-repository-code-review/)** runs broader trust-boundary and data-flow reasoning across the whole tree — useful for systemic SQLi/XSS paths that never touch a single hot file in one PR.

## What This Post Doesn’t Cover

- **Container image signing** deep dive (refer to Inspector + CI guide cross-links in the GitHub Actions article).
- **IAM Permission Boundaries** math for deployment roles—covered better in [IAM best practices](/blog/aws-iam-best-practices-least-privilege-access-control/).

## If You Only Do One Thing

Turn on **organization-level OIDC** patterns and delete the last **AWS_ACCESS_KEY_ID** secret used for deployment—measure blast radius reduction in quarterly access reviews.

## What to Do This Week

1. Walk the pipeline worksheet with security + platform leads; assign owners per unchecked row.
2. Run SAST + dependency scan on default branch; block promotion on criticals without risk acceptance record.
3. Spot-check top 10 dynamic SQL calls for interpolation—ORMs hide surprises.

Continue architecture resilience reading at [production resilience patterns](/blog/aws-resilience-retries-circuits-graceful-shutdown/) and data coupling at [distributed data field notes](/blog/aws-data-transactions-partitioning-at-scale/).

## FAQ

### When is scanning alone insufficient for CI/CD security?
When developers can bypass pipelines with local admin credentials, or when emergency break-glass roles lack MFA and auditing. Tooling must pair with IAM boundaries, branch protections, and periodic drills—not checkbox compliance.

### Does AWS WAF replace secure coding for XSS?
No—WAF rules buy time against known payloads; stored XSS still needs output encoding, CSP headers where feasible, and framework defaults (React escaping, template engines configured correctly). WAF complements; it does not absolve.

### How do we stop CSRF for cookie-authenticated APIs?
Use modern CSRF token patterns, SameSite cookies where appropriate, and avoid cross-origin credentialed requests without explicit CORS design. For SPAs using JWT in memory-only storage, CSRF risk shifts—threat model the actual browser storage story.

### When does parameterized querying still fail against SQL injection?
When dynamic identifiers (table/column names) are concatenated from user input into prepared statements, or when ORMs execute raw SQL fragments built by string interpolation. Ban dynamic DDL from request parameters entirely.
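The `ORDER BY ${userColumn}` incident in the "What broke" callout and this FAQ entry describe the same gap: a bound parameter protects values, not identifiers. The following is an added example, not code from the post or the reporting service it describes; it uses an in-memory SQLite table with constructed rows, and the `SORT_COLUMNS` / `SORT_DIRECTIONS` allow-lists are assumptions about what a reporting endpoint might expose.

```python
import sqlite3

# Constructed sample data standing in for the reporting replica (not from the post).
ROWS = [(1, "acme", 120), (2, "globex", 75), (3, "initech", 300)]

# Allow-list of identifiers that may ever be spliced into SQL text.
# Identifiers cannot be bound as parameters, so this mapping IS the control.
SORT_COLUMNS = {"id": "id", "tenant": "tenant", "spend": "spend"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def connect():
    """In-memory stand-in for a read-only reporting database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id INTEGER, tenant TEXT, spend INTEGER)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?)", ROWS)
    return conn


def report_unsafe(conn, min_spend, user_column):
    """The broken pattern: ORDER BY built from request input.
    The bound parameter protects min_spend but does nothing for the identifier."""
    sql = f"SELECT id, tenant, spend FROM report WHERE spend >= ? ORDER BY {user_column}"
    return conn.execute(sql, (min_spend,)).fetchall()


def report_safe(conn, min_spend, user_column, direction="asc"):
    """Hardened version: allow-list the identifier and direction, bind the value."""
    column = SORT_COLUMNS.get(user_column)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        # Reject rather than "sanitize": there is no safe cleaned-up identifier.
        raise ValueError(f"unsupported sort: column={user_column!r} direction={direction!r}")
    sql = f"SELECT id, tenant, spend FROM report WHERE spend >= ? ORDER BY {column} {order}"
    return conn.execute(sql, (min_spend,)).fetchall()


if __name__ == "__main__":
    conn = connect()
    # Legitimate use looks identical through both paths.
    print(report_safe(conn, 100, "spend", "desc"))
    # A request-controlled fragment rewrites the query in the unsafe path...
    print(report_unsafe(conn, 0, "id LIMIT 1"))
    # ...and is refused outright by the allow-listed path.
    try:
        report_safe(conn, 0, "id LIMIT 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same shape applies to table names, column lists and ORM `order_by()` arguments: map the request string to a fixed identifier, or refuse the request.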

### Should secrets live in GitHub Actions encrypted secrets forever?
Rotate them; prefer OIDC federation to AWS IAM roles with least privilege, and reserve Secrets Manager / Parameter Store for runtime—not build-time—unless unavoidable. Long-lived GitHub secrets rot slower than people change jobs.

---

*Source: https://www.factualminds.com/blog/aws-cicd-appsec-pipeline-threat-model/*
