Ambush from All Sides: Understanding Security Threats in Open-Source Software CI/CD Pipelines

Ziyue Pan, Wenbo Shen, Xingkai Wang, Yutian Yang, Rui Chang, Yao Liu, Chengwei Liu, Yang Liu, Kui Ren
DOI: https://doi.org/10.1109/TDSC.2023.3253572
2024-01-31
Abstract: The continuous integration and continuous deployment (CI/CD) pipelines are widely adopted on Internet hosting platforms, such as GitHub. With the popularity, the CI/CD pipeline faces various security threats. However, current CI/CD pipelines suffer from malicious code and severe vulnerabilities. Even worse, people have not been fully aware of its attack surfaces and the corresponding impacts.
Cryptography and Security
### What problems does this paper attempt to solve?

This paper aims to uncover and quantify security threats in continuous integration and continuous deployment (CI/CD) pipelines. Specifically, it identifies security vulnerabilities in CI/CD pipelines and their impacts through large-scale measurement and systematic analysis. The key problems the paper addresses are:

1. **Security issues of CI/CD pipelines**
   - Current CI/CD pipelines contain malicious code and serious vulnerabilities, but their attack surfaces and corresponding impacts are not fully understood.
   - The paper aims to reveal the attack surfaces of CI/CD pipelines and quantify their security impact through large-scale measurement and systematic analysis.
2. **Ease of access to, and triggering of, CI/CD pipelines**
   - Most open-source software uses Internet hosting platforms (such as GitHub) to host source code, and their CI/CD pipelines are also open to the public and easy to trigger.
   - This openness and ease of triggering make CI/CD pipelines the top target for attackers.
3. **Widespread impact of CI/CD pipelines**
   - Open-source software relies on CI/CD pipelines for automated maintenance and delivery, so security issues in CI/CD pipelines can affect the entire software supply chain.
   - The paper aims to reduce the potential risk to the software supply chain by studying the security of CI/CD pipelines.
4. **Deficiencies in existing research**
   - Compared with source-code security research, research on CI/CD script security is scarce and incomplete.
   - The paper fills this gap through systematic and quantitative analysis.

### Main contributions

- **Large-scale measurement**: Measured more than 320,000 GitHub repositories configured with CI/CD, revealing new findings on script runtime, use of sensitive operations, script use, and update lag.
- **New analysis tool**: Developed a tool named CI-Analyser for parsing CI/CD scripts/pipelines and extracting key security information.
- **Attack surfaces and actual attacks**: Analyzed the attack surfaces of CI/CD scripts from multiple aspects, including input, pipeline runtime, and output, and designed five attacks against real-world CI/CD environments to evaluate the practical feasibility and impact of these attack surfaces.
- **Mitigation suggestions**: Based on the measurement results and attack-surface analysis, proposed multi-level mitigation suggestions covering CI/CD configuration, CI/CD scripts, and CI/CD infrastructure.

Through these efforts, the paper provides an important theoretical and practical basis for understanding and enhancing the security of CI/CD pipelines.
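As an added illustration of the kind of information such a script analyser extracts (this is example code written for this page, not the paper's CI-Analyser), the audit below walks a parsed GitHub Actions workflow and reports third-party actions not pinned to a commit (the update-lag dimension), secrets referenced by steps, and shell commands matching an assumed "sensitive operation" heuristic. The workflow dict, the placeholder commit SHA and the sensitive-command patterns are all constructed assumptions.

```python
import re

# Constructed sample: the dict yaml.safe_load() would return for a small GitHub
# Actions workflow. The 40-hex action ref is a placeholder, not a real commit.
WORKFLOW = {
    "name": "build",
    "on": ["push", "pull_request"],
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v3"},
                {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
                {"run": "npm ci && npm test"},
                {"run": "curl -sSL https://example.invalid/install.sh | sh"},
                {"run": "npm publish",
                 "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
            ],
        }
    },
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # action pinned to a full commit
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
# Assumed heuristics for "sensitive operations" (the paper's own criteria are not
# on this page): piping a download into a shell, or publishing/pushing artifacts.
SENSITIVE_RE = re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh\b|\b(npm publish|docker push|git push)\b")

def audit_workflow(wf):
    """Return (location, finding, detail) tuples for every step of every job."""
    findings = []
    for job_name, job in wf.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            where = f"{job_name}[{i}]"
            uses = step.get("uses", "")
            if uses and not uses.startswith(("./", "docker://")):
                _, _, ref = uses.partition("@")
                if not SHA_RE.match(ref):           # tag/branch ref floats with upstream
                    findings.append((where, "unpinned-action", uses))
            cmd = step.get("run", "")
            if SENSITIVE_RE.search(cmd):
                findings.append((where, "sensitive-run", cmd))
            # secrets may be referenced in the command, the env block, or action inputs
            blob = " ".join(map(str, [cmd, *step.get("env", {}).values(),
                                      *step.get("with", {}).values()]))
            for name in SECRET_RE.findall(blob):
                findings.append((where, "secret-use", name))
    return findings
```

Running `audit_workflow(WORKFLOW)` on the constructed workflow yields four findings: the unpinned `actions/checkout@v3`, the `curl | sh` step, the `npm publish` step, and the `NPM_TOKEN` secret it consumes; the SHA-pinned `setup-node` step produces none.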