Real-world stories of how we’ve compromised CI/CD pipelines

This page summarizes the projects mentioned and recommended in the original post on

  • sysbox

    An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.

    We’ve been using Sysbox for our Buildkite-based CI/CD setup; it allows docker-in-docker without privileged containers. Paired with careful IAM/STS design, we’ve ended up with isolated job containers with their own IAM roles limited to least privilege.

  • distrobuilder

    System container image builder for LXC and LXD

    > They claim that "standard containers" cannot run a full OS. ... this works just fine with rootless podman and, more recently, rootless docker.

    > Anyone who wants unprivileged system containers might want to look into rootless docker or podman rather than this.

    Perhaps I'm missing something, but I have been running full OS userlands using "standard containers" in production for years, via LXD[1].


  • platform-compat

    Roslyn analyzer that finds usages of APIs that will throw PlatformNotSupportedException on certain platforms.

    Except afaict SecureString doesn't reliably do that and shouldn't be used.
