CI/CD & Cloud Security

Harden your pipeline.
Ship with confidence.

Eliminate long-lived credentials, lock down GitHub Actions, and baseline your AWS security — in 2–4 weeks. Delivered as Terraform and code.

Let's talk

Your CI/CD pipeline is one leaked secret away from an incident

Long-lived AWS access keys stored as GitHub secrets are a ticking clock. They get committed, rotated "eventually," and forgotten in workflows nobody's touched in months.

# ❌ the old way — still everywhere
AWS_ACCESS_KEY_ID = "AKIA..."        # stored in GitHub secrets
AWS_SECRET_ACCESS_KEY = "wJalr..."   # long-lived, hard to rotate

# ✅ the new way — OIDC
permissions:
  id-token: write                    # GitHub proves its identity
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::ACCOUNT:role/deploy
      aws-region: us-east-1
# short-lived token. nothing to leak.
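The workflow snippet above is only half of the picture; the other half is the AWS trust policy that decides which GitHub workflows may assume the role at all. Here is that half in Terraform, as an added example that is not code from this page or from the aws-actions project, assuming a placeholder repo `example-org/example-app`, a placeholder bucket `example-deploy-bucket`, and that only the `main` branch should be able to deploy:

```hcl
# Added example, not code from this page. Placeholders: example-org/example-app, example-deploy-bucket.
# Register GitHub's OIDC issuer once per account.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Thumbprint as published by GitHub; verify against current GitHub docs.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

# Trust policy. The sub condition is the actual access control: without it,
# any GitHub repository on the platform could assume this role.
data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      # Only workflows running on main of this repo; pull_request runs carry a different sub and are rejected.
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-app:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name               = "deploy"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}

# Least privilege: only what this one workflow needs (here, writing to one bucket).
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    actions   = ["s3:PutObject", "s3:ListBucket"]
    resources = ["arn:aws:s3:::example-deploy-bucket", "arn:aws:s3:::example-deploy-bucket/*"]
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_permissions.json
}
```

A quick check after applying: in CloudTrail, every `AssumeRoleWithWebIdentity` event for this role should show a `sub` matching the branch you pinned; anything else means the condition is too loose.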

Four pillars. One sprint.

End-to-end hardening across your GitHub org, CI/CD workflows, and AWS baseline — all shipped as code you own.

🔐 CI/CD Credential Hardening

Migrate GitHub Actions to AWS OIDC. Eliminate long-lived keys. Least-privilege IAM roles per workflow.

🛡️ GitHub Org & Repo Security

Branch protections, CODEOWNERS, token governance, secret scanning, and access cleanup across your org.

☁️ AWS Security Baseline

IAM tightening, CloudTrail, GuardDuty, S3 encryption defaults — all defined in Terraform you can version.

📣 Detection & Alerting

Slack alerts on critical auth and deploy events. Executable runbooks. A monthly 20-minute ops checklist.

Three steps. No surprises.

01. Audit

We map your GitHub org, workflows, IAM policies, and secrets. Find the gaps before they find you.

02. Harden

Ship fixes as Terraform modules and PRs. OIDC migration, lockdowns, baselines — all reviewable, all in your repo.

03. Hand off

You own everything. Full handover package: access review, runbooks, rotation playbook, and a before/after risk snapshot.

Pick your scope

Fixed-scope engagements with clear deliverables. No hourly billing surprises.

Repo Security Baseline

$3k–$7k
~1 week
  • GitHub org & repo audit
  • Branch protections & CODEOWNERS
  • Secret scanning & push protection
  • Token & access cleanup
  • Before/after risk snapshot

Full Sprint

$12k–$25k
3–4 weeks
  • Everything in Repo + CI/CD
  • AWS security baseline (IAM, trails, guardrails)
  • Slack alerting & incident runbooks
  • Monthly ops checklist
  • Full handover package

Ready to harden your stack?

Let's talk

Tell me about your setup — GitHub org size, whether you're deploying to AWS from Actions, how many workflows touch production. I'll scope it out and get back to you within 24 hours.

evan@zerocreds.io