Recent supply chain attacks like the Codecov incident have certainly drawn attention to CI pipelines. Many customers now realize that an effortless integration with a seemingly credible software vendor can leak their source code and secrets.
Based on Cycode’s product feature page, I summarize my understanding of the features Cycode provides here, in simple language:
Integrates with your CI/CD tools and organizes the pipelines into a centralized dashboard. — some access control and audit
Compares source code in different places of your system and checks for mismatches. — integrity monitoring
Scans for secrets in repos. — detects bad practice, similar to what is already provided by some open source secret scanners.
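To make the integrity monitoring item concrete, here is an added example (my own code, not Cycode’s) of the two checks a pipeline can run itself: comparing the reviewed checkout against what the CI runner actually executes, and refusing a vendor-supplied script whose digest no longer matches the one pinned at review time. The directory layout, file names and digests are all constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root):
    """Map each file path (relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_trees(reference, observed):
    """Return (missing, unexpected, modified) paths of observed vs. reference."""
    ref, obs = tree_digests(reference), tree_digests(observed)
    missing = sorted(set(ref) - set(obs))
    unexpected = sorted(set(obs) - set(ref))
    modified = sorted(p for p in ref.keys() & obs.keys() if ref[p] != obs[p])
    return missing, unexpected, modified

def verify_pinned(path, expected_sha256):
    """True only if the script matches the digest pinned in the pipeline config."""
    return hmac.compare_digest(sha256_file(path), expected_sha256)

def demo():
    """Constructed scenario: a reviewed checkout vs. what the CI runner executes."""
    with tempfile.TemporaryDirectory() as d:
        ref, obs = Path(d, "reference"), Path(d, "runner")
        for base in (ref, obs):
            (base / "ci").mkdir(parents=True)
            (base / "ci" / "build.sh").write_text("#!/bin/sh\nmake all\n")
            (base / "ci" / "upload.sh").write_text("#!/bin/sh\n./uploader --file report\n")
        # On the runner the vendor uploader differs from the reviewed copy, and an uncommitted file appeared.
        (obs / "ci" / "upload.sh").write_text("#!/bin/sh\n./uploader --file report\n# changed\n")
        (obs / "ci" / "extra.sh").write_text("#!/bin/sh\n")
        diff = compare_trees(ref, obs)
        # Pinning: the digest recorded when upload.sh was reviewed must still match before it runs.
        pinned = sha256_file(ref / "ci" / "upload.sh")
        ok_ref = verify_pinned(ref / "ci" / "upload.sh", pinned)
        ok_obs = verify_pinned(obs / "ci" / "upload.sh", pinned)
        return diff, ok_ref, ok_obs
```

In a real pipeline the reference digests would be recorded at code review and the comparison run on the agent right before the scripts execute, so a swapped uploader fails the job instead of running with the build’s secrets.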
Cycode has mentioned the Codecov incident multiple times in their product pages. Cycode’s claimed product features certainly could add layers of monitoring and control to CI pipelines. However, it’s still unclear to me how their product would have protected users of a hacked supplier.