Threat matrix for CI/CD Pipeline

Last updated 1 year ago

Background

This is an ATT&CK-like matrix focused on CI/CD Pipeline-specific risks.

MITRE ATT&CK® is a knowledge base of adversary tactics and techniques.

To map the threats to CI/CD Pipelines, I use the same classification as the MITRE ATT&CK framework.

(Feedback is welcome)

The purpose of this matrix is to share knowledge on securing CI/CD environments with the cybersecurity community.

This matrix was created by the Mercari Security Team and reviewed by the Platform Team.

Threat Matrix

Figure: threat matrix

Components of CI/CD

Device
- Developer Workstation: Mac/Win/Cloud-based

Git Repository Service
- GitHub, GitLab

CI
- CI/CD Services (e.g. CircleCI, Cloud Build, CodeBuild, GitHub Actions)

CD
- CI/CD Services (e.g. CircleCI, Cloud Build, CodeBuild, GitHub Actions)
- CD Services (e.g. Spinnaker, ArgoCD)

Secret Management
- Secret Management Services (e.g. AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault)

Production environment
- Cloud Services (e.g. AWS, Google Cloud, Microsoft Azure)
- Other Resources (e.g. Container Registry, Linux Server, Kubernetes)

Techniques and Mitigation

Initial Access

Technique: Supply Chain Compromise on CI/CD
Description: Supply chain attacks on application libraries, tools, and container images in CI/CD pipelines.
Mitigation:
  1. (CI, CD) Limit egress connections via Proxy or IP Restriction
  2. (CI, CD) Audit Logging of the activities
  3. (CI, CD) Security Monitoring using IDS/IPS and EDR
  4. (CI, CD) Check each tool's integrity
  5. (CI, CD) Do not allow untrusted libraries or tools

Technique: Valid Account of Git Repository (Personal Token, SSH key, Login password, Browser Cookie)
Description: Use a developer's credentials to access the Git Repository Service (the personal token, SSH key, browser cookie, or login password is stolen)
Mitigation:
  1. (Device) Device security is out of scope
  2. (Git Repository) Network Restriction
  3. (Git Repository) Limit the access permission of each developer (e.g. no write permission, limited read permission)
  4. (CI, CD) Use GitHub App and enable IP restriction

Technique: Valid Account of CI/CD Service (Personal Token, Login password, Browser Cookie)
Description: Use an SSH key or tokens to access CI/CD Service servers directly
Mitigation:
  1. (CI, CD) Strict access control to CI/CD pipeline servers
  2. (CI, CD) Hardening of CI/CD pipeline servers

Technique: Valid Admin account of Server hosting Git Repository
Description: Use an SSH key or tokens to access the server hosting the Git Repository
Mitigation:
  1. (Git Repository) Strict access control to the server hosting the Git Repository
  2. (Git Repository) Hardening of Git repository servers

Execution

Technique: Modify CI/CD Configuration
Description: Modify the CI/CD configuration on the Git Repository (CircleCI: .circleci/config.yml, CodeBuild: buildspec.yml, CloudBuild: cloudbuild.yaml, GitHub Actions: .github/workflows/*.yaml)
Mitigation:
  1. (Git Repository) Only allow pushing of signed commits
  2. (CI, CD) Disallow CI/CD config modification without review (CI/CD must not follow changes of a branch without review)
  3. (CI, CD) Add a signature to the CI/CD config and verify it
  4. (CI, CD) Limit egress connections via Proxy and IP restrictions
  5. (CI, CD) Audit Logging of activities
  6. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Inject code to IaC configuration
Description: For example, Terraform allows code execution and file inclusion, and the code is executed during CI (plan stage). Code execution: provider installation (a provider binary placed alongside the .tf files), use of the External provider. File inclusion: the file function.
Mitigation:
  1. (Git Repository) Only allow pushing of signed commits
  2. (CI, CD) Restrict dangerous code through Policy as Code
  3. (CI, CD) Restrict untrusted providers
  4. (CI, CD) Limit egress connections via Proxy and IP restrictions
  5. (CI, CD) Audit Logging of activities
  6. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Inject code to source code
Description: The application executes test code during CI
Mitigation:
  1. (CI, CD) Restrict dangerous code through Policy as Code
  2. (CI, CD) Limit egress connections via Proxy and IP restrictions
  3. (CI, CD) Audit Logging of the activities
  4. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Supply Chain Compromise on CI/CD
Description: (Repeated; see Initial Access)

Technique: Inject bad dependency
Description: Inject a bad dependency
Mitigation:
  1. (CI, CD) Code checks by SCA (Software Composition Analysis)
  2. (CI, CD) Restrict untrusted libraries and tools
  3. (CI, CD) Limit egress connections via Proxy and IP restrictions
  4. (CI, CD) Audit Logging of activities
  5. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: SSH to CI/CD pipelines
Description: Connect to CI/CD pipeline servers via SSH or a valid token
Mitigation:
  1. (CI, CD) Implement strict access control to CI/CD pipeline servers
  2. (CI, CD) Disallow SSH access
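One way to implement the "Restrict dangerous code through Policy as Code" and "Restrict untrusted providers" mitigations for the Terraform vectors named above (untrusted provider sources, the External provider, the file function reading outside the module, and a provider binary shipped next to the .tf code) is a pre-plan check the pipeline runs on the checkout. This is an added example, not code from the matrix or from Mercari; the trusted-namespace allowlist, the override path list and the sample repository are constructed assumptions.

```python
import re

# Hypothetical organisation policy: allowed provider namespaces, and paths that can
# redirect provider installation or ship a provider binary alongside the .tf code.
TRUSTED_NAMESPACES = {"hashicorp"}
PROVIDER_OVERRIDE_PATHS = (".terraformrc", "terraform.rc", "terraform.d/plugins/", ".terraform/providers/")

REQUIRED_PROVIDERS_RE = re.compile(r"required_providers\s*\{(?P<body>(?:[^{}]|\{[^{}]*\})*)\}", re.DOTALL)
PROVIDER_ENTRY_RE = re.compile(r'(?P<name>[A-Za-z0-9_-]+)\s*=\s*\{[^{}]*?source\s*=\s*"(?P<source>[^"]+)"', re.DOTALL)
EXTERNAL_DATA_RE = re.compile(r'^\s*data\s+"external"\s+"(?P<label>[^"]+)"', re.MULTILINE)
FILE_FUNC_RE = re.compile(r'\b(?:file|filebase64|templatefile)\(\s*"(?P<path>[^"]+)"')

def provider_namespace(source: str) -> str:
    """'hashicorp/aws' -> 'hashicorp'; 'reg.example.com/acme/x' -> 'acme'; bare 'aws' means hashicorp/aws."""
    parts = source.split("/")
    return parts[-2] if len(parts) >= 2 else "hashicorp"

def check_terraform(hcl: str) -> list[str]:
    """Findings for one .tf file; an empty list means it passes the policy."""
    findings = []
    for block in REQUIRED_PROVIDERS_RE.finditer(hcl):
        for entry in PROVIDER_ENTRY_RE.finditer(block.group("body")):
            if provider_namespace(entry.group("source")) not in TRUSTED_NAMESPACES:
                findings.append(f"untrusted provider source: {entry.group('name')} = {entry.group('source')}")
    for m in EXTERNAL_DATA_RE.finditer(hcl):
        findings.append(f"data.external.{m.group('label')} runs a local program during plan")
    for m in FILE_FUNC_RE.finditer(hcl):
        path = m.group("path")
        if path.startswith("/") or ".." in path.split("/"):
            findings.append(f"file function reads outside the module: {path}")
    return findings

def check_repo(files: dict[str, str]) -> list[str]:
    """files maps repository path -> content; in CI this would be read from the checkout."""
    findings = []
    for path, content in sorted(files.items()):
        if any(marker in path for marker in PROVIDER_OVERRIDE_PATHS):
            findings.append(f"{path}: provider installation override committed to the repository")
        if path.endswith(".tf"):
            findings.extend(f"{path}: {f}" for f in check_terraform(content))
    return findings

# Constructed sample repository: a compliant module and a change that must fail the check.
SAFE_TF = """
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}
resource "aws_s3_object" "cfg" {
  content = file("${path.module}/config.json")
}
"""
RISKY_TF = """
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    acme = { source = "registry.example.com/acme/helper" }
  }
}
data "external" "lookup" {
  program = ["./scripts/lookup.sh"]
}
output "hostname" {
  value = file("/etc/hostname")
}
"""
SAMPLE_REPO = {
    "modules/network/main.tf": SAFE_TF,
    "envs/prod/main.tf": RISKY_TF,
    "terraform.d/plugins/linux_amd64/terraform-provider-aws": "<binary blob>",
}

if __name__ == "__main__":
    problems = check_repo(SAMPLE_REPO)
    print("\n".join(problems) or "policy check passed")
    raise SystemExit(1 if problems else 0)  # a non-zero exit blocks `terraform plan` in the pipeline
```

The regex-based parse is deliberately narrow; for a production gate, run it before `terraform init` so that no provider is fetched or executed until the change has passed.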

Execution (Production)

Technique: Modify the configuration of Production environment
Description: Modify the configuration of the Production environment via stolen credentials
Mitigation:
  1. (Secret Manager) Rotate credentials regularly or issue temporary tokens only
  2. (Production environment) Network Restriction to Cloud API
  3. (Production environment) Enable Audit Logging
  4. (Production environment) Security Monitoring of data access
  5. (Production environment) Enforce the principle of least privilege for issued credentials
  6. (Production environment) Rate limiting

Technique: Deploy modified applications or server images to production environment
Description: Deploy modified applications or server images (e.g. container image, function, VM image) to the production environment via stolen credentials
Mitigation:
  1. (Secret Manager) Rotate credentials regularly or issue temporary tokens only
  2. (Git Repository) Require multi-party approval (peer review)
  3. (Production environment) Verify the signature of artifacts
  4. (Production environment) Network Restriction to Cloud API
  5. (Production environment) Enable Audit Logging
  6. (Production environment) Security Monitoring of deployment
  7. (Production environment) Enforce the principle of least privilege for issued credentials
  8. (Production environment) Rate limiting

Persistence

Technique: Compromise CI/CD Server
Description: Compromise the CI/CD Server from the pipeline
Mitigation:
  1. (CI, CD) Clean environment created on every pipeline run

Technique: Implant CI/CD runner images
Description: Implant container images for CI/CD with malicious code to establish persistence
Mitigation:
  1. Use signed/trusted CI runners only
  2. Implement strict access controls to the container registry
  3. (CI, CD) Audit Logging of activities

Technique: Modify CI/CD Configuration
Description: (Repeated; see Execution)

Technique: Inject code to IaC configuration
Description: (Repeated; see Execution)

Technique: Inject code to source code
Description: (Repeated; see Execution)

Technique: Inject bad dependency
Description: (Repeated; see Execution)
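The Execution table's mitigation "Add a signature to the CI/CD config and verify it" (against the Modify CI/CD Configuration technique repeated here under Persistence) can be implemented as a signed digest manifest that the pipeline checks before it honours any workflow file. This is an added example, not code from the matrix or from Mercari; the key, the config path list and the repository snapshot are constructed, and HMAC stands in for an asymmetric signature so the block needs only the standard library (in production an asymmetric scheme would let the CI server hold only a public key).

```python
import hashlib
import hmac
import json

# CI config paths named in the Execution table; anything under .github/workflows/ counts too.
CI_CONFIG_FILES = {".circleci/config.yml", "buildspec.yml", "cloudbuild.yaml"}

def is_ci_config(path: str) -> bool:
    return path in CI_CONFIG_FILES or path.startswith(".github/workflows/")

def _digests(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of every CI config file in the checkout, keyed by path."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in sorted(files.items()) if is_ci_config(p)}

def _tag(digests: dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON of the digest map (stand-in for an asymmetric signature)."""
    payload = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Run by the release owner after review; the key lives in the secret manager, never in the repo."""
    digests = _digests(files)
    return {"files": digests, "tag": _tag(digests, key)}

def verify_manifest(files: dict[str, bytes], manifest: dict, key: bytes) -> list[str]:
    """Run by the pipeline before it honours any config; a non-empty result means refuse to run."""
    problems = []
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["tag"]):
        problems.append("manifest tag does not verify")
    for path, digest in _digests(files).items():
        signed = manifest["files"].get(path)
        if signed is None:
            problems.append(f"{path}: CI config not covered by the signed manifest")
        elif signed != digest:
            problems.append(f"{path}: content differs from the signed digest")
    for path in manifest["files"]:
        if path not in files:
            problems.append(f"{path}: signed CI config missing from the checkout")
    return problems

# Constructed demo key and repository snapshot (the real key would come from the secret manager).
DEMO_KEY = b"demo-key-from-secret-manager"
WORKFLOW = b"on: [push]\njobs:\n  test:\n    steps:\n      - run: make test\n"
REPO = {".github/workflows/ci.yaml": WORKFLOW, "src/app.py": b"print('hello')\n"}
MANIFEST = sign_manifest(REPO, DEMO_KEY)

def scenarios() -> dict[str, list[str]]:
    """Reviewed state, a source-only change, a tampered workflow, and a smuggled extra workflow."""
    return {
        "clean": verify_manifest(REPO, MANIFEST, DEMO_KEY),
        "source_change": verify_manifest({**REPO, "src/app.py": b"print('hi')\n"}, MANIFEST, DEMO_KEY),
        "tampered": verify_manifest(
            {**REPO, ".github/workflows/ci.yaml": WORKFLOW.replace(b"make test", b"make deploy")},
            MANIFEST, DEMO_KEY),
        "extra": verify_manifest({**REPO, ".github/workflows/nightly.yaml": b"on: schedule\n"}, MANIFEST, DEMO_KEY),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result or 'OK, config is trusted'}")
```

Source-only changes verify cleanly because only CI config paths are covered, so the manifest needs re-signing only when a reviewed change touches the pipeline definition.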

Privilege Escalation

Technique: Get credential for Deployment (CD) on CI stage
Description: Get a high-privilege credential in the CI stage (not CD)
Mitigation:
  1. (CI, CD) Limit the scope of credentials in each step
  2. (CI) Always enforce Least Privilege. CI (not CD) must not have credentials for deployment
  3. (CI, CD) Use different identities for CI and CD
  4. (CI, CD) Maintain strong isolation between CI and CD

Technique: Privilege Escalation and compromise other CI/CD pipeline
Description: Privilege Escalation from the CI/CD environment to other components
Mitigation:
  1. (CI, CD) Hardening of CI/CD pipeline servers
  2. (CI, CD) Isolate the CI/CD pipeline from other systems

Defense Evasion

Technique: Add Approver using Admin permission
Description: Change the approver using Git Repository Service admin permission
Mitigation:
  1. (Git Repository) Limit admin users
  2. (Git Repository) Require multi-party approval (peer review)

Technique: Bypass Review
Description: Bypass peer review of the Git Repository
Mitigation:
  1. (Git Repository) Restrict repository admins from pushing to the main branch without a review
  2. (CD) Require additional approval from a reviewer to kick off CD

Technique: Access to Secret Manager from CI/CD kicked by different repository
Description: Use a CI/CD system in a different repository to leverage stolen credentials to access the secret manager
Mitigation:
  1. (Secret Manager) Restrict and separate access from different workloads

Technique: Modify Caches of CI/CD
Description: Implant bad code into the caches of the CI/CD pipeline
Mitigation:
  1. (CI, CD) Clean environment on every pipeline run

Technique: Implant CI/CD runner images
Description: (Repeated; see Persistence)

Credential Access

Technique: Dumping Env Variables in CI/CD
Description: Dump environment variables in CI/CD
Mitigation:
  1. (CI, CD) Don't use environment variables for storing credentials
  2. (Secret Manager) Use a secret manager which has network restriction
  3. (Secret Manager) Enable Audit Logging
  4. (Secret Manager) Security Monitoring to detect malicious activity
  5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only
  6. (CI, CD) Enable Audit Logging
  7. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Access to Cloud Metadata
Description: Access the cloud metadata service to get an access token for cloud resources
Mitigation:
  1. (CI, CD) Restrict metadata access from suspicious processes
  2. (Secret Manager) Use a secret manager which has network restriction
  3. (Secret Manager) Enable Audit Logging
  4. (Secret Manager) Security Monitoring to detect malicious activity
  5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only
  6. (CI, CD) Enable Audit Logging
  7. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Read credentials file
Description: Read a credentials file mounted in the CI/CD pipeline
Mitigation:
  1. (CI, CD) Disable or mask the contents of files in CI/CD results
  2. (Secret Manager) Use a secret manager which has network restriction
  3. (Secret Manager) Enable Audit Logging
  4. (Secret Manager) Security Monitoring to detect malicious activity
  5. (Secret Manager) Rotate credentials regularly or issue temporary tokens only
  6. (CI, CD) Enable Audit Logging
  7. (CI, CD) Security Monitoring using IDS/IPS and EDR

Technique: Get credential from CI/CD Admin Console
Description: See credentials from the CI/CD admin console
Mitigation:
  1. (CI, CD) Don't use CI/CD services that expose credentials in the system console

Lateral Movement

Technique: Exploitation of Remote Services
Description: Exploit services from the CI/CD Pipeline
Mitigation:
  1. (CI, CD) Isolate CI/CD pipeline systems from other services

Technique: (Monorepo) Get credential of different folder's context
Description: In a monorepo architecture of the Git Repository there are many approvers, so access controls need to be set carefully
Mitigation:
  1. (Git Repository) Set an approver for each folder
  2. (CI, CD, Secret Manager) Avoid sharing the CI/CD environment and credentials between different folders
  3. (CI, CD) Isolate by environment folder or context

Technique: Privilege Escalation and compromise other CI/CD pipeline
Description: (Repeated; see Privilege Escalation)

Exfiltration

Technique: Exfiltrate data in Production environment
Description: Exfiltrate data from the Production environment via stolen credentials
Mitigation:
  1. (CI, CD) Don't put data access credentials in CI/CD
  2. (Production environment) Network Restriction to Cloud API
  3. (Production environment) Enable Audit Logging
  4. (Production environment) Security Monitoring of data access
  5. (Production environment) Enforce the principle of least privilege for issued credentials
  6. (Production environment) Rate limiting

Technique: Clone Git Repositories
Description: Exfiltrate data from Git Repositories
Mitigation:
  1. (Git Repository) Network Restriction
  2. (Git Repository) Use temporary tokens instead of long-lived static tokens
  3. (Git Repository) Limit the access permission of each developer (e.g. no write permission, limited read permission)
  4. (Git Repository) Enable Audit Logging
  5. (Git Repository) Security Monitoring of data access
  6. (Git Repository) Rate limiting

Impact

Technique: Denial of Service
Description: Denial of Service against the CI/CD pipeline
Mitigation:
  1. (CI, CD) Scalable infrastructure

This threat map is published in conjunction with the presentation "Attacking and Securing CI/CD Pipeline" at CODE BLUE 2021 Opentalks.

Common Question

Supply-chain attacks are the only risk of CI/CD pipeline, correct?

Supply-chain attacks are one of the most serious risks, but they are not the only risk to CI/CD Pipelines. The entire attack surface needs to be considered. See my slides "Attacking and Securing CI/CD Pipeline" to learn about the risks of CI/CD pipelines.

https://github.com/rung/threat-matrix-cicd