CI/CD Automation: Secure Your Pipeline with PQC
Automate encryption in your CI/CD pipeline - quantum-protect artifacts and secrets
🚀 Integrate with GitHub Actions in 10 minutes
Quick Start: GitHub Actions Integration
Estimated time: 10 minutes What you'll achieve: Encrypt build artifacts with ML-KEM in CI/CD Requirements: GitHub repository, AnkaSecure API token
Step 1/3: Add AnkaSecure secret (2 minutes)
GitHub: Settings → Secrets → New repository secret
Step 2/3: Create workflow (5 minutes)
.github/workflows/encrypt-artifacts.yml:
name: Build and Encrypt Artifacts
on: [push]
jobs:
build-encrypt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build application
run: |
mvn clean package
# Produces: target/myapp-1.0.0.jar
- name: Encrypt artifact with AnkaSecure
run: |
curl -X POST https://api.ankatech.co/encrypt \
-H "Authorization: Bearer ${{ secrets.ANKASECURE_TOKEN }}" \
-F "algorithm=ML_KEM_1024" \
-F "file=@target/myapp-1.0.0.jar" \
-o target/myapp-1.0.0.jar.enc
- name: Upload encrypted artifact
uses: actions/upload-artifact@v3
with:
name: encrypted-app
path: target/myapp-1.0.0.jar.enc
Step 3/3: Test encryption (3 minutes)
# Trigger workflow (push to GitHub)
git add .github/workflows/encrypt-artifacts.yml
git commit -m "Add AnkaSecure encryption to CI/CD"
git push
# Download encrypted artifact from GitHub Actions UI
# Or via GitHub CLI:
gh run download
✅ Result: Build artifacts quantum-encrypted automatically!
🎯 Benefit: Zero manual encryption (automated in every build)
What's next? - Jenkins integration: Jenkinsfile example - GitLab CI: GitLab CI/CD config - Sign releases: Code signing in CI/CD
Why Encrypt in CI/CD?
Problem 1: Artifact Repositories (Nexus, Artifactory)
Traditional approach (no encryption):
With AnkaSecure:
Build → Encrypt JAR → Upload encrypted to Nexus
↓
Stored as ciphertext ✅
(quantum-resistant, even if Nexus compromised)
Security: Source code/binaries protected in artifact repository
Problem 2: Pipeline Secrets (API Keys, Credentials)
Traditional approach (GitHub Secrets):
GitHub Secrets are base64-encoded ⚠️ (NOT encrypted at rest)
If GitHub compromised → All secrets exposed
With AnkaSecure (encrypted secrets):
# Encrypt secret BEFORE storing in GitHub
SECRET_ENCRYPTED=$(curl -X POST https://api.ankatech.co/encrypt \
-H "Authorization: Bearer $TOKEN" \
-d '{"algorithm":"ML_KEM_1024","plaintext":"my-api-key"}' \
| jq -r '.ciphertext')
# Store encrypted in GitHub
gh secret set MY_API_KEY --body "$SECRET_ENCRYPTED"
In workflow:
- name: Use encrypted secret
run: |
# Decrypt at runtime
SECRET=$(curl -X POST https://api.ankatech.co/decrypt \
-H "Authorization: Bearer ${{ secrets.ANKASECURE_TOKEN }}" \
-d "{\"ciphertext\":\"${{ secrets.MY_API_KEY }}\"}" \
| jq -r '.plaintext')
# Use secret
curl -H "Authorization: Bearer $SECRET" https://api.example.com
Benefit: Secrets encrypted at rest (defense-in-depth)
Problem 3: Code Signing (Software Supply Chain)
Problem: Malicious actor injects backdoor into release
Solution: Quantum-resistant code signing
# Sign release artifact with ML-DSA
curl -X POST https://api.ankatech.co/sign \
-d '{
"algorithm": "ML_DSA_87",
"document": "myapp-1.0.0.jar",
"purpose": "CODE_SIGNING"
}'
Users verify before installation:
# Verify signature (quantum-resistant verification)
curl -X POST https://api.ankatech.co/verify \
-d '{
"algorithm": "ML_DSA_87",
"document": "myapp-1.0.0.jar",
"signature": "eyJhbGc..."
}'
Security: Malicious firmware rejected (signature invalid)
CI/CD Platform Integration
Jenkins Integration
Jenkinsfile:
pipeline {
agent any
environment {
ANKASECURE_TOKEN = credentials('ankasecure-token')
}
stages {
stage('Build') {
steps {
sh 'mvn clean package'
}
}
stage('Encrypt Artifact') {
steps {
sh '''
curl -X POST https://api.ankatech.co/encrypt \
-H "Authorization: Bearer ${ANKASECURE_TOKEN}" \
-F "algorithm=ML_KEM_1024" \
-F "file=@target/myapp.jar" \
-o target/myapp.jar.enc
'''
}
}
stage('Upload to Nexus') {
steps {
nexusArtifactUploader(
artifacts: [[file: 'target/myapp.jar.enc']],
repository: 'releases'
)
}
}
}
}
Result: Every Jenkins build produces quantum-encrypted artifact
GitLab CI Integration
.gitlab-ci.yml:
stages:
- build
- encrypt
- deploy
build:
stage: build
script:
- mvn clean package
encrypt:
stage: encrypt
script:
- curl -X POST https://api.ankatech.co/encrypt
-H "Authorization: Bearer $ANKASECURE_TOKEN"
-F "algorithm=ML_KEM_1024"
-F "file=@target/myapp.jar"
-o target/myapp.jar.enc
artifacts:
paths:
- target/myapp.jar.enc
deploy:
stage: deploy
script:
- scp target/myapp.jar.enc server:/deployments/
CircleCI Integration
.circleci/config.yml:
version: 2.1
jobs:
build-and-encrypt:
docker:
- image: cimg/openjdk:17.0
steps:
- checkout
- run:
name: Build
command: mvn package
- run:
name: Encrypt with AnkaSecure
command: |
curl -X POST https://api.ankatech.co/encrypt \
-H "Authorization: Bearer $ANKASECURE_TOKEN" \
-F "file=@target/myapp.jar" \
-o target/myapp.jar.enc
- store_artifacts:
path: target/myapp.jar.enc
Code Signing Pipeline
Sign Every Release
Workflow (.github/workflows/release.yml):
name: Release Signing
on:
push:
tags:
- 'v*' # Trigger on version tags (v1.0.0, v2.0.0)
jobs:
sign-release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build release
run: mvn clean package
- name: Sign with ML-DSA (quantum-resistant!)
run: |
curl -X POST https://api.ankatech.co/sign \
-H "Authorization: Bearer ${{ secrets.ANKASECURE_TOKEN }}" \
-d '{
"algorithm": "ML_DSA_87",
"document": "target/myapp-${{ github.ref_name }}.jar",
"purpose": "CODE_SIGNING"
}' > signature.json
- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
files: |
target/myapp-*.jar
signature.json
Users verify download:
# Download release + signature
gh release download v1.0.0
# Verify signature
curl -X POST https://api.ankatech.co/verify \
-d @signature.json
Security: Malicious releases detected (signature won't verify)
Secrets Management in CI/CD
Encrypt Environment Variables
Problem: .env files in Git (bad practice, but common)
Solution: Encrypt .env file, commit ciphertext
# Encrypt .env file
curl -X POST https://api.ankatech.co/encrypt \
-F "algorithm=ML_KEM_1024" \
-F "[email protected]" \
-o .env.enc
# Commit encrypted version (safe to commit!)
git add .env.enc
git commit -m "Add encrypted environment config"
# .gitignore the plaintext .env
echo ".env" >> .gitignore
In CI/CD:
- name: Decrypt .env
run: |
curl -X POST https://api.ankatech.co/decrypt \
-H "Authorization: Bearer ${{ secrets.ANKASECURE_TOKEN }}" \
-F "[email protected]" \
-o .env
# Load into environment
export $(cat .env | xargs)
Benefit: .env.enc can be in Git (quantum-encrypted, no secrets exposure)
Performance Optimization
Cache Encryption Results
Problem: Re-encrypting same artifact every build (wasteful)
Solution: Cache based on file hash
- name: Encrypt artifact (with caching)
run: |
FILE_HASH=$(sha256sum target/myapp.jar | cut -d' ' -f1)
# Check if already encrypted
if curl -f https://cache.mycompany.com/$FILE_HASH.enc; then
echo "Using cached encrypted version"
curl -o target/myapp.jar.enc https://cache.mycompany.com/$FILE_HASH.enc
else
# Encrypt fresh
curl -X POST https://api.ankatech.co/encrypt \
-F "file=@target/myapp.jar" \
-o target/myapp.jar.enc
# Cache for future builds
curl -X PUT https://cache.mycompany.com/$FILE_HASH.enc \
--data-binary @target/myapp.jar.enc
fi
Speedup: 10× faster for cache hits (0.5s download vs 5s encrypt + upload)
What's Next?
Automate your pipeline: - 🚀 GitHub Actions quick start (10-minute integration) - 📥 Download CI/CD templates (Jenkins, GitLab, CircleCI, Azure DevOps) - 📥 Download signing workflow (code signing automation) - 📧 Request DevOps consultation (pipeline optimization)
Related automation: - IoT device provisioning - Kubernetes deployment
Have questions? Email [email protected]
Last updated: 2026-01-07 | Works with GitHub Actions, Jenkins, GitLab CI, CircleCI, Azure DevOps, TeamCity