Skip to main content

Introduction

What is Cimon

Cimon (pronounced "Simon") is a comprehensive CI/CD security platform that protects your build pipelines from software supply-chain attacks. Using eBPF technology, Cimon monitors and controls process execution, network connections, and file access at the kernel level: detecting and stopping attacks as they happen, not after the damage is done.

Cimon provides three core capabilities:

  • Runtime Security. Real-time detection and prevention of supply-chain attacks during builds, with build hardening rules that block known attack patterns.
  • SLSA Attestation. Generate signed SLSA provenance attestations for your build artifacts, establishing a verifiable chain of trust.
  • SBOM Generation. Build-time software bill of materials using runtime observation, capturing actual dependencies used during compilation rather than relying on static manifest parsing.

The Threat Landscape

CI/CD pipelines are the primary target for modern supply-chain attacks. Attackers compromise build environments to steal credentials, tamper with artifacts, and inject malicious code into production releases.

Recent Supply-Chain Attacks Mitigated by Cimon
  • trivy-action / TeamPCP (Mar 2026). Compromised GitHub Actions used to dump secrets and read process memory from CI runners.
  • LiteLLM (Mar 2026). Malicious PyPI package installed a reverse shell backdoor and exfiltrated crypto wallet credentials during pip install.
  • Telnyx / TeamPCP (Mar 2026). Python stdin execution used to run piped payloads and connect to raw C2 IP addresses.
  • tj-actions/changed-files (Mar 2025). Compromised GitHub Action exfiltrated CI secrets via base64-encoded HTTP requests. Over 23,000 repositories affected.
  • reviewdog/action-setup (Mar 2025). Attacker read process memory (/proc/PID/mem) to extract secrets from GitHub Actions runners.
  • Ultralytics (Dec 2024). Malicious code injected via GITHUB_ENV manipulation, hijacking workflow environment variables.
  • CodeCov (Apr 2021) and SolarWinds (2020). Landmark attacks that compromised build pipelines to inject malicious code into software updates distributed to thousands of organizations.

Whether it is TypoSquatting, Dependency Confusion, RepoJacking, or Dependency Poisoning, these attacks all attempt the same actions:

  • Exfiltrate sensitive data (secrets, tokens, credentials) from the build server
  • Tamper with build artifacts, source code, or environment variables
  • Persist by installing backdoors or modifying package manager configurations

Cimon prevents attackers from performing these actions regardless of how they entered the build environment.

How Cimon Works

Cimon operates in two phases:

  1. Detect mode. Learn your pipeline's normal behavior by monitoring process execution, network connections, and file access. Cimon generates a security profile and reports any suspicious activity without blocking it.
  2. Prevent mode. Enforce the learned security policy. Any deviation (unauthorized network connections, credential file reads, suspicious process execution) is blocked in real time.

In addition, Cimon's build hardening engine applies pre-built detection rules for known attack patterns: no learning phase required. Hardening rules detect credential theft, reverse shells, environment variable injection, and other techniques used in real-world attacks.

Why Cimon

Our philosophy is maximum protection with minimal friction. Cimon can deliver production-grade pipeline security in minutes:

  • Install-and-forget. Add a single step to your CI workflow. Hardening rules protect against known attacks immediately.
  • Deep inspection. Security engineers get full process trees, network connection logs, and file access reports to investigate incidents.
  • Compliance-ready. Generate SLSA provenance attestations and build-time SBOMs to meet supply-chain security requirements.

Get started in five minutes, or explore the Configuration Reference for advanced settings.

Cimon With Cycode

Cycode enhances the capabilities of Cimon and allows the following:

  • Browse all reports to gain visibility across the organization.
  • Establishing workflows for incident response and remediation when violations occur.
  • Easier configuration creation through company-wide allow-lists.
  • Build policy can be managed remotely within the platform.
  • Incorporating the latest compliance frameworks, such as SLSA and SSDF, into Cimon's capabilities.
  • And more.

If you are interested, please contact us via book a demo.