A CI/CD runner is the worker machine or container that executes automated build, test, and deployment jobs in a software pipeline. It often receives credentials at runtime, such as source-control tokens, package-publishing keys, cloud API keys, or signing secrets, so it can compile code, fetch dependencies, and deploy releases.
This makes runners a high-value target. If malicious code runs during a build job, it may steal secrets from environment variables, files, or mounted credentials, then use them to publish malware, alter artifacts, or access adjacent systems. In supply-chain attacks, an attacker may hide hostile logic in a dependency, a build script, or a compromised workflow so the runner executes it automatically. Defenses include isolating runners, using short-lived scoped secrets, limiting network access, disabling untrusted scripts where possible, and ensuring secrets are rotated quickly if a job is suspect.
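To illustrate scoping secrets to the step that needs them, the following added example (not part of the original text) launches each job step with an allowlisted environment, so a dependency's install script never inherits tokens meant for a later publish step. The variable names, the allowlist and the helper functions are assumptions made for the example, and the runner is assumed to be a POSIX host with the `env` utility.

```python
import os
import subprocess

# Variables a build step legitimately needs; everything else is dropped.
# This allowlist is an assumption for the example, not a standard.
SAFE_ENV = ("PATH", "HOME", "LANG", "TMPDIR")

# Constructed runner environment; names and values are made up.
RUNNER_ENV = {
    "PATH": os.environ.get("PATH") or "/usr/bin:/bin",
    "HOME": "/tmp",
    "SCM_TOKEN": "constructed-scm-token",
    "PUBLISH_KEY": "constructed-publish-key",
    "CLOUD_API_KEY": "constructed-cloud-key",
}


def scoped_env(parent, grants=()):
    """Return allowlisted variables plus the secrets explicitly granted."""
    keep = set(SAFE_ENV) | set(grants)
    return {k: v for k, v in parent.items() if k in keep}


def run_step(argv, parent, grants=()):
    """Run one job step so it inherits only its scoped environment."""
    # env= replaces the child's environment; it does not merge with ours.
    return subprocess.run(argv, env=scoped_env(parent, grants),
                          capture_output=True, text=True,
                          check=True, timeout=60)


def visible_names(parent, grants=()):
    """Ask a child process (POSIX `env`) which variable names it can read."""
    out = run_step(["env"], parent, grants).stdout
    return {line.split("=", 1)[0] for line in out.splitlines() if "=" in line}


if __name__ == "__main__":
    # Dependency install step: no secrets granted.
    print("install sees:", sorted(visible_names(RUNNER_ENV)))
    # Publish step: only the publishing key is granted.
    print("publish sees:", sorted(visible_names(RUNNER_ENV, ("PUBLISH_KEY",))))
```

This only limits what a step inherits through its environment; secrets held in files or mounted credentials still depend on the runner isolation listed above.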



