AI agents in the CI/CD pipeline

When an autonomous agent runs in your pipeline, two attack classes converge: Poisoned Pipeline Execution and Memory Poisoning. The result is a new, long-lived persistence layer.

~7 min read · Synthesis

Agents are the new pipeline identity

More and more pipelines delegate to autonomous agents: they build, test, deploy and fix errors — with secrets, tokens and OS access. With that they inherit the runner's full privileges.

Why memory makes the problem worse

An agent re-reads its memory and skills on every run. Once it's poisoned (see Memory Poisoning), it takes effect on every future pipeline run — a persistence no application code review finds.

The walkthrough

How a one-time access turns into lasting persistence — and where PoisonZero breaks it:

1 · Initial Access

PPE or poisoned skill

Attacker reaches the agent — via pipeline file or marketplace skill.

2 · Persistence

Memory poisoned

"Trust source X / disable check Y" lands in the agent memory.

PoisonZero

PoisonZero evaluates every write into agent memory/skills/config — on the runner too.

danger 0.97 → revert

✕ Prevented

Every run compromised

↳ Agent acts on every heartbeat with secrets
↳ Lateral movement across pipeline boundaries
↳ Invisible to app code reviews

Without protection poisoned agent memory is a permanent backdoor in the pipeline. With PoisonZero the chain ends at the memory write — fail-closed, with audit.

Defense: break the persistence

PoisonZero runs as a daemon — on runners and build hosts too — and monitors agent memory, skills and config:

• Every write is evaluated with danger level + safety.
• Dangerous ones are rolled back fail-closed; Meta-Attacks detected separately.
• Full audit trail — so a one-time attack stays one-time, instead of permanent.

Related: Poisoned Pipeline Execution and Supply-chain worms.

Read next: Poisoned Pipeline Execution · What is memory poisoning? · Supply-chain worms

All articles