Software supply-chain attacks increasingly exploit the automation and trust relationships embedded in continuous integration and continuous deployment pipelines, especially where open-source dependencies, build infrastructure, and artifact repositories intersect. Traditional pipeline defences often concentrate on static scanners and point controls, which can miss adversarial behaviours that look “legitimate” at the configuration level but are anomalous in execution, such as unusual dependency resolution patterns, suspicious build step invocations, or unauthorised release triggers.
This paper proposes a layered framework that combines DevSecOps controls with AI-driven anomaly detection over pipeline telemetry. The framework integrates dependency governance and provenance mechanisms, including software bill of materials generation and cryptographic integrity controls, then adds behavioural monitoring to detect deviations in pipeline activity across source, build, artifact, and deployment stages. The proposed methodology supports both prevention and detection strategies, and is designed to be implementable in widely used CI ecosystems where build logs and metadata are readily collected at scale.
Using quantitative indicators reported by pre two thousand and twenty-two empirical studies on malicious packages and registry abuse, we demonstrate how pipeline security evaluation can be anchored to measurable threat signals and validated through reproducible metrics and attack simulations aligned to observed real world patterns.