SSO + Zero-Day Protection for Drone CI

by Harness (Drone)

Add SAML/OIDC SSO to Drone CI — Secure Your Build Pipelines with Zero Trust Access

Why Drone CI Needs an Authenticated Proxy

Drone CI is a container-native continuous integration platform that automates build, test, and deployment pipelines using Docker containers. Self-hosted Drone instances contain pipeline configurations, build secrets, deployment credentials, and artifact repositories. A compromised Drone instance gives attackers access to your entire software supply chain. OnePAM eliminates this risk by placing an identity-aware proxy in front of Drone. Users authenticate via your corporate IdP, and only verified developers and DevOps engineers can trigger builds, view logs, or manage secrets.

HTTP Header Authentication (X-Forwarded-User)

Drone CI supports reverse proxy authentication where the authenticated user identity is passed via HTTP headers. OnePAM injects the verified identity after SSO authentication.

Drone CI Vulnerability Risks

Without an authenticated proxy, these risks are exposed to any attacker who can reach the Drone instance over the network.

Drone CI pipelines execute arbitrary code in containers with potential host access
Build secrets and deployment credentials stored in Drone can be exfiltrated
Pipeline configurations can be modified to inject malicious code into builds
Container escape vulnerabilities in Drone runners can compromise the host

Security Challenges with Drone CI

These are the risks organizations face when Drone CI is not behind an authenticated proxy.

Supply Chain Risk

Drone CI controls your build and deployment pipeline. A compromised instance means attackers can inject code into every release.

Secret Exposure

Build secrets, API keys, and deployment credentials stored in Drone are accessible to anyone with dashboard access.

Pipeline Tampering

Unauthorized users could modify .drone.yml configurations to introduce backdoors or exfiltrate data during builds.

Limited Auth Options

Drone's built-in authentication relies on OAuth with Git providers. It lacks SAML/OIDC enterprise SSO support.

Container Risks

Drone executes pipelines in Docker containers. Misconfigured runners can expose the host system.

No Session Auditing

Drone provides minimal audit logging for web sessions. Tracking who triggered which build is difficult.

How OnePAM Adds SSO + Zero-Day Protection to Drone CI

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Drone CI.

1. Deploy OnePAM in Front of Drone

Place OnePAM as the entry point for the Drone CI web interface.

Drone is configured to listen only on localhost. OnePAM becomes the sole entry point, authenticating every request.

2. Connect Your Identity Provider

Configure OnePAM with your SAML 2.0 or OIDC provider.

Users authenticate through your corporate IdP with MFA before accessing any Drone functionality.

3. Enable Proxy Authentication

OnePAM injects the verified user identity into HTTP headers for Drone.

Drone trusts the identity from OnePAM's headers, creating seamless SSO without separate Drone accounts.

4. Define Pipeline Access Policies

Control who can trigger builds, view secrets, and manage pipeline configurations.

OnePAM policies restrict Drone access by IdP group, IP range, and time window. Developers can trigger builds; only SREs can view secrets.

5. Audit All CI/CD Activity

Every Drone interaction is logged with corporate identity context.

Full audit trail of who triggered builds, viewed logs, or modified secrets — essential for supply chain security.
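A minimal version of the proxy-side header handling described under HTTP Header Authentication and in steps 1 and 3 above, written as an added Go example (not OnePAM's or Drone's own code): it rejects unauthenticated requests, strips any X-Forwarded-User header a client sent, and sets that header only from the verified identity. The authenticator, the session cookie and the localhost upstream address are constructed stand-ins.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Header the page says Drone reads the proxy-verified identity from.
const identityHeader = "X-Forwarded-User"
// authenticator is a hypothetical stand-in for the SSO session check:
// it returns the IdP-verified identity, or "" when the request is unauthenticated.
type authenticator func(r *http.Request) string

// sanitizeAndInject strips every client-supplied copy of the identity header (any
// letter case) before setting the verified value, so Drone never sees a client-chosen one.
func sanitizeAndInject(h http.Header, verifiedUser string) {
	for name := range h {
		if strings.EqualFold(name, identityHeader) {
			delete(h, name)
		}
	}
	if verifiedUser != "" {
		h.Set(identityHeader, verifiedUser)
	}
}

func newDroneProxy(upstream *url.URL, auth authenticator) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := auth(r)
		if user == "" {
			// Unauthenticated traffic is answered here and never forwarded to Drone.
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		sanitizeAndInject(r.Header, user)
		rp.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8080") // constructed: Drone bound to localhost only
	sessionAuth := func(r *http.Request) string { // constructed: replace with the real SSO check
		if c, err := r.Cookie("sso_session"); err == nil && c.Value == "valid" {
			return "dev@example.com"
		}
		return ""
	}
	http.ListenAndServe(":8443", newDroneProxy(upstream, sessionAuth))
}
```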

Benefits of Securing Drone CI with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Drone CI.

Protect Build Pipelines

Only authenticated developers can trigger builds or view pipeline configurations. Zero unauthorized access.

100% authenticated builds

Shield Build Secrets

Deployment credentials and API keys in Drone are inaccessible to unauthenticated users.

Zero secret exposure

Enterprise SSO for CI/CD

Replace Drone's Git-only OAuth with full SAML/OIDC SSO from your corporate IdP.

Corporate SSO for builds

Supply Chain Security

Prevent unauthorized pipeline modifications that could inject malicious code into your releases.

Tamper-proof pipelines

Instant Developer Offboarding

Disable a developer in your IdP and CI/CD access stops immediately. No orphan Drone accounts.

Real-time revocation

Complete Build Audit Trail

Every build trigger, secret access, and configuration change is logged with corporate identity.

Full CI/CD audit trail

Drone CI SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Drone CI.

SAML 2.0 & OIDC SSO for Drone CI via proxy auth
Build trigger access control by IdP group
Secret visibility policies per team
Pipeline configuration change auditing
Session recording for compliance
IP and geo-restriction for CI/CD access
Device trust verification
Time-based access windows for production deployments
Multi-instance Drone CI SSO support
API access control for Drone automation

Zero-Day Protection Features

Enterprise-grade security controls that shield Drone CI from exploitation.

Drone CI isolated from direct network access
Request-level authentication on every HTTP call
TLS encryption between OnePAM and Drone
Build secret access auditing
Header injection prevention
Automatic session invalidation on IdP sign-out

Drone CI SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Drone CI.

1. Development teams accessing CI/CD pipelines with corporate SSO and MFA
2. Restricting production deployment triggers to senior engineers with step-up authentication
3. Auditing build secret access for SOC 2 compliance
4. Securing Drone CI in restricted or regulated environments
5. Preventing unauthorized pipeline modifications in multi-team organizations
6. Providing read-only build log access to QA teams with session recording

Drone CI SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Drone CI.

Does OnePAM work with Drone CI's Docker runner?

Yes. OnePAM secures the Drone CI web interface and API. Docker runners continue executing pipelines normally behind OnePAM's authenticated proxy.

Can we still use Drone CLI with OnePAM?

Yes. OnePAM can be configured to allow API token authentication for the Drone CLI while requiring SSO for web dashboard access.

Does OnePAM support Drone's multi-machine setup?

Yes. OnePAM proxies to the Drone server. Runners communicate directly with the Drone server on the internal network.

How does OnePAM handle Drone webhooks from Git providers?

Webhooks from Git providers can be routed to bypass SSO authentication while all human-initiated requests require identity verification.

Can different teams have different Drone access levels?

Yes. OnePAM policies can restrict access by repository, pipeline, or Drone administrative function based on IdP groups.

Ready to Secure Drone CI with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Drone CI code changes required. Start your free 14-day trial today.