
SSO + Zero-Day Protection for Woodpecker CI

by Woodpecker CI Community

Add SAML/OIDC SSO to Woodpecker CI — Secure Your Lightweight CI/CD Platform

Why Woodpecker CI Needs an Authenticated Proxy

Woodpecker CI is a community fork of Drone CI, providing a lightweight, container-native continuous integration engine. Like Drone, Woodpecker executes pipelines in Docker containers and stores build secrets, deployment credentials, and pipeline configurations. OnePAM adds enterprise SSO to Woodpecker, ensuring only authorized developers can trigger builds, view logs, and manage CI/CD secrets.

HTTP Header Authentication: X-Forwarded-User

Woodpecker CI supports authentication via a trusted reverse proxy. OnePAM injects the verified user identity, and Woodpecker maps the session to the authenticated developer.

Woodpecker CI Vulnerability Risks

Without an authenticated proxy, the following risks are directly exploitable by any network-reachable attacker.

Woodpecker pipelines execute arbitrary code in containers
Build secrets and deployment credentials can be exfiltrated via pipelines
Pipeline configurations can be modified to inject malicious code
Container escape vulnerabilities in runners can compromise hosts

Security Challenges with Woodpecker CI

These are the risks organizations face when Woodpecker CI is not behind an authenticated proxy.

Supply Chain Attack Surface

Woodpecker controls your build pipeline. Compromised access means attackers can inject code into every software release.

Secret Management

Build secrets, registry credentials, and deployment tokens stored in Woodpecker are accessible to pipeline authors.

Git-Only OAuth

Woodpecker's built-in auth relies on Git provider OAuth. Enterprise SAML/OIDC SSO is not natively supported.

Pipeline Modification

Unauthorized users could modify pipeline files to run malicious commands during builds.

Container Risks

Pipelines run in Docker containers. Privileged containers or volume mounts can expose the host system.

Limited Audit Logging

Tracking who triggered builds, accessed secrets, or modified configurations requires external tooling.

How OnePAM Adds SSO + Zero-Day Protection to Woodpecker CI

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Woodpecker CI.

1. Deploy OnePAM as Woodpecker Proxy

Place OnePAM in front of the Woodpecker CI web interface.

Woodpecker accepts connections only from OnePAM. All interactive access is authenticated.

2. Configure Your Identity Provider

Connect OnePAM to your SAML/OIDC provider for corporate SSO.

Developers authenticate via your IdP with MFA before accessing CI/CD functionality.

3. Enable Proxy Authentication

OnePAM injects verified identity headers for Woodpecker.

Individual developer accountability for every build, secret access, and configuration change.

4. Define CI/CD Access Policies

Control build triggers, secret visibility, and admin functions by IdP group.

Developers trigger builds; SREs manage secrets; admins configure runners.

5. Audit Build Activity

Every CI/CD interaction is logged with corporate identity.

Complete audit trail for supply chain security and compliance.

Benefits of Securing Woodpecker CI with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Woodpecker CI.

Enterprise SSO for CI/CD

Add SAML/OIDC SSO to Woodpecker without modifying the application.

Corporate SSO for builds

Protect Build Secrets

Deployment credentials and API keys protected behind enterprise authentication.

Zero secret exposure

Supply Chain Security

Only authorized developers can trigger builds and modify pipeline configurations.

Authenticated builds only

Individual Accountability

Every build trigger attributed to a specific developer.

Individual accountability

Instant Offboarding

Disable a developer in your IdP and CI/CD access stops immediately.

Real-time revocation

Complete Audit Trail

Build triggers, secret access, and config changes logged with identity.

Full CI/CD audit trail

Woodpecker CI SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Woodpecker CI.

SAML 2.0 & OIDC SSO for Woodpecker CI
Build trigger access control by IdP group
Secret visibility policies per team
Session recording for compliance
IP and geo-restriction
Device trust verification
Time-based deployment windows
Pipeline configuration auditing
Multi-organization support
API access control

Zero-Day Protection Features

Enterprise-grade security controls that shield Woodpecker CI from exploitation.

Woodpecker isolated from direct network access
End-to-end TLS encryption
Request-level authentication
Build secret access auditing
Header injection prevention
Automatic session invalidation on IdP sign-out
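
The trust model behind the X-Forwarded-User header authentication and the "Header injection prevention" feature listed above, as an added Go example that is not OnePAM's or Woodpecker's own code. `SetVerifiedIdentity` and `TrustedUser` are hypothetical names, and the header values in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

const identityHeader = "X-Forwarded-User" // header named on this page

// isIdentityHeader matches the identity header regardless of case and treats
// "_" as "-", because some backends normalise the two to the same name.
func isIdentityHeader(name string) bool {
	return strings.EqualFold(strings.ReplaceAll(name, "_", "-"), identityHeader)
}

// SetVerifiedIdentity is the proxy-side step: drop every client-supplied copy of
// the identity header, then set the value taken from the verified SSO session.
func SetVerifiedIdentity(h http.Header, verifiedUser string) {
	for name := range h {
		if isIdentityHeader(name) {
			delete(h, name)
		}
	}
	if verifiedUser != "" { // no session: forward no identity at all
		h.Set(identityHeader, verifiedUser)
	}
}

// TrustedUser is the backend-side check: the header counts only when the TCP
// peer is the proxy itself and exactly one non-empty value is present.
func TrustedUser(r *http.Request, proxyIP net.IP) (string, bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || proxyIP == nil || !proxyIP.Equal(net.ParseIP(host)) {
		return "", false
	}
	vals := r.Header.Values(identityHeader)
	if len(vals) != 1 || strings.TrimSpace(vals[0]) == "" {
		return "", false
	}
	return vals[0], true
}

func main() {
	h := http.Header{"X-Forwarded-User": {"admin"}, "x_forwarded_user": {"admin"}} // constructed
	SetVerifiedIdentity(h, "alice@example.com")
	fmt.Println(h) // only the verified value remains
}
```

Both halves matter: stripping at the proxy is ineffective if the backend is also reachable directly, which is why the deployment steps require that Woodpecker accept connections only from the proxy.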

Woodpecker CI SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Woodpecker CI.

1. Development teams using Woodpecker CI with corporate SSO
2. Securing build secrets and deployment credentials
3. Auditing build triggers for supply chain compliance
4. Restricting production deployments to authorized engineers
5. Providing read-only build log access to QA teams
6. Migrating from Drone CI while maintaining SSO integration

Woodpecker CI SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Woodpecker CI.

How is Woodpecker CI different from Drone CI?

Woodpecker CI is a community fork of Drone CI. OnePAM provides the same SSO and security capabilities for both platforms.

Does OnePAM work with Woodpecker's agent mode?

Yes. OnePAM secures the Woodpecker server web interface. Agents communicate directly with the server on the internal network.

Can we use Woodpecker CLI with OnePAM?

Yes. OnePAM can allow API token authentication for the CLI while requiring SSO for web access.

Does OnePAM handle Woodpecker webhooks?

Yes. Git provider webhooks can be routed to bypass SSO while human requests require authentication.

Can we migrate from Drone CI to Woodpecker with OnePAM?

Yes. OnePAM provides the same SSO integration pattern for both platforms, making migration seamless.
