Modern companies are increasingly adopting automation for software deployment processes. Combining CI/CD and the GitOps approach makes it possible to update infrastructure quickly and without manual intervention. However, the more automation you have, the higher the risks if security is not properly configured.
This is especially critical when an application or infrastructure is deployed on a VPS connected to a public network. In such a scenario, a supply chain attack can lead to full server compromise and leakage of confidential data.

In this article, we will look at a set of measures that will help protect a VPS when using the GitOps methodology in CI/CD processes.

What is GitOps and Why It’s Vulnerable

GitOps is an approach in which all infrastructure and application configurations are stored in a Git repository. Any change to the configuration (through a pull request or merge) automatically updates the working environment via a CI/CD process.
This greatly simplifies management but at the same time creates a single point of potential attack — the configuration repository.

If compromised or accessed without authorization, an attacker can:

  • modify the deployment configuration;
  • insert malicious code into the pipeline;
  • obtain secrets (passwords, API keys);
  • install backdoors on the VPS.

That’s why security starts at the code repository level and is not limited to the server itself.

1. Protecting the Git Repository

1.1. Access Restrictions and the Principle of Least Privilege

Grant each user only the permissions they truly need. For example, a developer may have access to a specific branch but not to the production branch.

1.2. Two-Factor Authentication

Enable 2FA for all accounts in GitHub, GitLab, or Bitbucket. This reduces the risk of compromise through a stolen password.

1.3. Commit Signing

Use GPG signatures for commits and tags. This ensures that changes are made by an authorized user, not by an outsider.

1.4. Secret Scanning

Use tools like Gitleaks or TruffleHog to automatically check the repository for accidentally committed passwords, tokens, or SSH keys.

2. Building a Secure CI/CD Process

2.1. Environment Isolation

Testing and production environments must have different credentials and be physically or logically isolated. This prevents test experiments from affecting live services.

2.2. Secret Management

Do not store passwords and keys in code or in open environment variables. Use Vault, AWS Secrets Manager, HashiCorp Vault, or Kubernetes Secrets.

2.3. Code Checks Before Deployment

Implement automated checks:

  • Linting — detecting syntax errors.
  • Static Application Security Testing (SAST) — finding vulnerabilities in code.
  • Dependency scanning — checking libraries for known security issues.

2.4. Controlling Access to Runners

Use private CI/CD Runners to avoid the risk of compromise through shared public agents.

3. VPS Security in a GitOps Infrastructure

3.1. Timely Updates

Update the OS kernel, packages, and services. Outdated software is the main entry point for exploiting vulnerabilities.

3.2. Firewall Configuration

Restrict port access using UFW or iptables. Only necessary services should remain open.

3.3. SSH Protection

  • Disable password authentication — use keys only.
  • Change the default port 22 to a non-standard one.
  • Allow SSH access only from specific IP addresses.

3.4. Monitoring and Logging

Integrate Prometheus and Grafana for VPS monitoring and ELK Stack for real-time log analysis.

3.5. Backups

Perform regular backups of critical data. For additional security, use colocation or remote data centers.

4. SSL and Securing Data Transmission

The transfer of configurations, code, and secrets should take place only through encrypted channels.
Using SSL certificates:

  • protects data from interception;
  • guarantees server authenticity;
  • reduces the risk of “man-in-the-middle” (MITM) attacks.

5. Automated Security Auditing

Integrate the following checks into your pipeline:

  • SAST — static code analysis.
  • DAST — dynamic testing during application runtime.
  • IaC Scanning — checking Terraform/Ansible/Helm configurations.

It is recommended to automatically generate reports and send them to the DevSecOps team after each deployment.

Conclusion

Securing a VPS when using GitOps in CI/CD is a multi-step process:

  • from a secure repository and a controlled pipeline;
  • to a properly configured firewall and monitoring;
  • with mandatory encryption and regular backups.

By choosing a reliable VPS with modern security features, you gain stability and control, while proper GitOps configuration ensures fast and secure updates to your infrastructure.