This work addresses the vulnerability of AI agents in CI/CD pipelines to prompt injection attacks, which pose significant software supply chain security risks. The authors propose GitInject, a framework that systematically identifies and categorizes eleven distinct types of prompt injection attacks within real-world GitHub Actions workflows, demonstrating that their root cause lies in infrastructure configuration rather than inherent model flaws. Through dynamic repository deployment, execution of authentic workflows, and comparative evaluation across multiple AI service providers, the study reveals that all major AI platforms exhibit at least one such vulnerability under default settings. For each identified attack class, the paper further introduces practical, low-cost workflow-level mitigation strategies to enhance pipeline security.

AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present GitInject, an open-source framework for evaluating prompt injection vulnerabilities in real, live GitHub workflows, a widely deployed instance of CI/CD pipelines. Unlike prior agent security benchmarks that simulate tool calls, GitInject provisions ephemeral repositories and triggers actual workflow runs, so that sandbox constraints, credential handling, and permission boundaries behave exactly as in production. Using GitInject, we study workflow configurations across four AI providers and document eleven named attacks spanning config-file injection, credential exfiltration, judgment manipulation, and availability. We find that all tested providers are susceptible to at least one attack class in their default configuration, and that the most critical vulnerabilities are structural: they arise from how CI/CD infrastructure handles credentials and configuration files, not from any specific model's behavior. For each confirmed attack class, we identify the minimum-cost workflow-level countermeasure and analyze its coverage and limitations. GitInject is released publicly to facilitate further research in this direction.