# Third-Party and Integration Security

![Third-Party and Integration Security](/files/QjZc2jPmJfvzIz2nwHbF)

> **Section focus:** Third-Party and Integration Security.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page                                                                                                                                                                          | Why open it first                                                |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| [📦 Marketplace, Actions, Images, Helm, and Public Component Review](/devsecops-cicd-and-supply-chain/index-2/marketplace-actions-images-helm-and-public-component-review.md) | High-value page inside **Third-Party and Integration Security**. |
| [🔄 Webhooks, OAuth, and SaaS Integration Security](/devsecops-cicd-and-supply-chain/index-2/webhooks-oauth-and-saas-integration-security.md)                                 | High-value page inside **Third-Party and Integration Security**. |
| [🏃 Vendor Agents, Runners, and Build-Integration Trust Boundaries](/devsecops-cicd-and-supply-chain/index-2/vendor-agents-runners-and-build-integration-trust-boundaries.md) | High-value page inside **Third-Party and Integration Security**. |

### Related sections

* [Stack-Specific Secure Engineering](/application-security-and-secure-sdlc/index-4.md)
* [Learning Paths and Labs](/learning-labs-interview-and-templates/index-2.md)

***

> **Intro:** Product teams inherit real risk from third-party pipeline components, SaaS integrations, agents, runners, widgets, and public artifacts. This section helps reviewers decide when convenience becomes too much trust.
>
> **What this page includes**
>
> * public component and marketplace review
> * webhook and OAuth integration trust decisions
> * agents, runners, and build integration trust boundaries
> * onboarding, ownership, and offboarding discipline

### Section map

| Page                                                                                                                                                                                                                            | Why it belongs here                                                       |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- |
| [Marketplace, Actions, Images, Helm, and Public Component Review](/devsecops-cicd-and-supply-chain/index-2/marketplace-actions-images-helm-and-public-component-review.md)                                                      | Establishes review basics for public reusable components.                 |
| [Webhooks, OAuth, and SaaS Integration Security](/devsecops-cicd-and-supply-chain/index-2/webhooks-oauth-and-saas-integration-security.md)                                                                                      | Covers common integration trust decisions inside products.                |
| [Vendor Agents, Runners, and Build-Integration Trust Boundaries](/devsecops-cicd-and-supply-chain/index-2/vendor-agents-runners-and-build-integration-trust-boundaries.md)                                                      | Focuses on components that execute code or touch sensitive runtime paths. |
| [GitHub Actions and GitLab Components Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/21-third-party-and-integration-security/github-actions-and-gitlab-components-review-playbook.md)             | Deepens source trust, version pinning, and secret-minimization review.    |
| [Third-Party Component Onboarding and Offboarding](https://github.com/D3One/Product-Security-Gitbook/blob/main/21-third-party-and-integration-security/third-party-component-onboarding-and-offboarding.md)                     | Adds ownership, inventory, and retirement discipline.                     |
| [Vendor Security Questionnaire for Engineering Integrations](https://github.com/D3One/Product-Security-Gitbook/blob/main/21-third-party-and-integration-security/vendor-security-questionnaire-for-engineering-integrations.md) | Provides a short due-diligence template for engineering-facing vendors.   |

### Design bias

Treat external automation, plugins, and reusable components as **trusted code with a lifecycle**, not as static dependencies that can be approved once and forgotten.

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

### Strong companion page

* [API Authorization, Business-Flow Abuse, and Third-Party API Consumption](/architecture-api-crypto-and-identity/index/api-authorization-business-flows-and-third-party-api-consumption.md)
