Secrets committed to repositories (even in history after removal) - Branch protection bypass allowing malicious Dockerfile modifications - Dependency confusion in package managers referenced by Dockerfiles - Webhook hijacking to trigger unauthorized builds