Title | Pipelines Under Pressure: An Empirical Study of Security Misconfigurations of GitHub Workflows |
Publication Type | Conference Paper |
Year of Publication | 2025 |
Authors | Riggio, E., and C. Pautasso |
Conference Name | 26th International Conference on Product-Focused Software Process Improvement (PROFES) |
Month | December |
Conference Location | Salerno, Italy |
Keywords | CI/CD Build Pipeline, DevOps, GitHub Actions, Security Misconfigurations, Workflows |
Abstract | Continuous Integration and Continuous Deployment (CI/CD) pipelines have grown in popularity in recent years and are essential to streamlining the development and deployment of high-quality software. However, developers often overlook security concerns in CI/CD pipelines, opening the door to many vulnerabilities. This paper presents an empirical investigation of nine security misconfigurations sourced from a comprehensive review of security guidelines, developer blogs, GitHub documentation, and prior research. To study the presence, co-occurrence and yearly trends of these security misconfigurations within current CI/CD practices, we analyzed a large dataset containing the most recent version of over 200,000 GitHub workflow specification files taken from open source repositories. To support this study, we developed Soteria, a static analysis tool equipped with custom detectors that systematically identify security misconfigurations. Given that less than 1% of the analyzed workflows are free of any misconfiguration, our detection tool helps raise awareness of widespread security misconfigurations. Our findings challenge conventional practices and motivate the need for an urgent shift in how security principles are systematically applied in the development and operation of CI/CD pipelines, with more robust and finer-grained security controls. |
Citation Key | 2025:profes |
Refereed Designation | Refereed |
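The abstract describes Soteria as a static analyzer with per-misconfiguration detectors run over workflow YAML, but the page does not list the nine misconfigurations or show what a detector looks like. The following is an added example written by the editor, not Soteria and not the paper's detectors: a small line-oriented scanner for four misconfigurations that GitHub's own hardening guidance warns about (actions not pinned to a full commit SHA, `write-all` or no `permissions` block for `GITHUB_TOKEN`, a `pull_request_target` workflow checking out the PR head, and contributor-controlled contexts such as a PR title interpolated into a `run` script). The rule names, regexes, sample workflows and the 40-hex commit identifiers in them are all constructed here for illustration.

```python
"""Editor's example: a line-oriented detector for four well-known GitHub
Actions misconfigurations. Not Soteria, not the paper's nine detectors;
rules, sample workflows and the commit SHAs below are constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
PRT_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_REF_RE = re.compile(
    r"\bref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\b")
# Expression contexts an outside contributor controls (PR/issue titles,
# bodies, branch names, ...). Not exhaustive; a real tool would keep a list.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:issue|pull_request|comment|review|"
    r"review_comment|discussion|workflow_run)\.[\w.]*?(?:title|body|ref|message|name|email)\b)"
)


def scan_workflow(text):
    """Return [(line_no, rule, detail)] for one workflow file's text.
    line_no 0 means the finding applies to the file as a whole."""
    findings = []
    lines = text.splitlines()
    uses_prt = PRT_RE.search(text) is not None
    in_run, run_col = False, 0          # state for multi-line `run: |` blocks
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if in_run:
            indent = len(line) - len(line.lstrip())
            if stripped and indent <= run_col:
                in_run = False          # script block ended; process this line normally
            else:
                m = UNTRUSTED_RE.search(line)
                if m:                   # untrusted value expanded into shell text
                    findings.append((no, "untrusted-input-in-run", m.group(0)))
                continue
        if not stripped or stripped.startswith("#"):
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group(2).startswith(("|", ">")):
                in_run, run_col = True, len(m.group(1))
            elif UNTRUSTED_RE.search(m.group(2)):
                findings.append((no, "untrusted-input-in-run", m.group(2)))
            continue
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            if not target.startswith(("./", "docker://")):   # local/docker refs are out of scope
                ref = target.rsplit("@", 1)[1] if "@" in target else ""
                if not SHA_RE.match(ref):                    # tag or branch: mutable
                    findings.append((no, "unpinned-action", target))
            continue
        if stripped.startswith("permissions:") and "write-all" in stripped:
            findings.append((no, "write-all-permissions", stripped))
        if uses_prt and PR_HEAD_REF_RE.search(line):
            # pull_request_target runs with base-repo secrets; checking out the
            # PR head then runs the contributor's code with them.
            findings.append((no, "prt-checks-out-pr-head", stripped))
    if not any(l.strip().startswith("permissions:") for l in lines):
        findings.append((0, "no-permissions-block",
                         "GITHUB_TOKEN keeps the repository default permissions"))
    return findings


# Constructed sample: one workflow carrying all four misconfigurations ...
VULNERABLE_WORKFLOW = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          npm test
"""

# ... and its hardened counterpart: pull_request trigger, read-only token,
# SHA-pinned actions, untrusted value passed through an env var instead of
# being interpolated into the script.
HARDENED_WORKFLOW = """name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef
      - run: |
          echo "Title: $PR_TITLE"
          npm test
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name)
        for no, rule, detail in scan_workflow(wf):
            print(f"  line {no}: {rule}: {detail}")
```

The scanner is deliberately line-based so it runs with no YAML dependency; a production detector of the kind the abstract describes would parse the YAML and resolve job- versus workflow-level `permissions`, expressions inside `with:` inputs of script actions, and reusable-workflow calls. The `env:` indirection in the hardened sample is the standard mitigation for expression injection: the shell receives the title as data in a variable rather than as part of the script text.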