Register Owner: CTO
Effective Date: June 13, 2026
Reviewed: On pipeline change and at least annually
Frameworks: SOC 2 CC8.1 (change management); ISO 27001 A.8.25–A.8.32. Implements Change Management and Secure Development.
Effective Date: June 13, 2026
Reviewed: On pipeline change and at least annually
Frameworks: SOC 2 CC8.1 (change management); ISO 27001 A.8.25–A.8.32. Implements Change Management and Secure Development.
Pipeline
Controls
- Separation of duties: PRs require review by someone other than the author; CODEOWNERS gate sensitive areas (auth, encryption, billing, migrations, CI/CD); branch protection requires the CI aggregate check to pass.
- Security gates: SAST (Semgrep, CodeQL), secret scanning (Gitleaks), SCA (Snyk, GitHub Dependency Review), container scanning (Trivy) run on every change; findings flow to the GitHub Security tab and the Vulnerability Management process.
- Supply-chain integrity: release images are signed (Sigstore/cosign, keyless) and ship a CycloneDX SBOM; deploys use short-lived GitHub-OIDC→Vault credentials (no long-lived secrets).
- Promotion: staging (
develop) → production (main) behind a manual approval gate.
Cross-references
- Change Management · Secure Development Policy · Secure Coding
- Vulnerability Management · Open Source & SBOM Policy
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial CI/CD & SDLC pipeline diagram. | Cameron Wolfe | Ishan Jadhwani |