What to change concretely in real CI/CD environments
🔐 Access & Identity Hardening
If SSO/MFA controls are failing:
- Enforce SAML SSO for GitHub/GitLab org.
- Disable password-based login for admins.
- Enforce hardware-based MFA for privileged roles.
- Remove personal access tokens without expiration.
- Configure automatic token rotation.
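The last two items are easiest to enforce with a recurring audit of the token inventory. The script below is an added example, not part of the original checklist or of any vendor tool: it flags tokens with no expiration, tokens whose lifetime exceeds a policy maximum, and tokens old enough that automatic rotation should already have replaced them. The record shape, the 90-day and 60-day limits and the sample inventory are assumptions; a real inventory would come from the GitHub/GitLab admin API or an export.

```python
"""Audit a personal-access-token inventory against the identity-hardening rules above.

Added example, not part of the original checklist or any vendor tool. The token
records are a constructed sample in an assumed shape; the policy limits are assumptions.
"""
from datetime import date

MAX_LIFETIME_DAYS = 90   # assumed policy: no token may be valid for more than 90 days
ROTATION_AGE_DAYS = 60   # assumed policy: anything older than 60 days is due for rotation

# Constructed sample inventory; no real tokens or secret material.
SAMPLE_TOKENS = [
    {"id": "pat-1", "owner": "alice", "created": "2024-01-10", "expires": None,         "scopes": ["repo", "admin:org"]},
    {"id": "pat-2", "owner": "bob",   "created": "2024-03-01", "expires": "2024-04-15", "scopes": ["repo"]},
    {"id": "pat-3", "owner": "carol", "created": "2024-03-20", "expires": "2025-03-20", "scopes": ["repo"]},
]


def audit_tokens(tokens, today_iso):
    """Return a list of (token_id, violation) pairs; an empty list means compliant."""
    today = date.fromisoformat(today_iso)
    findings = []
    for tok in tokens:
        created = date.fromisoformat(tok["created"])
        if tok["expires"] is None:
            findings.append((tok["id"], "no-expiration"))            # must be removed or replaced
        elif (date.fromisoformat(tok["expires"]) - created).days > MAX_LIFETIME_DAYS:
            findings.append((tok["id"], "lifetime-exceeds-policy"))
        if (today - created).days > ROTATION_AGE_DAYS:
            findings.append((tok["id"], "rotation-overdue"))         # rotation should have replaced it
    return findings


if __name__ == "__main__":
    for token_id, violation in audit_tokens(SAMPLE_TOKENS, "2024-04-01"):
        print(f"{token_id}: {violation}")
```

Run it from a scheduled job and feed the violations to the same ticketing flow used for other findings; a token that is both unexpiring and overdue for rotation shows up twice on purpose, since each is a separate remediation.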
🧱 Runner Isolation
If using shared runners in regulated pipelines:
- Move to self-hosted isolated runners.
- Use one runner group per sensitivity level.
- Restrict runner execution to specific projects.
- Disable “public/shared” runners for regulated repos.
🚫 Policy Gates Not Blocking
If SAST/SCA/DAST results are advisory only:
- Convert critical severity thresholds to blocking.
- Require security approval to override.
- Log every override with ticket reference.
- Add expiration to exception approvals.
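A gate that implements all four items is small enough to live in the pipeline itself. The script below is an added example, not taken from the original page or from any scanner: critical findings fail the job unless an exception exists that names a ticket and a security approver and has not expired, and every applied override is emitted as a log line. The report and exception-register formats are simplified assumptions rather than SARIF or a vendor schema, and the finding and ticket identifiers are constructed placeholders.

```python
"""Pipeline policy gate: critical findings block unless a valid, logged exception exists.

Added example, not from the original page or any scanner. The report and
exception-register shapes are simplified assumptions, not a vendor format.
"""
import json
import sys

BLOCKING_SEVERITIES = {"critical"}   # assumed threshold: critical blocks, lower severities stay advisory

# Constructed sample scanner output (not a real report).
SAMPLE_REPORT = {"findings": [
    {"id": "FINDING-001", "severity": "critical", "component": "api/orders.py"},
    {"id": "FINDING-002", "severity": "high",     "component": "third-party/lib-a"},
    {"id": "FINDING-003", "severity": "critical", "component": "third-party/lib-b"},
]}

# Constructed exception register: an override needs a ticket, a security approver and an expiry.
SAMPLE_EXCEPTIONS = {"exceptions": [
    {"finding": "FINDING-003", "ticket": "SEC-TICKET-PLACEHOLDER",
     "approver": "security-team", "expires": "2024-06-30"},
]}


def exception_is_valid(exc, today_iso):
    """An exception counts only if it carries a ticket and an approver and has not expired.
    ISO dates compare correctly as strings, so no date parsing is needed here."""
    return bool(exc and exc.get("ticket") and exc.get("approver")
                and exc.get("expires", "") >= today_iso)


def evaluate_gate(report, exceptions, today_iso):
    """Return (allowed, blocking_finding_ids, override_log)."""
    by_finding = {e["finding"]: e for e in exceptions["exceptions"]}
    blocking, override_log = [], []
    for finding in report["findings"]:
        if finding["severity"] not in BLOCKING_SEVERITIES:
            continue                                  # advisory only
        exc = by_finding.get(finding["id"])
        if exception_is_valid(exc, today_iso):
            override_log.append({"finding": finding["id"], "ticket": exc["ticket"],
                                 "approver": exc["approver"], "expires": exc["expires"],
                                 "applied_on": today_iso})
        else:
            blocking.append(finding["id"])            # no exception, or an expired/incomplete one
    return not blocking, blocking, override_log


if __name__ == "__main__":
    allowed, blocking, log = evaluate_gate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, "2024-05-01")
    for entry in log:
        print("OVERRIDE " + json.dumps(entry))       # ship these lines to the evidence store / SIEM
    if not allowed:
        print("BLOCKED by: " + ", ".join(blocking))
        sys.exit(1)
```

Because an expired exception silently reverts to blocking, the expiry date doubles as the forcing function for re-review: nobody has to remember to revoke it.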
📦 Artifact Integrity
If artifact signing is missing:
- Implement container/image signing (Cosign / Notary).
- Enforce signature verification at deploy time.
- Block unsigned artifacts in release stage.
- Store signature verification logs.
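The deploy-time verification step and its log can be one small wrapper around Cosign. The script below is an added example, not part of the original page and not Cosign's own code: it runs `cosign verify --key <public-key> <image>` (a real Cosign invocation), treats any non-zero exit, a missing binary or a timeout as "unsigned or invalid" so the gate fails closed, and appends one JSON line per image to a verification log. The `runner` parameter is an assumption introduced so the gate logic can be exercised offline; the image references and key path are constructed, not real.

```python
"""Deploy-time signature gate around Cosign, with a verification log.

Added example, not part of the original page and not Cosign's own code. It runs
`cosign verify --key <public-key> <image>` and treats any non-zero exit as
"unsigned or signature invalid". The `runner` argument is injectable so the gate
logic can be exercised without Cosign installed; image names are constructed.
"""
import json
import subprocess
from datetime import datetime, timezone


def verify_image(image, public_key_path, runner=subprocess.run):
    """Run cosign verify and return an audit record; 'verified' is True only on exit code 0."""
    cmd = ["cosign", "verify", "--key", public_key_path, image]
    try:
        result = runner(cmd, capture_output=True, text=True, timeout=120)
        verified = result.returncode == 0
        detail = (result.stdout if verified else result.stderr).strip()
    except (FileNotFoundError, subprocess.TimeoutExpired) as err:
        verified, detail = False, f"cosign did not run: {err}"      # fail closed
    return {"image": image, "verified": verified, "detail": detail[:200],
            "checked_at": datetime.now(timezone.utc).isoformat()}


def deploy_gate(images, public_key_path, runner=subprocess.run):
    """Verify every image; return (unverified_images, records). Any unverified image blocks the release."""
    records = [verify_image(img, public_key_path, runner) for img in images]
    failed = [r["image"] for r in records if not r["verified"]]
    return failed, records


def write_verification_log(records, path):
    """Append one JSON line per verification so the evidence exists outside the CI vendor UI."""
    with open(path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


class _FakeResult:
    """Stand-in for subprocess.CompletedProcess, used only by demo_runner."""
    def __init__(self, returncode, stdout="", stderr=""):
        self.returncode, self.stdout, self.stderr = returncode, stdout, stderr


def demo_runner(cmd, **kwargs):
    """Offline stand-in for subprocess.run: images tagged ':signed' pass, everything else fails."""
    image = cmd[-1]
    if image.endswith(":signed"):
        return _FakeResult(0, stdout="Verification for " + image + " -- OK")
    return _FakeResult(1, stderr="no matching signatures")


if __name__ == "__main__":
    # Constructed image references; in a pipeline use real references (ideally digest-pinned) and the default runner.
    failed, records = deploy_gate(["registry.example/app:signed", "registry.example/app:unsigned"],
                                  "cosign.pub", runner=demo_runner)
    write_verification_log(records, "signature-verification.log")
    if failed:
        raise SystemExit("blocked unsigned artifacts: " + ", ".join(failed))
```

Keep the public key in the deploy environment rather than in the repository being deployed, so a compromised build cannot swap in its own key; the log file is what later satisfies "store signature verification logs" when it is shipped to the evidence store.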
Evidence Centralization
If logs only exist in vendor UI:
- Stream CI/CD logs to SIEM.
- Export scan reports to central evidence store.
- Snapshot approval events.
- Archive pipeline definitions per release.
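Snapshotting approval events and archiving pipeline definitions are more useful when each record is bound to the exact definition in force and can be checked for later modification. The script below is an added example, not from the original page or any CI vendor: it normalises an approval event into a vendor-independent record, attaches the SHA-256 of the archived pipeline definition, hashes the record's canonical JSON form, and emits it as one JSON line for a SIEM collector. The event payload, its field names and the pipeline snippet are constructed assumptions.

```python
"""Snapshot a CI approval event into a vendor-independent evidence record.

Added example, not from the original page. The event payload is a constructed
sample loosely shaped like a CI webhook; field names are assumptions and the
pipeline definition is a constructed snippet.
"""
import hashlib
import json

# Constructed sample: a deployment-approval event as a CI system might emit it.
SAMPLE_EVENT = {
    "type": "deployment_review",
    "repository": "example-org/payments-api",
    "release": "v1.2.3",
    "environment": "production",
    "reviewer": "release-manager",
    "decision": "approved",
    "timestamp": "2024-05-01T10:15:00Z",
}

# Constructed sample of the pipeline definition in force for that release.
SAMPLE_PIPELINE_YAML = "stages: [build, scan, sign, deploy]\n"


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(body):
    """Deterministic serialisation so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def evidence_record(event, pipeline_yaml):
    """Normalise an approval event and bind it to the pipeline definition that produced the release."""
    record = {
        "event_type": event["type"],
        "repo": event["repository"],
        "release": event["release"],
        "environment": event["environment"],
        "approver": event["reviewer"],
        "decision": event["decision"],
        "approved_at": event["timestamp"],
        "pipeline_definition_sha256": sha256_hex(pipeline_yaml),
    }
    record["record_sha256"] = sha256_hex(_canonical(record))
    return record


def verify_record(record):
    """Recompute the record hash; False means the stored record was altered after capture."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return sha256_hex(_canonical(body)) == record["record_sha256"]


def to_siem_line(record):
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    rec = evidence_record(SAMPLE_EVENT, SAMPLE_PIPELINE_YAML)
    print(to_siem_line(rec))
```

Archive the pipeline YAML itself alongside the record under its hash; the record then proves which definition was active without depending on the vendor keeping history.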
🔁 Exit Strategy Weakness
If an exit plan exists but has not been tested:
- Export full repo + branches.
- Export pipeline YAML.
- Export container images.
- Simulate rebuild in alternate CI system.
- Document recovery time.
Exit testing must include real artifact reconstruction.
Sub-Processor Blind Spot
If sub-processor visibility is missing:
- Request official list from supplier.
- Document changes quarterly.
- Map critical sub-processors in architecture.
- Add a contract clause requiring notification of sub-processor changes.