Question: Are code repositories, pipelines, and build servers protected from tampering and unauthorized access?
Objective — Why This Matters
A compromised CI/CD pipeline lets an attacker ship malicious code through the organisation's own release process, so one intrusion becomes a supply-chain breach for every downstream consumer of the software. Protecting repositories, pipeline definitions, and build servers preserves the integrity of software releases: what is deployed is provably what was reviewed and built.
Maturity Levels (0–5)
Level 0 – No repository permissions or audit.
Level 1 – Basic branch protections; no MFA or sign-off.
Level 2 – Access control list maintained; review policy documented.
Level 3 – MFA enforced; signed commits and artifact integrity checks.
Level 4 – Build pipelines scanned for secrets and vulnerabilities.
Level 5 – End-to-end supply-chain signing with continuous verification.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Assign repository permissions per named person (no shared accounts) and enable basic branch protections: no direct pushes to the default branch, pull request required. |
| 1 → 2 | Document the approval workflow (who may approve, how many reviewers) and run periodic ACL reviews that remove stale access. |
| 2 → 3 | Enforce MFA for every account that can push, approve, or run pipelines; require signed commits and verify build integrity (checksums or attestations for every artifact). |
| 3 → 4 | Integrate secret scanning (pre-commit and in CI) and dependency vulnerability scanning into the pipeline, and fail the build on findings. |
| 4 → 5 | Adopt Sigstore or Cosign for artifact signing, and verify signatures at deploy time so nothing runs that cannot be traced back to a build. |
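The 3 → 4 step (secret scanning in the pipeline) is normally done with Gitleaks or TruffleHog. The Go program below is an added example, not part of this page and not code from either tool; it shows the two mechanisms those scanners combine: pattern rules for well-known token formats, and a Shannon-entropy gate on generic `key = value` assignments so placeholders such as `changeme` do not page anyone. The rule set, the `gitleaks:allow` inline marker (modelled on the Gitleaks convention), and the sample file are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one suspected secret located in the scanned text.
type Finding struct {
	Rule string // name of the rule that fired
	Line int    // 1-based line number in the scanned content
	Text string // the offending line, trimmed
}

// rule pairs a name with a pattern. This is a small, hypothetical subset of the
// detectors real scanners ship; specific rules come first so a line is attributed
// to the most precise match.
type rule struct {
	name string
	re   *regexp.Regexp
}

var rules = []rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	// Generic assignment: keyword, separator, then a value that is gated on entropy.
	{"generic-assignment", regexp.MustCompile(`(?i)(?:secret|password|token|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})`)},
}

// shannonEntropy returns bits per character. Random keys score above 4;
// English words and placeholders like "changeme" score below 3.5.
func shannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := make(map[rune]int)
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanText scans content line by line and returns at most one finding per line.
// For the generic rule the captured value must exceed minEntropy, which suppresses
// obvious placeholders. A line carrying "gitleaks:allow" is a deliberate fixture.
func ScanText(content string, minEntropy float64) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		if strings.Contains(line, "gitleaks:allow") {
			continue
		}
		for _, r := range rules {
			m := r.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			if r.name == "generic-assignment" && shannonEntropy(m[1]) < minEntropy {
				continue
			}
			findings = append(findings, Finding{r.name, i + 1, strings.TrimSpace(line)})
			break
		}
	}
	return findings
}

// sampleConfig is a constructed file of the kind that gets committed by mistake.
// The AWS key is the documented example value, not a live credential.
const sampleConfig = `# constructed sample: an environment file checked in by accident
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
db_password = "changeme-changeme"
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
api_key: "k8Qz2vL9xR4tP7wN1mB3"
test_token = "ghp_000000000000000000000000000000000000" # gitleaks:allow
-----BEGIN RSA PRIVATE KEY-----`

func main() {
	for _, f := range ScanText(sampleConfig, 3.5) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Run it and four lines are reported (the AWS key, the GitHub token, the high-entropy `api_key`, and the private-key header); the low-entropy `db_password` placeholder and the allow-listed fixture are not. In a real pipeline the same check runs as a pre-commit hook and again in CI, and a non-empty result fails the build.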
People / Process / Technology Enablers
People – Developers, DevOps, Security Engineer.
Process – Repository review and pipeline audit.
Technology – GitHub Advanced Security, Gitleaks, Sigstore.
Evidence Required
Repository permission and branch-protection exports, commit signature verification output, pipeline scan logs.
Metrics / KPIs
• percentage of accounts with repository access that have MFA enforced
• number of unsigned commits merged per month
• average time to revoke stale repo access
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Secrets scan | Gitleaks / TruffleHog | Detect secrets in code. |
| Signing | Cosign / Sigstore | Verify build artifacts. |
| Monitoring | Wazuh | Repo access alerting. |
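Cosign does artifact signing with Sigstore keys and a transparency log. The Go program below is an added example, not Cosign's code or its bundle format, that shows the core of what "signed builds with continuous verification" (Levels 3 to 5 above) means in practice: the build step signs the SHA-256 digest of the artifact with the release key, the deploy step recomputes the digest and checks the signature against a pinned public key, and both a tampered artifact and a signature made with a different key are rejected before anything runs. The `Attestation` type and the in-memory keys are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is the minimal record a pipeline publishes next to a release:
// the digest of the artifact and a signature over that digest. This is a
// hypothetical layout for the example, not Cosign's bundle format.
type Attestation struct {
	ArtifactDigest string // hex SHA-256 of the artifact bytes
	Signature      []byte // ed25519 signature over the raw digest bytes
}

var (
	ErrTampered = errors.New("artifact digest does not match attestation")
	ErrBadSig   = errors.New("attestation signature invalid for the pinned key")
)

// SignArtifact is what the build step does with the release signing key.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Attestation {
	sum := sha256.Sum256(artifact)
	return Attestation{
		ArtifactDigest: hex.EncodeToString(sum[:]),
		Signature:      ed25519.Sign(priv, sum[:]),
	}
}

// VerifyArtifact is what the deploy step does before it runs anything: recompute
// the digest, compare it with the attested digest, then check the signature with
// the pinned public key. Both checks must pass; a valid signature over a different
// digest is exactly the tampering case this exists to catch.
func VerifyArtifact(pub ed25519.PublicKey, att Attestation, artifact []byte) error {
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != att.ArtifactDigest {
		return ErrTampered
	}
	if !ed25519.Verify(pub, sum[:], att.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	// Keys are generated in memory here; a real pipeline keeps the private key in
	// a KMS or uses Sigstore keyless signing, and pins the public key on the deploy side.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed release tarball contents v1.2.3") // constructed sample
	att := SignArtifact(priv, artifact)
	fmt.Println("digest:", att.ArtifactDigest)
	fmt.Println("clean artifact:", VerifyArtifact(pub, att, artifact))
	fmt.Println("tampered artifact:", VerifyArtifact(pub, att, append(artifact, '!')))

	// An attacker who can run the build but does not hold the release key produces
	// an attestation the deploy step rejects.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignArtifact(otherPriv, artifact)
	fmt.Println("wrong key:", VerifyArtifact(pub, forged, artifact))
}
```

The design choice worth noting is that verification is tied to the deploy step, not to the build: a signature that is produced but never checked gives Level 3 evidence without Level 5 assurance.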
Common Pitfalls
Shared accounts; unsigned commits; no pipeline audit trail; branch protections that administrators can bypass; signatures that are produced at build time but never verified at deploy time.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.5.15 (access control) / A.8.15 (logging). |
| NIST CSF 2.0 | PR.AA-05 (access permissions and authorizations managed) / PR.PS-06 (secure software development practices); PR.AC-4 and PR.DS-3 are the CSF 1.1 identifiers. |
| CERT-In 2022 | Software supply chain controls. |
| NIRMATA Scoring | AS-Q07 ≥ Level 4 requires secret scanning and signed builds. |