CI/CD Pipeline Security Governance for 2026 Audits
It is 08:17 on a Monday morning and the CISO of a scaling fintech receives the message every security leader dreads:
“Production build looks clean, but the artifact hash does not match the source commit.”
Within minutes, engineering confirms that the release passed unit tests, the deployment ticket exists and the customer-facing service is stable. But the pipeline tells a different story. A self-hosted CI runner was reused across projects. A temporary cloud credential remained active longer than intended. The artifact registry shows a signed container image, but the signing key was accessible from the same runner that executed untrusted build scripts.
The release manager can prove that something was deployed. What the organization cannot prove, at least not quickly enough, is what was built, who approved it, whether the build environment was clean and whether the evidence would survive an audit or incident investigation.
That is no longer only a DevOps problem.
In 2026, CI/CD pipeline security governance sits at the intersection of software supply chain security, operational resilience, privacy accountability, product security and board-level cyber risk oversight. NIS2 pushes management bodies to approve and oversee cybersecurity risk-management measures. DORA requires financial entities to govern ICT risk, incidents, testing and third-party dependencies. GDPR requires controllers and processors to demonstrate appropriate security and accountability for personal data. The Cyber Resilience Act raises market expectations for secure products with digital elements, secure updates and vulnerability handling. ISO/IEC 27001:2022 requires an ISMS that turns risk treatment into controlled, evidenced operations.
The pipeline has become the audit trail for modern software trust.
The new compliance question: can you prove what reached production?
For years, DevSecOps programs focused on adding scanners to pipelines. Static analysis, dependency checks, secret scanning, container scanning and infrastructure-as-code validation became common. Those controls still matter, but they do not answer the governance question auditors, regulators, customers and boards now ask:
Can the organization prove that every production deployment came from approved source code, was built in a controlled environment, produced a verifiable artifact, passed required security gates, used approved credentials, followed change management and generated evidence that can be preserved?
Attackers know that build systems, package dependencies, developer tokens, CI runners, release automation, artifact registries and cloud deployment roles are high-value targets. A compromised pipeline can bypass traditional defenses because it uses trusted automation to push malicious code into trusted environments.
A mature CI/CD pipeline security governance model therefore needs six evidence pillars.
| Evidence pillar | What it proves | Typical evidence |
|---|---|---|
| Source integrity | The deployed artifact came from approved source code | Commit ID, branch protection, pull request approvals, signed commits, repository audit logs |
| Build provenance | The artifact was produced by a known pipeline under controlled conditions | Build ID, runner identity, build recipe, dependency manifest, artifact hash, signing record |
| Runner hardening | The execution environment could not easily be reused or tampered with | Ephemeral runner logs, baseline image, patch status, isolation controls, network restrictions |
| Artifact integrity | The release package was not altered after build | Signature, checksum, registry log, promotion record, immutable tag policy |
| Deployment governance | The change was authorized, tested and traceable | Change request ID, approval evidence, environment promotion logs, rollback plan |
| Forensic readiness | Evidence can be preserved during audit or incident response | Exported logs, screenshots, file hashes, chain-of-custody record |
This is where Clarysec’s approach differs from checklist compliance. We treat the CI/CD platform as a governed business process, not only a technical tool. That process must be scoped in the ISMS, risk-assessed, controlled, monitored, audited and improved.
Put CI/CD inside the ISO/IEC 27001:2022 ISMS
ISO/IEC 27001:2022 starts with context, interested parties and scope. Clauses 4.1 to 4.4 require organizations to understand internal and external issues, determine interested-party requirements, identify legal, regulatory and contractual requirements, and define the ISMS scope while considering dependencies with other organizations.
For a SaaS provider, fintech, managed service provider, software vendor or cloud-native business, CI/CD is almost always inside that scope because it directly affects service delivery, customer data, production infrastructure and contractual commitments.
Clauses 5.1 to 5.3 make leadership responsible for the ISMS. This matters because modern release automation sits between engineering, security, cloud operations, procurement, compliance and product management. If no executive owns the risk appetite for production deployment automation, the organization usually ends up with fragmented tooling and inconsistent evidence.
Clauses 6.1.1 to 6.1.3 provide the planning backbone. The organization must assess risks to confidentiality, integrity and availability, identify risk owners, compare risks against criteria, select treatments, compare selected controls with Annex A, produce a Statement of Applicability and obtain approval for the treatment plan and residual risk.
A CI/CD risk assessment should not merely say “software supply chain risk.” It should name realistic scenarios:
- A malicious build script exfiltrates signing keys from a shared runner.
- A developer bypasses branch protection and deploys unreviewed code.
- A compromised third-party action modifies an artifact during build.
- A staging credential grants production access.
- A deployment occurs without a linked change request.
- Pipeline logs needed for incident reconstruction are overwritten after seven days.
- A dependency poisoning incident reaches pre-production or production.
Clause 8.1 then requires planned and controlled operation of ISMS processes, documented evidence, control of planned changes, review of unintended changes and control of externally provided processes, products or services relevant to the ISMS. If the pipeline changes production, it must produce evidence of controlled operation.
The Clarysec control model for secure software delivery
Clarysec connects policy, controls and audit evidence. The Zenith Blueprint: An Auditor’s 30-Step Roadmap Zenith Blueprint places secure DevOps and secure development into the Risk Management phase, Step 14. It states that organizations should secure CI/CD tools, ensure only authorized staff can trigger deployments, use MFA for pipeline access, protect build artifact integrity, and log and monitor CI/CD actions.
“DevOps Pipeline Controls : CI/CD tools must be secured – only authorized staff can trigger deployments; use MFA for pipeline access; protect build artifacts integrity. Log and monitor CI/CD actions.”
That guidance becomes actionable when translated into policy clauses and evidence requirements.
The P24 Secure Development Policy Secure Development Policy states:
“Build artifacts must be signed and traceable to source commits.”
This is one of the strongest controls in a CI/CD governance program. It tells engineering that a production artifact must carry a verifiable lineage back to source control. It also tells auditors what to test: select a production release, inspect the artifact signature, validate the commit reference, review the pull request approval and confirm the pipeline build record.
The same policy states:
“All development activities must be tracked through approved version control systems with enforced access controls, audit trails, and branch protections.”
This moves governance upstream. If source repositories are not protected, build provenance is weak. If branch protections can be bypassed, the pipeline may faithfully build unapproved code. If audit trails are disabled, incident reconstruction depends on memory and screenshots rather than evidence.
For smaller organizations, the Secure Development Policy-sme Secure Development Policy-sme - SME includes a pragmatic minimum requirement:
“Tracking of code version, deployment date, and approver”
That simple deployment ledger is a strong starting point. Many SMEs do not need heavy release governance on day one, but they do need to know what version went live, when and who approved it.
The SME policy also states:
“Access to production deployment tools or systems must be controlled, logged, and periodically reviewed by the GM or IT provider.”
That is the governance step many smaller teams miss. A CI/CD platform with production cloud credentials is a privileged production access path.
Three ISO/IEC 27002:2022 control areas behind secure CI/CD
The Zenith Controls: The Cross-Compliance Guide Zenith Controls is Clarysec’s cross-compliance compass for mapping official standards and frameworks into practical control relationships. For CI/CD pipeline security governance, three ISO/IEC 27002:2022 control areas are central.
| ISO/IEC 27002:2022 control | CI/CD governance role | Related controls and evidence |
|---|---|---|
| 5.21 Managing information security in the ICT supply chain | Governs CI/CD platforms, third-party actions, package repositories, cloud build services, registries and outsourced development | Supplier due diligence, contractual security requirements, provider logs, dependency inventories |
| 8.25 Secure Development Life Cycle | Embeds security into requirements, design, coding, build, testing and release | Secure architecture, secure coding, security testing, artifact signing, release evidence |
| 8.32 Change Management | Ensures deployments are intentional, justified, approved and auditable | Change request ID, approval, deployment log, rollback plan, emergency change record |
Zenith Controls describes 5.21 as a preventive control supporting confidentiality, integrity and availability, with supplier relationships security as a key operational capability. That fits CI/CD because modern pipelines depend on external services: source control platforms, hosted runners, container registries, open-source package repositories, third-party GitHub actions, scanning tools, cloud deployment APIs and outsourced developers.
In the 5.21 mapping, Zenith Controls ties ICT supply chain security to 5.19 Information security in supplier relationships, 5.20 Addressing information security within supplier agreements, 8.27 Secure system architecture and engineering principles, 8.28 Secure coding, 8.29 Security testing in development and acceptance, 5.15 Access control, 5.28 Collection of evidence, 8.25 Secure Development Life Cycle and 8.30 Outsourced development.
For 8.25, Zenith Controls identifies Secure Development Life Cycle as a preventive control protecting confidentiality, integrity and availability. It connects security requirements, architecture, coding, testing, outsourced development and 8.31 Separation of development, test and production environments.
For 8.32, Zenith Controls frames Change Management as the bridge between development and operations. It relates to 8.9 Configuration management, 8.8 Management of technical vulnerabilities, secure SDLC and incident response. This is why deployment automation cannot sit outside change governance. It is the mechanism by which production changes happen.
Build provenance: the release story auditors can follow
Build provenance is the ability to answer, with evidence, where a software artifact came from and how it was produced. A strong provenance record tells the story of a release:
- Which source repository and commit were used.
- Which branch or tag triggered the build.
- Which pull request, reviewer and approval were linked.
- Which pipeline definition executed.
- Which runner executed the job.
- Which dependencies and base images were used.
- Which tests and security gates ran.
- Which artifact was produced.
- Which signature or hash was generated.
- Which deployment consumed the artifact.
The P05 Change Management Policy Change Management Policy provides the governance link. It states:
“Tool-based changes must still comply with this policy and be traceable to a corresponding change request ID.”
This addresses the common argument that automated deployments do not need change tickets. Automation does not remove change governance. It changes how evidence is generated.
The same policy states:
“All change requests, reviews, approvals, and supporting evidence must be recorded in the centralized Change Management System.”
In practice, the change management system should be the index, not the dumping ground. The ticket should point to the source repository, build run, artifact signature, deployment log and rollback plan. Detailed evidence can remain in engineering tools if retention, access control and exportability are defined.
| Control question | Evidence to retain | Owner |
|---|---|---|
| Was the source approved? | Pull request approval, branch protection settings, reviewer identity | Engineering lead |
| Was the build controlled? | Build run ID, runner ID, pipeline definition version, job logs | DevOps |
| Was the artifact traceable? | Artifact hash, signature, source commit reference, registry metadata | Platform team |
| Did security gates run? | SAST, SCA, container, DAST and IaC scan results, exception approvals | Security |
| Was deployment authorized? | Change request ID, approver, deployment window, rollback plan | Change manager |
| Can evidence be preserved? | Exported logs, screenshots, hashes, chain-of-custody record | Security or compliance |
Runner hardening: the overlooked production control
CI/CD runners are often treated as disposable infrastructure, but they are high-risk execution environments. A runner may access source code, secrets, build caches, package repositories, signing keys, artifact registries and cloud deployment roles. If it is persistent, shared, overprivileged or poorly monitored, it becomes a privileged pivot point.
The secure governance position is simple: runners that build or deploy production code must be hardened like production infrastructure.
| Runner hardening area | Expected control | Audit evidence |
|---|---|---|
| Isolation | Use ephemeral runners for sensitive builds and avoid sharing across trust boundaries | Runner lifecycle logs, runner group settings |
| Credential security | Use short-lived credentials and workload identity instead of long-lived secrets | Identity configuration, token expiry settings, secret rotation logs |
| Least privilege | Separate build, test, signing and deployment roles | Role definitions, access reviews, permission exports |
| Network control | Restrict outbound access and block unnecessary production connectivity | Firewall rules, network policy exports, egress logs |
| Baseline integrity | Patch runner images and record approved versions | Image inventory, patch reports, build image digests |
| Cache protection | Prevent cross-project contamination through build caches | Cache policy, project isolation settings |
| Monitoring | Log administrative actions, configuration changes and job anomalies | CI/CD audit logs, SIEM events, alert records |
The Test Data and Test Environment Policy Test Data and Test Environment Policy states:
“Integration with CI/CD pipelines must enforce the separation of environments and authentication credentials.”
A runner that can deploy to staging and production with the same credential model violates environment separation in spirit, even if the infrastructure is logically separate. Clarysec typically recommends separate deployment identities per environment, separate approval gates for production and explicit controls preventing lower-environment jobs from accessing production secrets.
The Zenith Blueprint, Controls in Action phase, Step 21, reinforces this through separation of development, test and production environments:
“If CI/CD is used, confirm that deployment promotion between environments is controlled and requires review or approval. Document this in your Environment Management Procedure and take screenshots or console exports to back it up.”
For a real audit, that means the auditor should not only see a diagram. They should see console exports showing environment-specific credentials, protected deployment environments, approval gates and logs proving that promotion was controlled.
Deployment evidence: the compliance artifact hiding in plain sight
The most mature DevSecOps teams do not treat evidence collection as a quarterly scramble. They design pipelines to generate evidence automatically.
The Logging and Monitoring Policy-sme Logging and Monitoring Policy-sme - SME identifies relevant log events as:
“System logs: Configuration changes, administrative actions, software installations, patching activity”
CI/CD systems produce all four categories. Pipeline configuration changes affect how software is built. Administrative actions change who can approve or deploy. Software installations occur in build images and deployment targets. Patching activity may flow through automated release processes. These events should be logged, retained and reviewed according to risk.
For investigation readiness, the P31S Evidence Collection and Forensics Policy-sme Evidence Collection and Forensics Policy-sme - SME states:
“Screenshots, exported logs, and file hashes must be stored alongside the chain-of-custody file.”
This is especially important after a suspected pipeline compromise. Screenshots alone are weak evidence. Logs without hashes may be challenged. A chain-of-custody file without source references is incomplete.
A defensible production deployment record should include the following.
| Evidence item | Minimum content | Primary source | Compliance value |
|---|---|---|---|
| Change request | Business need, risk level, approval, change ID, rollback plan | JIRA, ServiceNow, Git issue | ISO 27002 8.32, DORA Article 9 |
| Source record | Repository, commit, branch, pull request approvals | Git, GitHub, GitLab, Azure DevOps | ISO 27002 8.25, NIS2 Article 21 |
| Build record | Pipeline ID, runner ID, build logs, dependency data | CI/CD platform | ISO 27002 8.25, ICT supply chain evidence |
| Build provenance attestation | Signed record of build inputs, environment and process | CI/CD tool, SLSA-capable workflow | ISO 27002 5.21, CRA Annex I support |
| Security gate record | SAST, SCA, DAST, container and IaC scan results | Security tools, pipeline logs | ISO 27002 8.29, DORA Article 9 |
| Artifact record | Hash, signature, registry path, immutable digest | Artifact registry | ISO 27002 8.25, CRA secure update evidence |
| Deployment record | Environment, actor, timestamp, production approval | GitOps, deployment platform | ISO 27002 8.32, DORA Article 10 |
| Monitoring record | Post-deployment health and anomaly checks | SIEM, observability platform | DORA detection and response expectations |
| Evidence preservation | Exported logs, screenshots, hashes, custody record | Evidence repository | ISO 27002 5.28, incident investigation |
This package transforms CI/CD from a series of technical steps into a story of governance, control and due diligence.
Mapping CI/CD governance to NIS2, DORA, GDPR and CRA
NIS2 applies to many essential and important entities, including digital infrastructure, ICT service management and digital provider organizations where criteria are met. Article 20 is particularly relevant because it creates management-level cybersecurity duties. Management bodies must approve cybersecurity risk-management measures, oversee implementation and receive training.
Article 21 provides the risk-management baseline. It requires appropriate and proportionate technical, operational and organizational measures covering risk analysis, policies, incident handling, business continuity, supply chain security, secure acquisition, development and maintenance, vulnerability handling, effectiveness assessment, cyber hygiene, cryptography, HR security, access control, asset management and MFA where appropriate.
| NIS2 Article 21 theme | CI/CD governance interpretation |
|---|---|
| Risk analysis and policies | Pipeline threat model, secure development policy, runner risk assessment |
| Incident handling | Pipeline compromise playbook, artifact revocation, emergency release control |
| Business continuity | Recovery of source control, artifact registry and deployment automation |
| Supply chain security | Third-party actions, packages, outsourced development, registry dependencies |
| Secure development and maintenance | Secure SDLC, code review, testing, vulnerability handling |
| Effectiveness assessment | Pipeline control testing, audit sampling, metrics and exceptions |
| Access control and MFA | Repository, CI/CD admin, runner registration, production deployment roles |
| Cryptography | Artifact signing, secrets protection, key management |
Article 23 adds staged significant incident reporting, including early warning within 24 hours of awareness, incident notification within 72 hours and a final report no later than one month after incident notification. If a CI/CD compromise could cause severe operational disruption, financial loss or material damage to others, the incident classification process must be ready before the incident.
For financial entities, DORA applies from 17 January 2025 and covers ICT risk management, incident reporting, resilience testing, information sharing, ICT third-party risk management and contractual requirements. Article 5 requires an internal governance and control framework for ICT risk, with management-body responsibility. Article 6 requires a documented ICT risk management framework integrated into overall risk management.
Articles 8 to 14 map directly to CI/CD pipeline governance. Financial entities must identify and classify ICT-supported business functions, assets, dependencies, threats and vulnerabilities. They must protect ICT systems through policies, access controls, strong authentication, cryptographic key protection, controlled ICT change management, patching and segmentation. They must detect anomalies, respond, recover and learn from incidents.
Articles 28 to 30 are equally important because CI/CD platforms, source control providers, artifact registries, cloud build systems and outsourced developers may be ICT third-party dependencies. DORA expects due diligence, contractual safeguards, concentration-risk assessment, audit and inspection rights, termination triggers, exit strategies and service-level clauses.
GDPR adds the accountability lens. Article 5 requires personal data to be processed lawfully, fairly, transparently, for specified purposes, minimized, accurate, retained only as needed and protected against unauthorized or unlawful processing and accidental loss, destruction or damage. Article 5(2) requires the controller to demonstrate compliance.
CI/CD pipelines matter to GDPR because developers may use production data in test environments, pipeline logs may expose personal data or tokens, releases may change processing logic, and compromised artifacts may cause personal data breaches. Where software changes affect privacy controls, the change record should capture privacy impact. Where a pipeline incident causes unauthorized access to personal data, breach assessment must be linked to incident handling.
CRA expectations add product security and secure update evidence. For manufacturers and software providers placing products with digital elements on the EU market, customers increasingly expect product security files, vulnerability handling evidence, secure update controls and release integrity. CI/CD governance supplies much of that evidence through source traceability, signed artifacts, vulnerability scan results, release notes, security fixes and update distribution records.
NIST CSF 2.0 and COBIT 2019: the audit lens beyond ISO
NIST CSF 2.0 provides an integration layer for cybersecurity governance. Its Core, Organizational Profiles and Tiers help organizations understand current and target posture, prioritize actions aligned with legal and regulatory requirements, and communicate cyber risk.
For CI/CD, Clarysec often creates a Software Delivery Pipeline Profile. The Current Profile captures how source control, runners, artifact signing and deployment approvals work today. The Target Profile defines the required state for regulated operations. The gap plan becomes the implementation roadmap.
The NIST GOVERN function is especially relevant. GV.OC-03 requires legal, regulatory and contractual cybersecurity requirements to be understood and managed. GV.RM covers risk appetite and standardized risk prioritization. GV.RR assigns leadership accountability, roles and resources. GV.PO requires cybersecurity risk policies to be established, enforced, reviewed and updated. GV.OV covers oversight and performance evaluation.
A COBIT 2019 or ISACA-style auditor will often look less at the cryptographic detail of artifact signing and more at governance design. They will ask whether ownership is defined, whether change enablement is controlled, whether third-party services are risk-managed, whether monitoring produces assurance, whether exceptions are approved and whether management receives meaningful reporting.
| Audit lens | Likely audit question | Evidence that answers it |
|---|---|---|
| ISO/IEC 27001:2022 auditor | Is CI/CD included in ISMS scope, risk assessment, Statement of Applicability and operating controls? | ISMS scope, risk register, SoA mapping, policy clauses, deployment samples |
| ISO/IEC 27002:2022 control reviewer | Are secure SDLC, environment separation, access control, change management and evidence collection implemented? | Branch protections, environment credentials, approvals, artifact signatures, logs |
| NIS2 assessor | Has management approved proportionate measures for secure development, supply chain, access control, incident handling and resilience? | Board minutes, risk treatment plan, Article 21 mapping, incident playbook, supplier records |
| DORA auditor | Does the pipeline support ICT risk management, controlled change, monitoring, testing, incident reporting and ICT third-party governance? | ICT asset inventory, change records, detection logs, incident classification, provider register |
| GDPR reviewer | Can the organization demonstrate security and accountability for releases affecting personal data? | Privacy review notes, test data controls, access logs, breach assessment workflow |
| NIST CSF 2.0 assessor | What is the current versus target pipeline posture and prioritized improvement plan? | CSF profile, gap analysis, POA&M, metrics, risk acceptance records |
| COBIT 2019 or ISACA auditor | Are roles, responsibilities, process controls, performance measures and assurance activities defined? | RACI, control owner list, KPI and KRI reports, internal audit results, exception register |
Common CI/CD audit failures and board-level metrics
Most CI/CD audit findings are predictable. The first is unlinked evidence. The team has Git logs, pipeline logs and deployment logs, but no single change record connects them. The second is overprivileged automation, where one job can read production secrets, push artifacts, approve deployments and modify pipeline definitions. The third is persistent shared runners, which create contamination risk between projects and make forensic scoping harder after compromise.
Other common failures include unsigned or overwritten artifacts, informal scan overrides, supplier blindness and privacy leakage in logs. A good pipeline allows exceptions, but requires approval, expiry, risk ownership and review.
Security leaders should avoid reporting only scanner counts to the board. Instead, report release trust metrics:
- Percentage of production deployments linked to approved change records.
- Percentage of production artifacts signed and traceable to source commits.
- Number of deployments using exceptions or emergency approvals.
- Percentage of privileged CI/CD users with MFA and recent access review.
- Number of active long-lived deployment credentials.
- Percentage of critical services using hardened or ephemeral runners.
- Mean time to revoke or rotate pipeline secrets after an incident.
- Number of critical supplier dependencies supporting software delivery.
- Evidence completeness rate for audit-sampled releases.
These metrics support ISO/IEC 27001:2022 leadership, planning and operational control. They also support NIS2 Article 20 management oversight and DORA governance expectations.
Make your pipeline auditable before the incident
CI/CD pipeline security governance in 2026 is not about slowing engineering down. It is about making software delivery trustworthy, resilient and provable. The best programs use automation to accelerate evidence, not bypass governance.
A practical Clarysec implementation starts with three actions.
- Use Zenith Blueprint Zenith Blueprint to place secure DevOps, source code access, environment separation and change management into your ISO/IEC 27001:2022 implementation roadmap.
- Use Zenith Controls Zenith Controls to map CI/CD risks across secure SDLC, ICT supply chain, access control, change management, evidence collection, NIS2, DORA, GDPR, NIST CSF 2.0 and COBIT 2019 audit perspectives.
- Deploy Clarysec policy templates, including Secure Development Policy, Change Management Policy, Test Data and Test Environment Policy, Secure Development Policy-sme - SME, Logging and Monitoring Policy-sme - SME and Evidence Collection and Forensics Policy-sme - SME, to define who approves releases, how artifacts are traced, how runners are controlled and what evidence must be retained.
If your next audit sample starts with “show us the production release trail,” your team should be able to answer in minutes, not weeks. That is the difference between DevOps automation and governed software delivery.
Download the Clarysec policy toolkit, review your CI/CD pipeline against Zenith Blueprint and Zenith Controls, or book a Clarysec assessment to turn your pipeline from a source of audit anxiety into a cornerstone of digital resilience.
Frequently Asked Questions
About the Author
Igor Petreski
Compliance Systems Architect, Clarysec LLC
Igor Petreski is a cybersecurity leader with over 30 years of experience in information technology and a dedicated decade specializing in global Governance, Risk, and Compliance (GRC).Core Credentials & Qualifications:• MSc in Cyber Security from Royal Holloway, University of London• PECB-Certified ISO/IEC 27001 Lead Auditor & Trainer• Certified Information Systems Auditor (CISA) from ISACA• Certified Information Security Manager (CISM) from ISACA • Certified Ethical Hacker from EC-Council
