Every CI/CD pipeline is an automated pathway to production. Every automated pathway to production is a potential attack vector. SP-028 addresses the security architecture that sits between these two truths.
SP-028 Secure DevOps Pipeline is OSA's second new pattern this month, covering the full spectrum of pipeline security from basic automated checks through to zero-trust pipelines with cryptographic provenance attestation. It maps 46 NIST 800-53 controls to 12 DevSecOps-specific threats, giving security architects a concrete, auditable framework for securing software delivery.
Four Maturity Levels
The pattern defines a maturity spectrum for pipeline security:
- Basic — manual or ad-hoc security checks, where security is bypassed under delivery pressure
- Integrated — automated SAST, SCA, and container scanning embedded as pipeline stages
- Policy-enforced — mandatory security gates, cryptographic artifact verification, policy-as-code
- Zero-trust — verified provenance for every component, cryptographic attestation, continuous compliance
Most organisations today sit between the first two levels, Basic and Integrated. The pattern helps you implement controls proportionate to where you are now, while understanding the path to higher assurance.
Nine Key Control Areas
SP-028 covers nine distinct security domains across the software delivery lifecycle:
- Pipeline infrastructure security — hardened, ephemeral build environments
- Source code and repository governance — branch protection, signed commits, separation of duties
- Secrets and credential management — vault-based injection, rotation, scoped access
- Software supply chain integrity — SCA, SBOM generation, dependency provenance
- Automated security testing — SAST, DAST, IaC scanning, container scanning
- Artifact integrity and provenance — Sigstore/Cosign, SLSA attestation, transparency logs
- Deployment security and environment promotion — gates, approvals, immutable deployments
- Infrastructure as Code governance — policy-as-code, drift detection, IaC scanning
- Audit, evidence, and compliance automation — continuous evidence collection as a pipeline byproduct
Twelve Pipeline-Specific Threats
The pattern identifies 12 threats specific to CI/CD environments, each mapped to mitigating controls:
- Supply chain attacks via compromised dependencies
- Secret exposure in build logs or artifacts
- Pipeline poisoning through malicious build step injection
- Artifact tampering between build and deployment
- Privilege escalation via CI/CD service accounts
- Unauthorised code injection via merge requests
- Infrastructure drift from declared state
- Container image supply chain compromise
- Insider threats via pipeline access
- Deployment without security gate verification
- Dependency confusion and typosquatting attacks
- Compliance evidence tampering
Practising What We Preach
We do not believe in publishing security guidance we do not follow ourselves. The OSA repositories are secured using the controls described in SP-028: GitHub Actions pinned to commit SHAs to prevent supply chain compromise, dependencies version-locked, Dependabot monitoring for security updates, npm audit running on every build, SonarCloud static analysis on every push and pull request, secret scanning enabled, and explicit least-privilege permissions on all pipeline steps.
When we audited our own pipeline against SP-028's maturity model, we found gaps — and fixed them the same day. That is the point: the pattern gives you a concrete framework to assess against, and a clear path to improve. If you find your pipelines have gaps, that is not a failure — it is the starting point.
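As an added illustration, not OSA's own tooling, the script below audits a GitHub Actions workflow for two of the controls named above: every action pinned to a full commit SHA rather than a mutable tag, and an explicit least-privilege `permissions:` block. The sample workflows and the 40-hex SHA are constructed placeholders, and the scan is line-based so it needs nothing beyond the standard library.

```python
"""Scan a GitHub Actions workflow for two SP-028 pipeline controls: every
`uses:` reference pinned to a full 40-hex commit SHA (tags and branches are
mutable) and an explicit `permissions:` block instead of the default grant."""
import re

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// steps do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(\S.*)?$")

def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) findings; line 0 means a whole-file finding."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):   # e.g. @v4 or @main: retargetable upstream
                findings.append((lineno, f"{action} uses mutable ref '{ref}', not a commit SHA"))
            continue
        m = PERMISSIONS_RE.match(line)
        if m:
            has_permissions = True
            if (m.group(1) or "").strip() == "write-all":
                findings.append((lineno, "permissions: write-all grants every scope"))
    if not has_permissions:
        findings.append((0, "no permissions: block; GITHUB_TOKEN gets the repository default"))
    return findings

# Constructed sample workflows, not OSA's; the SHA below is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
WEAK_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm audit --audit-level=high
"""
HARDENED_WORKFLOW = f"""\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4, reviewed before pinning
      - run: npm ci && npm audit --audit-level=high
"""
```

Run against the weak sample it reports the unpinned checkout step and the missing permissions block; the hardened sample comes back clean, which is the shape of evidence a maturity self-assessment can collect on every push.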
Key References
SP-028 cross-references the major frameworks and tools shaping modern pipeline security:
- NIST SP 800-218 SSDF — Secure Software Development Framework
- SLSA — Supply Chain Levels for Software Artifacts
- Sigstore — keyless software signing and transparency
- OWASP DevSecOps Guideline
- OpenSSF Scorecard — automated security health for open source
- CISA Secure Software Development Attestation
Explore the full pattern at SP-028 Secure DevOps Pipeline.
The OSA Core Team