We already run scanners. Why add policy-as-code?

Scanners tell you what’s wrong. Policy-as-code decides what’s allowed. The former produces lists; the latter creates gates tied to your business rules and generates signed evidence per change. That’s the difference between a noisy report and a reliable audit trail.

Will this slow down our deploys?

Done right, PR checks add 2–5 minutes and deploy gates add milliseconds (admission) to seconds (attestation verify). We keep builds parallelized, run deterministic checks on static artifacts, and fail fast only on criticals. Our clients’ lead times typically stay within ±10%.

Do we need OPA/Rego if we already use Kyverno?

Kyverno is great for Kubernetes resource policies. You’ll still want OPA/Rego or tools like Checkov for Terraform/CloudFormation, and sometimes Gatekeeper for cross-resource constraints. Many teams run both: Kyverno for K8s admission + Conftest/Checkov for IaC.

How do we handle legacy workloads that can’t comply yet?

Use exceptions-as-code with expiry, risk owner, and a remediation plan. Segment those workloads into a stricter enclave, add compensating controls (e.g., WAF, egress blocks), and track exception debt. The pipeline should surface and time-box the debt, not hide it.

Security-compliance · Oct 12, 2025 · 10 minute read

Ship Fast, Pass Audit: Turning Policies into Pipeline Guardrails That Don’t Kill Velocity

If auditors still email you CSVs while prod deploys by hand-wavy Slack approvals, you’re one Sev-1 away from a public postmortem. Bake compliance into the pipeline, generate proofs automatically, and keep shipping without drama.

Alex Kim

Principal Consultant, GitPlumbers

20 years fixing brittle systems and compliance hairballs. Ex-SRE at a unicorn you’ve definitely paged at 3 a.m. Kubernetes, Terraform, and audits that end on time.

Compliance should be a compiler error, not a calendar event.

Back to all posts

Ship Fast, Pass Audit: Turning Policies into Pipeline Guardrails That Don’t Kill Velocity

Key takeaways

Implementation checklist