We’re not on AWS/K8s. Does this still apply?

Yes. The pattern is portable: policy-as-code (OPA), plan-time checks (Pulumi/Terraform JSON, ARM/Bicep), admission controls (OpenShift/Gatekeeper), dynamic secrets (Vault), and signed artifacts (Cosign) exist across clouds and platforms.

Won’t this slow down delivery?

Done right, it speeds you up. Fail fast in CI, pre-approved modules, and auto-remediation prevent slow human review cycles. Our clients typically hold or improve lead time while cutting security toil.

We’re air-gapped. Can we still use Sigstore?

Yes. Run a private Fulcio/Rekor or use key-based cosign signatures and store attestations in your internal registry or WORM object storage. The point is verifiable evidence, not calling public services.

How do we handle exceptions?

Codify them, too. Use signed waivers with expiration, referenced in policy (OPA can check a waiver list). Exceptions become traceable, time-bound, and auditable.

What’s the first control to implement?

Least-privilege at plan-time with OPA/Conftest. It catches high-severity issues early and establishes the pattern you’ll reuse for rotation and supply chain.

Security-compliance · Oct 4, 2025 · 10 minute read

The Audit That Stopped Our Releases: Codifying Least‑Privilege, Rotation, and Dependency Risk as Code

Translate policy into guardrails, checks, and automated proofs your auditors actually accept, without grinding delivery to a halt.

Alex Mercer

Principal Consultant, GitPlumbers

20 years fixing brittle systems in finance, health, and SaaS. Ex-SRE lead, Terraform early adopter, OPA/K8s tinkerer, allergic to hand-wavy compliance.

If it isn’t codified, enforced, and leaving a cryptographically verifiable trail, it’s not a control—it’s a suggestion.

Back to all posts

The Audit That Stopped Our Releases: Codifying Least‑Privilege, Rotation, and Dependency Risk as Code

Key takeaways

Implementation checklist