The Day the Auditor Joined Our Standup: Put Compliance in Your Pipeline, Not on Your Calendar

Translate PDFs into guardrails, checks, and automated proofs. Ship fast in regulated environments without waking Legal.

If it’s not in the pipeline, it’s optional. Make compliance a pass/fail test, not a meeting.

Key takeaways

  • If it’s not codified and enforced in CI/CD, it’s optional. Auditors and outages both hate optional.
  • Start with policy-as-code (OPA/Rego, Kyverno) and gate merges/deploys with clear, deterministic checks.
  • Generate automated proofs: SBOMs, signatures, vulnerability and policy reports, OPA decision logs, and store them immutably.
  • Balance speed with constraints by shifting checks left, caching scans, and progressively enforcing policies.
  • Adopt GitOps and cluster admission controls so only compliant, signed, and attested artifacts can run.

Implementation checklist

  • Map each control (HIPAA/PCI/SOC 2) to a specific automated check and artifact.
  • Add IaC scanners (`checkov`, `tfsec`), container scanners (`trivy`/`grype`), and secret scanning (`gitleaks`) to PRs.
  • Enforce Kubernetes admission with `Kyverno` or `OPA Gatekeeper` (image signatures, non-root, network policy).
  • Produce SBOMs (`syft`) and sign artifacts (`cosign`); record attestations (in-toto/SLSA).
  • Store evidence (reports, attestations, decision logs) in immutable storage (e.g., S3 Object Lock).
  • Create a waiver process with time-bound exceptions and owner sign-off, tracked as code.
  • Measure lead time, change failure rate, MTTR, and “evidence retrieval time” for audits.

Questions we hear from teams

OPA Gatekeeper or Kyverno for Kubernetes policies?
Both are solid. Gatekeeper (OPA/Rego) is great if your org standardizes on Rego across stacks. Kyverno is friendlier for K8s-native teams and supports image signature verification and policy mutations out of the box. For most teams, Kyverno covers 90% with less code; keep Rego for org-specific logic and Terraform policies.
How do we handle regulated data in preview environments?
Block direct production copies with an OPA rule in CI and a Kyverno admission policy. Only allow data imports that pass through a masking pipeline you control. Tag resources with data classifications and enforce network egress and storage encryption for anything labeled PHI/PCI.
Won’t scans slow our pipeline to a crawl?
Not if you cache and split. Run fast checks (secrets, checkov/tfsec, conftest) on PRs. Build SBOMs and deep scans only on main or for images that actually changed. Trivy and Grype cache DBs and layers; warm them with a scheduled job.
How do we manage exceptions without destroying the program?
Waivers are code. Each waiver references a specific finding, owner, risk, sunset date, and mitigation. Store in the repo, link to ticket IDs, and fail builds if the waiver expires. That keeps leadership honest and auditors happy.
Where do we store proofs so they’re audit-ready?
Use object storage with immutability (S3 + Object Lock or GCS Bucket Lock). Organize by repo/commit/build, set retention to match your framework, and include a machine-readable manifest mapping artifacts to SHAs and release tags.
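The waiver-as-code gate described in the checklist and in the exceptions answer above, as an added example (not GitPlumbers' code or policy pack): each waiver must carry a finding ID, owner, risk, sunset date, mitigation and ticket, an expired or incomplete waiver fails the build rather than silently suppressing a finding, and any unwaived HIGH/CRITICAL finding fails it too. The waiver and finding field names and the sample data are assumptions for illustration.

```python
# Added example (not GitPlumbers' code): a waivers-as-code gate that fails the build on
# unwaived HIGH/CRITICAL findings and on expired or incomplete waivers. Field names are assumed.
from datetime import date, datetime

REQUIRED_WAIVER_FIELDS = ("finding_id", "owner", "risk", "sunset", "mitigation", "ticket")
GATED_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed samples standing in for waivers/*.json in the repo and a trimmed scanner report.
WAIVERS = [
    {"finding_id": "CVE-0000-0001", "owner": "payments", "risk": "medium", "ticket": "SEC-123",
     "sunset": "2099-01-31", "mitigation": "port not exposed; WAF rule in place"},
    {"finding_id": "CVE-0000-0002", "owner": "platform", "risk": "high", "ticket": "SEC-77",
     "sunset": "2020-06-30", "mitigation": "upgrade scheduled"},  # expired: must fail the build
]
FINDINGS = [
    {"id": "CVE-0000-0001", "severity": "HIGH"},      # covered by a live waiver
    {"id": "CVE-0000-0002", "severity": "CRITICAL"},  # only an expired waiver
    {"id": "CVE-0000-0003", "severity": "LOW"},       # below the gate, never blocks
    {"id": "CVE-0000-0004", "severity": "HIGH"},      # no waiver at all
]


def waiver_problems(waiver, today):
    """Return why a waiver cannot be honoured; an empty list means it is usable."""
    problems = [f"missing {f}" for f in REQUIRED_WAIVER_FIELDS if not waiver.get(f)]
    try:
        if datetime.strptime(waiver.get("sunset", ""), "%Y-%m-%d").date() < today:
            problems.append(f"expired on {waiver['sunset']}")
    except ValueError:
        problems.append("sunset is not YYYY-MM-DD")
    return problems


def evaluate(findings, waivers, today=None):
    """Return (passed, messages); a bad waiver never suppresses a finding and fails the build."""
    today = today or date.today()
    messages, live = [], {}
    for w in waivers:
        problems = waiver_problems(w, today)
        if problems:
            messages.append(f"INVALID waiver {w.get('finding_id')}: " + "; ".join(problems))
        else:
            live[w["finding_id"]] = w
    for f in findings:
        if f["severity"] not in GATED_SEVERITIES:
            continue  # still visible in the scanner report, just not a merge blocker
        if f["id"] in live:
            messages.append(f"WAIVED {f['id']} until {live[f['id']]['sunset']} ({live[f['id']]['ticket']})")
        else:
            messages.append(f"FAIL {f['id']} ({f['severity']}): no live waiver")
    return not any(m.startswith(("FAIL", "INVALID")) for m in messages), messages
```

In a CI job, exit non-zero when `evaluate` returns `False` and archive the message list alongside the scan report as part of the evidence bundle.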
