Will this approach work if we’re on GitLab/Jenkins instead of GitHub Actions?

Yes. The patterns are portable. Replace reusable Actions with GitLab parent-child pipelines or Jenkins shared libraries. Conftest, Semgrep, Trivy, and cosign all run fine as CLI steps. The evidence pattern (JSON + S3/GCS + signing) is CI-agnostic.

How do we prevent guardrails from blocking every PR at the start?

Start in advisory mode for 1–2 sprints. Publish pass/fail, tie results to control IDs, and fix top offenders. Then progressively enforce: `public` stays advisory; `internal` gets partial blocks; `restricted` becomes enforce. Make it boring and predictable.

What about legacy repos without IaC or tests?

We start with read-only scans (runtime inventory, egress mapping), add Semgrep and container scans, and backfill minimal IaC (network, storage) to put guardrails in place. Don’t boil the ocean—stabilize the blast radius first.

Do we still need a formal threat model document for audits?

Usually not. Auditors accept living evidence if it’s traceable: PRs with threat model deltas, rule IDs mapped to controls, signed results per change, and an index. We can export a snapshot for audit, but the pipeline remains the source of truth.

How do we handle third-party SaaS and data egress?

Tag integrations with `x-data-classification`, whitelist destinations per class, and enforce via egress policies (Kubernetes NetworkPolicy, cloud egress gateways). For `restricted`, require VPN/PrivateLink equivalents and vendor DPAs; store attested vendor scans in the same evidence bucket.

Security-compliance · Oct 17, 2025 · 8 minute read

Threat Modeling at Sprint Speed: Turn Policy into Guardrails, Checks, and Attestations

Bake threat modeling into modernization sprints without slowing delivery by translating policy into code, proofs, and reusable guardrails.

Riley Grant

Partner, Delivery & Reliability at GitPlumbers

Riley has spent 20 years untangling outages and compliance hairballs at fintechs and Fortune 500s. Ex-SRE lead at a unicorn you definitely use; recovering platform PM; still carries a pager (by choice).

Ship the guardrails with the code, and the audit becomes a log read, not a meeting.

Back to all posts

Threat Modeling at Sprint Speed: Turn Policy into Guardrails, Checks, and Attestations

Key takeaways

Implementation checklist