Do we need both OPA/Kyverno and CI checks?

Yes. CI catches issues before merge; admission protects the cluster from drift and manual changes. Defense in depth prevents bypass via out‑of‑band applies or emergency changes.

Will this slow us down?

Done right, no. Start warn‑only, fix noisy rules, and shift checks left with pre‑commit. Teams usually hold or improve lead time once the feedback loop is local and fast.

We’re on Terraform Cloud—use Sentinel or OPA?

Either works. If you’re already on TFC, Sentinel is convenient. If you want vendor‑neutral and reuse rules across tools, OPA/Rego + Conftest is our default.

Vault vs. AWS Secrets Manager vs. SOPS?

Use Secrets Manager for cloud‑native rotation, Vault for multi‑cloud and database brokers or complex workflows, and SOPS for GitOps overlays (not runtime). Many orgs use all three together.

How do we handle urgent exceptions?

Create a waiver file with expiry and ticket link. Policy reads it and allows the change temporarily. Expired waivers should fail CI and page the owner.

Security-compliance · Nov 9, 2025 · 9 minute read

Your Policies Don’t Count Until They Compile: Least‑Privilege, Secret Rotation, and Dependency Risk as Code

If you can’t enforce it in CI and prove it in an audit, it’s not a policy—it’s a wish. Here’s how we codify least‑privilege, rotation, and dependency risk without tanking delivery speed.

Back to all posts

Your Policies Don’t Count Until They Compile: Least‑Privilege, Secret Rotation, and Dependency Risk as Code

Key takeaways

Implementation checklist