Profile Applicability:
Level 1
Description:
All modifications to pipeline configuration files (e.g., YAML, JSON, or scripts defining build/deployment workflows) must be tracked using version control and subjected to formal review processes. This ensures accountability, traceability, and quality control over changes affecting automated build and deployment pipelines.
Rationale:
Tracking and reviewing pipeline file changes helps prevent accidental misconfigurations, unauthorized modifications, and security risks that could disrupt software delivery or introduce vulnerabilities. It also promotes collaboration and compliance with organizational standards.
Impact:
Pros:
Enhances pipeline security and reliability.
Provides audit trail and accountability for changes.
Reduces risk of build or deployment failures.
Supports compliance with security policies and best practices.
Cons:
Requires discipline in change management processes.
May introduce delays if reviews are not timely.
Default value:
Pipeline files may be modified without formal tracking or review in some environments, increasing risk.
Audit:
Review version control history for pipeline files. Verify that changes undergo peer or security reviews prior to merging. Check logs for unauthorized or undocumented modifications.
Remediation:
Enforce version control usage for pipeline files. Implement pull request or merge request review policies specifically for these files. Educate teams on the importance of reviewing pipeline changes.
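As an added illustration of the Audit step (example code written for this page, not part of the benchmark or of any CI vendor's tooling), the Python check below parses first-parent git history and flags commits that changed pipeline files without arriving through a merge commit or a squash-merged pull request. The file patterns, the assumed `git log` format, and the GitHub `(#N)` subject convention for squash merges are assumptions to adjust for your platform.

```python
import re
# Paths treated as pipeline configuration (assumption: extend for your CI system).
PIPELINE_PATTERNS = [re.compile(r"^\.github/workflows/[^/]+\.ya?ml$"),
                     re.compile(r"^\.gitlab-ci\.ya?ml$"), re.compile(r"^Jenkinsfile$")]
# GitHub squash/rebase merges keep the PR number in the subject, e.g. "fix (#42)".
PR_REF = re.compile(r"\(#\d+\)\s*$")
def parse_git_log(text):
    """Parse `git log --first-parent --format='commit %H%nparents %P%nsubject %s' --name-only`."""
    commits, cur = [], None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = {"sha": line.split()[1], "parents": [], "subject": "", "files": []}
            commits.append(cur)
        elif cur and line.startswith("parents "):
            cur["parents"] = line.split()[1:]
        elif cur and line.startswith("subject "):
            cur["subject"] = line[len("subject "):]
        elif cur and line.strip():           # remaining non-blank lines are changed paths
            cur["files"].append(line.strip())
    return commits

def is_pipeline_file(path):
    return any(p.match(path) for p in PIPELINE_PATTERNS)

def unreviewed_pipeline_changes(commits):
    """Flag pipeline-config changes with no evidence of review: no merge parent, no PR number."""
    flagged = []
    for c in commits:
        touched = [f for f in c["files"] if is_pipeline_file(f)]
        reviewed = len(c["parents"]) > 1 or bool(PR_REF.search(c["subject"]))
        if touched and not reviewed:
            flagged.append((c["sha"], touched))
    return flagged

# Constructed sample in the format above (not a real repository; git's blank separators omitted).
SAMPLE_LOG = """commit aaaa1
parents 1111 2222
subject Merge pull request #41 from org/harden-ci
.github/workflows/build.yml
commit bbbb2
parents 3333
subject hotfix: skip flaky tests (#42)
.github/workflows/build.yml
commit cccc3
parents 4444
subject quick fix to deploy workflow
.github/workflows/deploy.yml
README.md
"""
```

Run against `git log --first-parent` output for the default branch; only `cccc3` is reported for the sample, since it touched a workflow file as a direct single-parent push with no pull request reference.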
References:
GitHub Actions Workflow Files: https://docs.github.com/en/actions/using-workflows
GitLab CI/CD Pipeline Configuration: https://docs.gitlab.com/ee/ci/yaml/
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/