Profile Applicability:
Level 1
Description:
All components of the pipeline infrastructure and configuration—including build agents, scripts, environment settings, and deployment configurations—must be managed as immutable artifacts. This means that once deployed or configured, these elements should not be altered in place; instead, any changes must be implemented by replacing or redeploying new versions. Immutability ensures consistency, repeatability, and security in pipeline operations.
Rationale:
Immutability prevents configuration drift and unauthorized changes that could introduce vulnerabilities or inconsistencies. By enforcing immutable pipeline components, organizations can achieve reliable, auditable, and secure CI/CD processes that are easier to maintain and troubleshoot.
Impact:
Pros:
Enhances consistency and reliability of pipeline executions.
Reduces risk of unauthorized or accidental modifications.
Simplifies rollback and disaster recovery.
Supports compliance with security and audit requirements.
Cons:
Requires disciplined change management and tooling support.
May increase resource usage due to redeployment of new instances.
Default value:
Pipeline infrastructure and configuration are often mutable by default, allowing in-place changes that may cause drift.
Audit:
Review pipeline management practices to confirm that pipeline configuration and infrastructure are versioned and redeployed rather than modified in place: compare the running state of build agents, scripts and pipeline definitions against the versioned artifacts they were deployed from, and inspect change and access logs for modifications that have no corresponding commit or deployment record.
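One way to carry out the audit above, as an added example that is not part of the benchmark text: record a SHA-256 inventory of the deployed pipeline files at deployment time, then compare the current state against it so that anything modified, added or removed in place is flagged. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large artifacts are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hash_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}

def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare the deployment-time inventory with the current one; any non-empty
    list means a component changed in place instead of being redeployed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: snapshot a deployed pipeline tree, then simulate an
    in-place edit, an unmanaged script drop-in and a deleted component."""
    root = tempfile.mkdtemp(prefix="pipeline-")
    files = {"config/.gitlab-ci.yml": "stages: [build, test]\n",
             "scripts/build.sh": "#!/bin/sh\nmake all\n",
             "scripts/deploy.sh": "#!/bin/sh\nkubectl apply -f k8s/\n"}
    for rel, text in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text)
    baseline = inventory(root)  # recorded when the components were deployed
    Path(root, "scripts/build.sh").write_text("#!/bin/sh\nmake all\nmake package\n")  # edited in place
    Path(root, "scripts/hotfix.sh").write_text("#!/bin/sh\necho hotfix\n")  # added outside version control
    Path(root, "scripts/deploy.sh").unlink()  # removed without redeployment
    return detect_drift(baseline, inventory(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"DRIFT {kind}: {rel}")
```

In practice the baseline would be written by the deployment job and stored alongside the version-controlled definition, and the comparison run on a schedule or before each pipeline execution.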
Remediation:
Adopt infrastructure-as-code and pipeline-as-code practices with version control. Automate deployment of pipeline components to enforce immutability. Train teams on the importance and implementation of immutable infrastructure principles.
References:
Immutable Infrastructure Concept (Martin Fowler): https://martinfowler.com/bliki/ImmutableServer.html
GitLab CI/CD Pipeline as Code (GitLab Docs): https://docs.gitlab.com/ee/ci/yaml/
CIS Controls v8, Control 16 - Application Software Security (CIS): https://www.cisecurity.org/controls/application-software-security/