Reference Architecture · DevSecOps

DevSecOps SLSA L3+ Paved Path.

Trunk-based CI/CD with signed provenance, workload identity, SBOM-to-owner alerting, and policy-as-code admission. Aligned to NIST SSDF (SP 800-218), SLSA v1.0, EO 14028 / CISA Secure-by-Design, and APRA CPS 234.

[Architecture diagram: DevSecOps SLSA L3+ Paved Path, reference architecture v1.0]

Pipeline, left to right:
  SOURCE: trunk-based PR · ADR · IDE security feedback · signed commits
  CI BUILD: hermetic · SAST · DAST · SCA · unit + integration tests
  ARTEFACT: SBOM + sign · CycloneDX/SPDX · in-toto · Cosign
  REGISTRY: OCI · signed · immutable tags · provenance attached
  DEPLOY: verified at admission · OPA/Kyverno · OIDC · canary + auto-rollback

Planes spanning every stage:
  POLICY-AS-CODE PLANE (enforced at every stage): OPA · Kyverno · Conftest · Sentinel. Pre-merge (IaC lint) · pre-build (license/SBOM gates) · pre-deploy (provenance verify, signed image, no-public-egress).
  IDENTITY PLANE: workload identity (OIDC / SPIFFE). Zero static secrets in CI · short-lived tokens per stage. GitHub OIDC ↔ AWS IAM Roles · GCP WIF · Azure Federated Creds.
  SUPPLY-CHAIN PLANE: SBOM ⇒ graph ⇒ owner alerts. Syft / Trivy ⇒ GUAC / Dependency-Track. CISA KEV ↔ service owner notification <24h.
  SECURITY OBSERVABILITY PLANE: detection-as-code · SIEM · runtime (eBPF) · MITRE ATT&CK aligned. Falco · Sysdig · Splunk · Sentinel · Wiz / Aqua · Tetragon · purple-teamed continuously.

Shared substrate: OTel traces (build + deploy + runtime) · service catalogue + ownership · audit evidence retained. Audited against NIST SSDF · SLSA L3 · NIST SP 800-207 (Zero Trust) · APRA CPS 234 ¶13-26 · PCI DSS 4.0 · ISO 27001:2022. Backstage Scorecards · Cortex · OpsLevel surface posture per service per team.

What this architecture solves.

The paved path that a new service follows from zero to audited production. Every gate is encoded; every artefact is signed; every credential is short-lived; every CVE alert reaches the service owner without human routing.

An org with this paved path in place will score in “Managed” or “Optimising” on the DevSecOps Maturity diagnostic by construction.

Pipeline stages.

S1 · Source — trunk-based

Short-lived branches, signed commits, ADR per material change.

Trunk-based development; PRs merged in hours, not weeks. IDE-level security feedback (Snyk Code, GitGuardian, JetBrains/VS Code plugins) catches secrets and obvious flaws before push. Signed commits enable the integrity chain from author to deploy.

S2 · CI Build — hermetic

Tamper-evident build hosts.

SLSA v1.0 Build L3 requires an isolated build platform: each build runs in an ephemeral environment with no human-writable state, cannot influence or be influenced by other builds, and has no access to the key that signs provenance, so the build itself cannot forge its own attestation. This path goes one step further and makes the build hermetic: every dependency is resolved and pinned before the build starts, and the build has no network access while it runs. SAST, DAST and SCA run as required gates; a KEV-listed CVE in any dependency breaks the build.

S3 · Artefact — SBOM + sign

Provenance attached at build, not after.

CycloneDX or SPDX SBOM emitted per artefact. SLSA provenance is generated by the build platform, not by the build job it describes, as an in-toto Statement carrying the https://slsa.dev/provenance/v1 predicate (subject = the image digest; builder id, source ref and resolved dependencies in the predicate) and signed with Cosign; the SBOM is attached as a second attestation. Both are stored in the registry alongside the image, keyed to its digest, so a verifier fetches them by the same digest it is about to deploy.

S4 · Registry — immutable, signed

Tags are immutable; digests are the deploy reference.

OCI-compliant registry with immutable tags. Deploys reference image digests, never floating tags. Old signed artefacts retained for audit replay.

S5 · Deploy — verified at admission

Provenance verified, policy enforced, canary released.

OPA / Kyverno admission controller verifies signature + provenance + policy compliance before the workload runs. Workload identity (OIDC) gives the new pod its runtime credentials. Canary + auto-rollback on burn-rate (see Error Budget calculator).
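The admission decision in S5 rests on three checks that S3 and S4 make possible: the deploy reference is a digest, the attestation's subject is that digest, and the provenance names a trusted builder and a trunk build of the expected repository. The following is an added example, not code from the page or from Cosign, OPA or Kyverno: it models the policy logic those tools evaluate after Cosign has verified the attestation signature. The builder id, repository, registry name, digests and commit are all assumed values constructed for the example.

```python
from __future__ import annotations

import copy
import re
from typing import Any

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Policy parameters. These are assumptions for the example, not values from the
# page: a real policy carries the org's own builder id and source repository.
ALLOWED_BUILDER_IDS = {"https://ci.example.internal/builders/hermetic-l3"}
EXPECTED_SOURCE_URI = "git+https://github.com/example-org/payments-api"
TRUNK_REF = "refs/heads/main"

_DIGEST_REF = re.compile(r"^(?P<name>[^@\s]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def parse_digest_ref(image_ref: str) -> tuple[str, str]:
    """Accept only digest-pinned OCI references (S4): name@sha256:<64 hex>.
    A floating tag such as registry.example.internal/app:1.4 is rejected."""
    m = _DIGEST_REF.match(image_ref)
    if m is None:
        raise ValueError(f"deploy reference is not digest-pinned: {image_ref}")
    return m["name"], m["digest"]


def check_provenance(statement: dict[str, Any], image_ref: str) -> list[str]:
    """Return the policy violations for one workload image; [] means admit.

    Assumes Cosign has already verified the attestation signature against the
    trusted signing identity. This is the policy layer on top of that check."""
    try:
        _, digest = parse_digest_ref(image_ref)
    except ValueError as exc:
        return [str(exc)]

    violations: list[str] = []
    if statement.get("_type") != STATEMENT_TYPE:
        violations.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        violations.append("predicateType is not SLSA provenance v1")

    # 1. The attestation must describe *this* image: match by digest, not name.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        violations.append("subject digest does not match deployed image digest")

    predicate = statement.get("predicate", {})

    # 2. Provenance must come from a trusted, isolated builder (SLSA L3).
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in ALLOWED_BUILDER_IDS:
        violations.append(f"untrusted builder id: {builder_id!r}")

    # 3. The source must be the expected repository, built from trunk, pinned
    #    to a commit. resolvedDependencies is where SLSA v1 records the inputs.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri", "").startswith(EXPECTED_SOURCE_URI + "@")]
    if not sources:
        violations.append("no resolvedDependencies entry for the expected source repo")
    elif not sources[0]["uri"].endswith("@" + TRUNK_REF):
        violations.append(f"built from non-trunk ref: {sources[0]['uri']}")
    elif "gitCommit" not in sources[0].get("digest", {}):
        violations.append("source entry carries no gitCommit digest")
    return violations


# Constructed sample data (not real images or commits).
GOOD_DIGEST = "a" * 64
GOOD_REF = f"registry.example.internal/payments-api@sha256:{GOOD_DIGEST}"
GOOD_STATEMENT: dict[str, Any] = {
    "_type": STATEMENT_TYPE,
    "predicateType": SLSA_V1_PREDICATE,
    "subject": [{"name": "registry.example.internal/payments-api",
                 "digest": {"sha256": GOOD_DIGEST}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.internal/buildtypes/container/v1",
            "externalParameters": {"ref": TRUNK_REF},
            "resolvedDependencies": [
                {"uri": f"{EXPECTED_SOURCE_URI}@{TRUNK_REF}",
                 "digest": {"gitCommit": "0" * 40}},
            ],
        },
        "runDetails": {"builder": {"id": "https://ci.example.internal/builders/hermetic-l3"}},
    },
}

# Same image digest, but the provenance claims a laptop build from a feature branch.
TAMPERED_STATEMENT = copy.deepcopy(GOOD_STATEMENT)
TAMPERED_STATEMENT["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example.internal/docker"
TAMPERED_STATEMENT["predicate"]["buildDefinition"]["resolvedDependencies"][0]["uri"] = (
    f"{EXPECTED_SOURCE_URI}@refs/heads/feature/hotfix")

if __name__ == "__main__":
    for label, stmt, ref in [("trunk build", GOOD_STATEMENT, GOOD_REF),
                             ("tampered", TAMPERED_STATEMENT, GOOD_REF),
                             ("tag ref", GOOD_STATEMENT, "registry.example.internal/payments-api:1.4")]:
        v = check_provenance(stmt, ref)
        print(f"{label}: {'ADMIT' if not v else 'DENY ' + '; '.join(v)}")
```

The digest check is the one that makes immutable tags matter: a tag can be repointed after signing, a digest cannot, so the attestation is only meaningful when the deploy reference and the subject are both digests. The tampered statement is denied twice over (untrusted builder, non-trunk ref) even though its subject digest is correct.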

The three planes that span the pipeline.

  • Policy-as-code plane — OPA / Kyverno / Conftest / Sentinel, enforced pre-merge, pre-build and pre-deploy. The encoded version of your security and architecture principles.
  • Identity plane — workload identity (OIDC, SPIFFE) replacing static credentials at every boundary. CI runners, build hosts, runtime pods all use short-lived tokens.
  • Supply-chain plane — SBOM ⇒ graph (GUAC, Dependency-Track) ⇒ owner alerts via CISA KEV feed. Every CVE finds its service owner without human routing.
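The supply-chain plane is a join: scanner findings against the KEV list, then against the service catalogue, with the 24-hour clock starting at detection. As an added example (not code from the page, Dependency-Track, GUAC or Trivy), the block below performs that join over constructed inputs. The scan records are shaped like Trivy's JSON report, the KEV excerpt follows the field names of CISA's known_exploited_vulnerabilities.json feed, and the catalogue stands in for Backstage/Cortex/OpsLevel. CVE-2021-44228 is a real KEV entry; the image names, teams and channels are assumptions, and CVE-0000-0001 is a placeholder id used only to exercise the non-KEV path.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Iterator

KEV_NOTIFY_SLA = timedelta(hours=24)

# Constructed excerpt of the CISA KEV catalogue (field names follow the
# known_exploited_vulnerabilities.json feed). CVE-2021-44228 is a real entry.
KEV_FEED: dict[str, Any] = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"},
]}

# Constructed service catalogue: image -> owning team and alert channel.
# In the paved path this comes from Backstage / Cortex / OpsLevel.
SERVICE_CATALOGUE: dict[str, dict[str, str]] = {
    "registry.example.internal/payments-api": {"owner": "team-payments", "channel": "#payments-oncall"},
    "registry.example.internal/notify-worker": {"owner": "team-comms", "channel": "#comms-oncall"},
}

# Constructed scanner output per image, shaped like Trivy's JSON report.
# CVE-0000-0001 is a placeholder id used only to show the non-KEV path.
SCANS: dict[str, dict[str, Any]] = {
    "registry.example.internal/payments-api": {"Results": [{
        "Target": "Java", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
             "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"}]}]},
    "registry.example.internal/notify-worker": {"Results": [{
        "Target": "Python", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"}]}]},
    # Image with a KEV hit but no catalogue entry: the ownership-gap case.
    "registry.example.internal/legacy-batch": {"Results": [{
        "Target": "Java", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
             "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"}]}]},
}

# Fixed detection time so the example output is reproducible.
EXAMPLE_DETECTED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Alert:
    image: str
    cve: str
    package: str
    installed: str
    fixed: str
    owner: str
    channel: str
    due_by: str  # ISO-8601; detection time + 24h SLA


def kev_ids(feed: dict[str, Any]) -> set[str]:
    """Set of CVE ids currently on the KEV list."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def findings(scan: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Flatten a Trivy-style report into its vulnerability records."""
    for result in scan.get("Results", []):
        yield from result.get("Vulnerabilities") or []


def route_kev_alerts(scans: dict[str, dict[str, Any]], feed: dict[str, Any],
                     catalogue: dict[str, dict[str, str]], now: datetime) -> tuple[list[Alert], list[str]]:
    """Join scan findings against KEV and the service catalogue.

    Returns (alerts, unowned): one Alert per KEV hit that has a service owner,
    plus the images with KEV hits that no team owns. Non-KEV findings stay in
    the normal SCA backlog; unowned KEV hits must escalate to the platform team
    rather than disappear, because nobody else will see them."""
    kev = kev_ids(feed)
    due_by = (now + KEV_NOTIFY_SLA).isoformat()
    alerts: list[Alert] = []
    unowned: list[str] = []
    for image, scan in scans.items():
        hits = [f for f in findings(scan) if f["VulnerabilityID"] in kev]
        if not hits:
            continue
        owner = catalogue.get(image)
        if owner is None:
            unowned.append(image)
            continue
        for f in hits:
            alerts.append(Alert(image, f["VulnerabilityID"], f["PkgName"], f["InstalledVersion"],
                                f.get("FixedVersion", ""), owner["owner"], owner["channel"], due_by))
    return alerts, unowned


if __name__ == "__main__":
    alerts, unowned = route_kev_alerts(SCANS, KEV_FEED, SERVICE_CATALOGUE, EXAMPLE_DETECTED_AT)
    for a in alerts:
        print(f"{a.channel}: {a.cve} in {a.package} {a.installed} (fix {a.fixed}) on {a.image}; fix by {a.due_by}")
    for image in unowned:
        print(f"ESCALATE platform-team: KEV hit on unowned image {image}")
```

The unowned list is the part teams most often leave out: the "<24h to the owner" promise only holds for images that exist in the catalogue, so an image with a KEV hit and no owner is itself a finding, and the paved path should treat a missing catalogue entry as a build or admission failure rather than a silent miss.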

Sequencing for a 90‑day adoption.

  1. Weeks 1-3: One pipeline migrates to workload identity (OIDC). Document the pattern.
  2. Weeks 4-6: SBOM emission + Dependency-Track + owner-alert wiring. Same pipeline.
  3. Weeks 7-9: Cosign signing of images plus a signed SLSA provenance attestation, verified at admission. Signed provenance from a hosted build platform is SLSA Build L2; L3 follows once the build runs on the isolated, ephemeral runners described in S2 and provenance is generated by the platform rather than by the job.
  4. Weeks 10-12: Policy-as-code gates for two non-negotiable rules (no-public-S3, signed-image-only). Backstage Scorecards visible to teams.
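Step 1 of the plan and the identity plane both hinge on the trust policy that binds a cloud role to a CI workload identity, and the most common mistake is a subject pattern wide enough that any workflow in the org (or any pull request) can assume the role. The block below is an added example, not code from the page or from AWS or GitHub: it models how STS evaluates the StringEquals/StringLike conditions of an AssumeRoleWithWebIdentity trust policy against GitHub Actions OIDC token claims, and compares a policy pinned to one repository's trunk with the loose `repo:org/*` shortcut. The account id is the AWS documentation placeholder; repository names and branches are assumptions, and the claims are a constructed subset of what GitHub issues.

```python
from __future__ import annotations

import re
from typing import Any

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one
    character, everything else is literal (fnmatch's [] classes do not apply)."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.fullmatch("".join(parts), value, re.DOTALL) is not None


def condition_holds(operator: str, key: str, expected: Any, claims: dict[str, Any]) -> bool:
    """Evaluate one condition entry. Keys look like '<issuer host>:<claim>'; the
    value may be a string or a list (any one value matching suffices). A missing
    claim fails closed, which is how STS treats a non-...IfExists operator."""
    claim_name = key.split(":", 1)[1]
    actual = claims.get(claim_name)
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in candidates
    if operator == "StringLike":
        return any(iam_string_like(p, actual) for p in candidates)
    raise ValueError(f"operator not modelled in this example: {operator}")


def trust_policy_allows(policy: dict[str, Any], claims: dict[str, Any]) -> bool:
    """Would STS let a token with these claims assume the role? Mirrors the
    AssumeRoleWithWebIdentity evaluation: the token issuer must match the
    federated principal and every condition in some Allow statement must hold."""
    issuer_host = claims.get("iss", "").removeprefix("https://")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"]["Federated"].endswith("oidc-provider/" + issuer_host):
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_holds(op, key, exp, claims)
               for op, entries in conditions.items() for key, exp in entries.items()):
            return True
    return False


def github_trust_policy(sub_pattern: str) -> dict[str, Any]:
    """Trust policy for a role assumable from GitHub Actions. The account id is
    the AWS documentation placeholder; repo and branch are assumptions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": sub_pattern},
        }}]}


# Pinned to one repository's trunk: the paved-path policy.
STRICT_POLICY = github_trust_policy("repo:example-org/payments-api:ref:refs/heads/main")
# Common shortcut: any workflow in any repository of the org can assume the role.
LOOSE_POLICY = github_trust_policy("repo:example-org/*")


def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict[str, Any]:
    """Constructed subset of the claims GitHub puts in an Actions OIDC token."""
    return {"iss": f"https://{GITHUB_OIDC_ISSUER}", "sub": sub, "aud": aud,
            "repository": sub.split(":")[1]}


MAIN_TOKEN = github_claims("repo:example-org/payments-api:ref:refs/heads/main")
FEATURE_TOKEN = github_claims("repo:example-org/payments-api:ref:refs/heads/feature/hotfix")
PR_TOKEN = github_claims("repo:example-org/sandbox:pull_request")
# GitHub's default audience when the workflow does not request one explicitly.
DEFAULT_AUD_TOKEN = github_claims("repo:example-org/payments-api:ref:refs/heads/main",
                                  aud="https://github.com/example-org")

if __name__ == "__main__":
    for name, tok in [("main", MAIN_TOKEN), ("feature", FEATURE_TOKEN),
                      ("sandbox PR", PR_TOKEN), ("default aud", DEFAULT_AUD_TOKEN)]:
        print(f"{name:12} strict={trust_policy_allows(STRICT_POLICY, tok)!s:5} "
              f"loose={trust_policy_allows(LOOSE_POLICY, tok)}")
```

The strict policy admits only the trunk build of the one repository; the loose policy admits the feature branch and a pull_request token from an unrelated sandbox repository in the same org, which is exactly the static-secret-equivalent blast radius the identity plane is meant to remove. Both reject a token minted with GitHub's default audience, so the `aud` condition is not optional: the workflow must request `sts.amazonaws.com` explicitly.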