Chapter 6. Checklist

Move from “works on my laptop” to “works for the org”.

Rollout & Governance

  • Scope: Which apps/teams adopt this first (pilot group)? What’s the rollout wave plan?
  • Ownership: Who owns Make targets, policies, and mirrors (Dev / Sec / Platform)?

Metrics & Reporting

  • KPIs: Which 3 numbers will you track? (e.g., High-severity vulnerabilities in release candidates, SLA compliance, time-to-fix)
  • Cadence: Weekly triage? Monthly ratchet review? Quarterly policy refresh?

CI/CD Migration

  • Mapping: Have you mapped Make targets to your CI (GitHub Actions/GitLab/Jenkins)?
  • Runners: Who maintains runner images (tooling versions aligned with local Make)?

Training & Culture

  • Training gaps: Does your team need OWASP Top 10 / Secure Coding refreshers?
  • Playbooks: Do you have incident and “deny at admission” runbooks?

Budget & Tools

  • Costs: Any paid tools needed now? If not, what will trigger a purchase later (scale, SLA)?
  • Key management: Where do cosign keys live (HSM/KMS)? Rotation schedule?

Audits & Evidence

  • Evidence path: Where do ./artifacts and evidence ZIPs live for audit?
  • Third-party requests: Can you produce SBOMs/signature bundles for customers on demand?

Resilience & Risk

  • Backups: Are mirrors, keys, policies, and artifact stores backed up & recoverable?
  • Bus factor: If one maintainer is out, who can run the release and fix the gates?

Backlog & Evolution

  • Next steps: Provenance (SLSA), commit signing, Renovate/Dependabot, External Secrets, kube-bench — what’s next and when?
  • De-risk: Which area feels riskiest today (people/process/tech)? What’s the first experiment to address it?