Replace placeholders like {{TEAM}}, {{OWNER}}, and tune responsibilities to match your org.
Scope & Assumptions
- Pipeline contract: Makefile targets (`make ci`, `make cd`, gates, evidence ZIP).
- Cluster: Minikube locally; the same controls map to CI/staging/prod.
- Evidence: all scanners and policies write to `./artifacts`.
Legend: R = Responsible (does the work) · A = Accountable (owns the outcome) · C = Consulted · I = Informed
Dev Controls & Supply Chain
| Control / Activity | Dev ({{TEAM}}) | Security ({{TEAM}}) | Platform/Ops ({{TEAM}}) | Notes |
|---|---|---|---|---|
| Secrets scanning (TruffleHog) – fix verified hits | R | A | I | Pre-commit hooks optional; verified secrets block the build |
| SAST (Semgrep) – remediate curated High/Critical | R | A | I | Curated ruleset maintained by Security |
| Dockerfile lint (Hadolint) | R | A | I | Style/safety; warn by default |
| IaC scan (Checkov) – high-risk fails | R | A | C | Security defines “fail” checks; Ops consulted |
| SBOM generation (Syft) | R | A | I | Required for releases |
| Image SCA (Trivy) – gate on severity | R | A | C | Gate policy set by Security |
| License policy – deny list | R | A | C | Legal may be consulted |
| Golden base images – curate & pin digests | I | A | R | Ops builds/maintains base images |
| Artifact signing (Cosign) – key mgmt | I | A | R | Keys in KMS/HSM; rotation by Ops |
| Promotion on pass | R | A | R | Implemented in CI; Make parity |
Kubernetes Admission & Runtime
| Control / Activity | Dev | Security | Platform/Ops | Notes |
|---|---|---|---|---|
| Kyverno policies – DENY (no privileged, drop caps, seccomp, runAsNonRoot, probes) | I | A | R | Security authors; Ops applies & monitors |
| Kyverno verifyImages (Cosign pubkey) | I | A | R | Admission requires signatures for org images |
| Pod Security labels (restricted) | I | A | R | Namespace labels owned by Ops |
| RBAC least privilege (SA/Role/Binding) | R | A | R | Dev proposes verbs; Security approves; Ops applies |
| NetworkPolicies (default deny + DNS egress + app ingress) | C | A | R | Dev supplies ports; Ops applies |
| Ingress/WAF demo | C | A | R | Optional; aligns with app routes |
| Falco runtime signals | I | A | R | Alerts routed to SOC/Slack |
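As an added example (not manifests from the original page or from the pipeline it describes), here are the verifyImages, Pod Security label, and NetworkPolicy rows above as concrete Kubernetes manifests. Assumed names, to be replaced like the page's {{...}} placeholders: namespace `payments`, pod label `app=payments-api`, container port 8080, org registry `registry.example.com`, ingress controller in namespace `ingress-nginx`; Kyverno is assumed to be installed, and the Cosign public key is the one exported from the KMS/HSM key the table assigns to Ops.

```yaml
# Added example manifests; not the original page's or project's code.
# Assumed names (replace like the page's {{...}} placeholders): namespace "payments",
# pod label app=payments-api, container port 8080, org registry "registry.example.com",
# ingress controller in namespace "ingress-nginx". Kyverno must already be installed.

# 1. Kyverno verifyImages: admission rejects org images lacking a valid Cosign signature.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-org-image-signatures
spec:
  validationFailureAction: Enforce  # Audit would only log; the table says admission "requires"
  background: false                 # signature checks happen at admission, not in background scans
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"  # only org images; third-party images need their own rule
          required: true
          mutateDigest: true            # rewrite tag -> digest so the verified image is what runs
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <paste output of: cosign public-key --key <KMS/HSM key ref>>
                      -----END PUBLIC KEY-----
---
# 2. Pod Security Admission: enforce the restricted profile on the app namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
# 3a. Default deny: no ingress or egress for any pod unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 3b. DNS egress: without this, default deny silently breaks name resolution for every pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # CoreDNS pods on Minikube/kubeadm clusters
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# 3c. App ingress: only the ingress controller may reach the app, only on its service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - { protocol: TCP, port: 8080 }
```

Two caveats for the Minikube setup the page assumes: Minikube's default CNI does not enforce NetworkPolicy, so start the cluster with a policy-capable CNI (for example `minikube start --cni=calico`) or the default-deny policy will pass every test while doing nothing; and the `namespaceSelector` entries rely on the `kubernetes.io/metadata.name` label, which the API server sets automatically on Kubernetes 1.21 and later. To check the admission gate, run a pod from an unsigned `registry.example.com/...` image and confirm the API server rejects it with a Kyverno signature error.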
Process & Governance
| Process | Dev | Security | Platform/Ops | Notes |
|---|---|---|---|---|
| Triage & SLAs | R (own code) | A (policy & coaching) | C | Critical ≤7d, High ≤30d, Medium ≤90d |
| Exception register (time-boxed) | R | A | C | Expiry + rationale required |
| Evidence ZIPs | R | A | C | Produced per build; archived centrally |
| Metrics/KPIs | C | A/R | C | High vulns in RC; SLA compliance; time-to-fix |
| Training (OWASP, secure coding) | R (attend/apply) | A (program) | C | Mapped to real findings |
| Incident response (security defects) | R | A | C | Links to IR playbooks |
Owners
- Security lead (A): {{OWNER}} · Backup: {{OWNER}}
- Platform/Ops lead (A/R): {{OWNER}} · Backup: {{OWNER}}
- Service owner(s) (R): {{OWNER}}
Review Cadence
- Weekly: 15-min findings triage (Dev + Security).
- Monthly: Ratchet review (thresholds/gates).
- Quarterly: Policy refresh (Kyverno, RBAC, NetPol).
Sign-off
- Effective date: ________
- Approved by (Security): ____________________
- Approved by (Platform/Ops): ________________
- Approved by (Engineering): ________________