# CI/CD and Software Supply Chain Security

![CI/CD and Software Supply Chain Security](/files/JwtxBwDNzGIZFPIQhFiG)

> **Section focus:** CI/CD and Software Supply Chain Security.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page                                                                                                                                                                                                                              | Why open it first                                                                                        |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| [GitLab CI YAML Deep Dive](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-yaml-deep-dive.md)                                                                                                                                  | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md)                                                                                            | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md)                                                                                                        | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Protected Environments and Deployment Approvals](/devsecops-cicd-and-supply-chain/index-1/protected-environments-and-deployment-approvals.md)                                                                                    | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Reusable GitLab Includes and Components](/devsecops-cicd-and-supply-chain/index-1/reusable-gitlab-includes-and-components.md)                                                                                                    | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Gate Aggregation Scripts](/devsecops-cicd-and-supply-chain/index-1/gate-aggregation-scripts.md)                                                                                                                                  | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [GitLab Release Evidence](/devsecops-cicd-and-supply-chain/index-1/gitlab-release-evidence.md)                                                                                                                                    | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [Argo CD AppProject and Sync Windows](/devsecops-cicd-and-supply-chain/index-1/argocd-appproject-and-sync-windows.md)                                                                                                             | High-value page inside **CI/CD and Software Supply Chain Security**.                                     |
| [🚦 SonarQube CI, PR Analysis, Quality Gates, and External Issues](/devsecops-cicd-and-supply-chain/index-1/sonarqube-ci-pr-analysis-quality-gates-and-external-issues.md)                                                        | Modern CI pattern for new-code gating, SARIF-aware aggregation, and practical Sonar workflows.           |
| [🛣️ Commit to Deployment Security Control Plane](/devsecops-cicd-and-supply-chain/index-1/commit-to-deploy-security-repository-pipeline-runners-secrets-approvals-provenance-and-release-contr.md)                               | End-to-end map of repository, pipeline, runner, secret, provenance, and release controls.                |
| [🚦 Release Governance — Security Sign-Off, Quality Gates, Acceptance Criteria, and Escalation](/devsecops-cicd-and-supply-chain/index-1/release-governance-security-signoff-quality-gates-acceptance-criteria-and-escalation.md) | Turns release sign-off into an evidence-backed governance flow with blocking rules and escalation paths. |
| [🧱 Secure Build Factory / Artifact Signing / Deployment Approval Evidence Pack](/devsecops-cicd-and-supply-chain/index-1/secure-build-factory-artifact-signing-and-deployment-approval-evidence-pack.md)                         | High-value page for auditable build integrity, signing, provenance, and promotion evidence.              |
| [🧰 Custom Security Toolbox Container for Post-Build Tests](/devsecops-cicd-and-supply-chain/index-1/custom-security-toolbox-container-for-post-build-tests.md)                                                                   | Demonstrates how to bundle several scanners into one reproducible post-build container image.            |

### Related sections

* [API Security](/architecture-api-crypto-and-identity/index.md)
* [Infrastructure and Cloud Security](/cloud-kubernetes-and-infrastructure-security/index.md)

***

> **Intro:** The release system is a security boundary. This section covers the control plane around pipelines, runners, approvals, release evidence, secret scanning, and the ways teams make security decisions in the flow of delivery.
>
> **What this page includes**
>
> * GitLab pipeline structure and reusable components
> * quality gates, release evidence, and approvals
> * SonarQube PR analysis, CI quality-gate waiting, and external-issue ingestion
> * DefectDojo integrations and secret scanning gates
> * cross-links into new identity, detection, and third-party trust sections

### 🚦 Core pages in this section

* [GitLab CI YAML Deep Dive](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-yaml-deep-dive.md)
* [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md)
* [Runner Isolation and Trust Boundaries](/devsecops-cicd-and-supply-chain/index-1/runner-isolation-and-trust-boundaries.md)
* [Protected Environments and Deployment Approvals](/devsecops-cicd-and-supply-chain/index-1/protected-environments-and-deployment-approvals.md)
* [Reusable GitLab Includes and Components](/devsecops-cicd-and-supply-chain/index-1/reusable-gitlab-includes-and-components.md)
* [Gate Aggregation Scripts](/devsecops-cicd-and-supply-chain/index-1/gate-aggregation-scripts.md)
* [GitLab Release Evidence](/devsecops-cicd-and-supply-chain/index-1/gitlab-release-evidence.md)
* [Argo CD AppProject and Sync Windows](/devsecops-cicd-and-supply-chain/index-1/argocd-appproject-and-sync-windows.md)
* [DefectDojo Integration Patterns](/devsecops-cicd-and-supply-chain/index-1/defectdojo-integration-patterns.md)
* [GitLab System Security Baseline](/devsecops-cicd-and-supply-chain/index-1/gitlab-system-security-baseline.md)
* [🧾 Repository Governance — CODEOWNERS, SECURITY.md, and Default Files](/devsecops-cicd-and-supply-chain/index-1/repository-governance-codeowners-security-md-and-default-files.md)
* [🔐 Secret Scanning in Quality Gates](/devsecops-cicd-and-supply-chain/index-1/secret-scanning-quality-gates.md)
* [📱 Mobile Testing Quality Gates and DefectDojo Integration](/devsecops-cicd-and-supply-chain/index-1/mobile-testing-quality-gates-and-defectdojo.md)
* [🕷️ OWASP ZAP in the Real World: Tuning, Reports, and Quality Gates](/devsecops-cicd-and-supply-chain/index-1/owasp-zap-practical-tuning-and-report-analysis.md)
* [🔐 OWASP ZAP Authenticated Scanning and Session Management](/devsecops-cicd-and-supply-chain/index-1/owasp-zap-authenticated-scanning-and-session-management.md)
* [🧭 OWASP ZAP and DAST Modernization Patterns](/devsecops-cicd-and-supply-chain/index-1/owasp-zap-dast-modernization-patterns.md)
* [🧪 OWASP ZAP for APIs, Automation Framework, and OAST — Modern Practice](/devsecops-cicd-and-supply-chain/index-1/owasp-zap-api-automation-oast-modern-practice.md)
* [🦊 GitLab Top 10 Misconfigurations](/devsecops-cicd-and-supply-chain/index-1/gitlab-top-10-misconfigurations.md)
* [📦 Software Supply Chain Foundations](/devsecops-cicd-and-supply-chain/index-1/software-supply-chain-foundations.md)
* [🧾 SCA, SBOM, and Supply Chain Tooling — Legacy vs Current](/devsecops-cicd-and-supply-chain/index-1/sca-sbom-and-supply-chain-tooling-legacy-vs-current.md)
* [✍️ Signing, Attestation, and Verification — Legacy vs Current](/devsecops-cicd-and-supply-chain/index-1/signing-attestation-and-verification-legacy-vs-current.md)
* [🔗 Chainloop and Supply Chain Evidence](/devsecops-cicd-and-supply-chain/index-1/chainloop-and-supply-chain-evidence.md)
* [🧰 Jenkins Server Security Hardening and Top 10 Issues](/devsecops-cicd-and-supply-chain/index-1/jenkins-server-security-hardening-and-top-10-issues.md)
* [🐙 GitHub Actions for Product Security](/devsecops-cicd-and-supply-chain/index-1/github-actions-for-product-security.md)
* [📦 Local Artifact Repository Scanning and JFrog Xray](/devsecops-cicd-and-supply-chain/index-1/local-artifact-repository-scanning-and-jfrog-xray.md)
* [🏗️ Harbor Registry Hardening](/devsecops-cicd-and-supply-chain/index-1/harbor-registry-hardening.md)
* [🏃 Self-Hosted Runners Security Review Pack](/devsecops-cicd-and-supply-chain/index-1/self-hosted-runners-security-review-pack.md)
* [🦊 GitLab CI/CD Modern Security Patterns](/devsecops-cicd-and-supply-chain/index-1/gitlab-ci-cd-modern-security-patterns.md)
* [🤖 Security Automation Controllers — AWX, Jenkins, and Rundeck Patterns](/devsecops-cicd-and-supply-chain/index-1/ansible-awx-jenkins-rundeck-security-automation-patterns.md)
* [🚦 SonarQube CI, PR Analysis, Quality Gates, and External Issues](/devsecops-cicd-and-supply-chain/index-1/sonarqube-ci-pr-analysis-quality-gates-and-external-issues.md)
* [🛣️ Commit to Deployment Security Control Plane](/devsecops-cicd-and-supply-chain/index-1/commit-to-deploy-security-repository-pipeline-runners-secrets-approvals-provenance-and-release-contr.md)
* [🚦 Release Governance — Security Sign-Off, Quality Gates, Acceptance Criteria, and Escalation](/devsecops-cicd-and-supply-chain/index-1/release-governance-security-signoff-quality-gates-acceptance-criteria-and-escalation.md)
* [🧱 Secure Build Factory / Artifact Signing / Deployment Approval Evidence Pack](/devsecops-cicd-and-supply-chain/index-1/secure-build-factory-artifact-signing-and-deployment-approval-evidence-pack.md)
* [🧰 Custom Security Toolbox Container for Post-Build Tests](/devsecops-cicd-and-supply-chain/index-1/custom-security-toolbox-container-for-post-build-tests.md)
* [🔄 Dependency Updates — Renovate, Dependabot, Cadence, Controlled Rollout, and Compatibility Testing](/devsecops-cicd-and-supply-chain/index-1/dependency-updates-renovate-dependabot-cadence-controlled-rollout-and-compatibility-testing.md)

### Cross-links

* [🔐 Repository Secret Scanning](/application-security-and-secure-sdlc/index-1/repository-secret-scanning.md)
* [☁️ Infrastructure and Cloud Security](/cloud-kubernetes-and-infrastructure-security/index.md)
* [🪪 Identity and Platform Access](/architecture-api-crypto-and-identity/index-2.md)
* [🔌 Third-Party and Integration Security](/devsecops-cicd-and-supply-chain/index-2.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
