This application was built, scanned, signed, deployed, and tested by a 6-phase compliance-enabling CI/CD pipeline. Every commit triggers automated security checks across ten tools. Every release produces tamper-evident audit evidence mapped to DORA, NIS2, ISO 27001, SOC 2, and GDPR.
What you see below is not theory. It is the production pipeline that delivered this very webpage — documented in detail, end to end.
CyberForge built this pipeline as a working reference implementation of a compliance-enabling secure software supply chain.
The pipeline takes a Node.js application and runs it through six sequential phases. Each phase produces machine-readable evidence.
The pipeline is designed for three audiences:
The implementation uses GitHub Actions, Azure, and ten open-source security tools. Total monthly cost: ~$18–23 USD. Total static secrets: zero.
Three forces converged in 2024-2025 to make secure software supply chains a hard requirement.
DORA (Digital Operational Resilience Act) — Regulation EU 2022/2554, in force since January 17, 2025. Article 16 mandates an ICT risk management framework. Article 19 sets a 4-hour initial notification clock for major incidents.
NIS2 — Directive EU 2022/2555. Article 21 lists ten security measures. Penalties reach 2% of global annual turnover.
The threat is no longer theoretical. Recent incidents have made the build pipeline itself the high-value target:
Vendor security questionnaires now include 200+ questions. Companies without evidence packs lose 6–12 weeks per deal.
The pipeline implements a zero-trust supply chain.
Each tool covers a different threat surface.
Traditional CI/CD stores a long-lived service principal secret; OIDC federation eliminates it by exchanging a short-lived, GitHub-issued workflow token for cloud credentials.
In the federated credential's subject claim, the pull_request event is spelled with an underscore, not a hyphen.
When DAST detects a HIGH/CRITICAL finding, the workflow auto-creates a GitHub Issue carrying the following SLA.
Initial notification: submit within 4 hours of classification (or 24 hours from awareness, whichever comes first). Contents: incident reference, affected services, classification thresholds, EU member states involved.
Intermediate report: updated classification, investigation progress, preliminary root cause, recovery status, external forensics if engaged.
Final report: complete timeline, root cause analysis, final impact, lessons learned, remediation plan, evidence of actions taken.
| Article | Requirement | Pipeline Coverage |
|---|---|---|
| Art. 16.1.a | Documented ICT risk management framework | OPA policies, risk register, security gates, evidence pack |
| Art. 16.1.c | System-update and patching procedures | Trivy SCA, Renovate config, vulnerability management policy |
| Art. 16.1.d | Anomaly detection | Azure Monitor alerts, DAST auto-incident workflow |
| Art. 28 | ICT third-party / supply-chain risk | SBOM, Cosign signing, SLSA provenance, vendor risk register |
| Article | Requirement | Pipeline Coverage |
|---|---|---|
| Art. 21.2.b | Incident handling | Incident runbook, ICT issue template, DAST auto-incident with SLAs |
| Art. 21.2.d | Supply chain security | SBOM, signed image attestations, provenance, dependency scanning |
| Art. 21.2.e | Secure SDLC and acquisition | All Phase 1+2 controls — SAST, SCA, container scanning, mandatory code review |
| Art. 21.2.h | Cryptography policies | Cosign keyless signing, OIDC federation, TLS 1.2 minimum |
| Control | Title | Pipeline Evidence |
|---|---|---|
| A.8.4 | Access to source code | Branch protection, CODEOWNERS, signed commits, SHA256 manifest |
| A.8.9 | Configuration management | Terraform IaC, all infrastructure versioned, change tracked via PRs |
| A.8.25 | Secure development life cycle | Phases 1–6, OPA policies, security gates, mandatory test coverage |
| A.8.28 | Secure coding | CodeQL semantic analysis, MegaLinter, ZAP runtime testing |
| Criterion | Description | Pipeline Evidence |
|---|---|---|
| CC6.1 | Logical access controls | OIDC federation, branch protection, GitHub environment approvals, RBAC |
| CC7.1 | System monitoring | Log Analytics, Azure Monitor alerts, DAST findings, OPA evidence-completeness |
| CC8.1 | Change management | Git PRs, signed commits, branch protection 2 approvals, Terraform plans archived |
| PI1.1 | Processing integrity | Cosign signatures verifiable post-deploy, SHA256 manifest, OPA deployment-gate |
| Article | Requirement | Pipeline Evidence |
|---|---|---|
| Art. 5.1.c | Data minimisation | PII scanner blocks PESEL/phone/email; logs sanitised before archival |
| Art. 5.1.e | Storage limitation | Lifecycle deletes evidence after retention; deletion-schedule OPA policy |
| Art. 25 | Data protection by design | PII scanner, data-flow diagram, sanitisation, secure infra by default |
| Art. 28 | Processor / sub-processor | DPA compliance check tracking nine processors with status |
| Art. 30 | Records of processing | Data flow diagram, evidence pack metadata, vendor risk register |
$200 free credit covers ~30 days. Container Apps consumption scales to zero when idle.
| Resource | SKU | Purpose | Monthly (idle) |
|---|---|---|---|
| Azure Container Registry | Basic | Stores signed application images | ~$5.00 |
| Container Apps Environment | Consumption | Hosts the running app, scales to zero | ~$0–3 |
| Log Analytics Workspace | PerGB2018 | Container app logs, alert queries | ~$0.50 |
| Key Vault | Standard, RBAC + purge | Reserved for future runtime secrets | ~$0.00 |
| Storage Account (evidence) | LRS, blob versioning, WORM | Evidence pack archive (5-year retention) | ~$0.50 |
| Storage Account (tfstate) | LRS | Terraform remote state | ~$0.10 |
| Resource Group lock | CanNotDelete | Prevents accidental teardown | $0 |
Total: $6–8 idle, $18–23 active. Budget alert at 50/80/100%.
This is the table auditors scroll to first.
| Control | Tool | Phase | Evidence |
|---|---|---|---|
| Secret detection in commits | TruffleHog | 1 | security-report.json |
| IaC misconfiguration scanning | Checkov | 1 | checkov-results.sarif |
| Multi-language code quality | MegaLinter | 1 | workflow logs |
| Commit signature verification | github-script | 1 | workflow logs |
| PII pattern detection | regex | 1 | workflow logs |
| Dependency CVE scanning | Trivy fs | 2 | trivy-sca-results.json |
| SAST | CodeQL | 2 | codeql/javascript.sarif |
| Test coverage gate (≥80%) | Jest | 2 | coverage-summary.json |
| Container image build | Docker buildx | 2 | image digest |
| Container image CVE scan | Trivy image | 2 | trivy-image-results.json |
| Software Bill of Materials | Syft | 2 | sbom.cyclonedx.json |
| Image signing (keyless) | Cosign | 3 | cosign-verification.log |
| SBOM attestation | Cosign attest | 3 | OCI referrer |
| SLSA build provenance | attest-build-provenance | 3 | provenance.intoto.jsonl |
| OIDC authentication to cloud | azure/login | 4 | workflow logs |
| Pre-deploy signature verification | cosign verify | 4 | cosign-verification.log |
| Infrastructure-as-code apply | Terraform | 4 | terraform plan output |
| Health check after deploy | curl smoke test | 4 | workflow logs |
| Runtime vulnerability scanning | OWASP ZAP | 5 | zap-report.json |
| Auto-incident on critical findings | github-script | 5 | GitHub issue |
| PII sanitisation in logs | sanitize-logs.sh | 6 | sanitised artifacts |
| SHA256 integrity manifest | find + sha256sum | 6 | manifest.sha256 |
| Compliance matrix generation | generate-compliance-matrix.sh | 6 | compliance-matrix.json |
| HTML evidence report | generate-html-report.sh | 6 | evidence-report.html |
| WORM evidence archive | az storage blob upload | 6 | blob URI |
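The Phase 1 PII scanner and the Phase 6 log sanitiser (sanitize-logs.sh) in the table above work from the same three patterns, PESEL, phone and email. The shell below is an added example written for this page, not CyberForge's scripts: one pattern set used as a commit gate (`scan_pii`, which validates the PESEL checksum so arbitrary 11-digit numbers do not block commits) and as a log redactor (`sanitize_log`, which redacts conservatively because archived logs are kept for years). The phone format assumed is Polish (9 digits, optional +48), and the sample log line is constructed.

```shell
#!/usr/bin/env bash
# Added example (not CyberForge's scanner or sanitize-logs.sh): one set of PII
# patterns used as a commit gate and as a log redactor. Sample data is constructed.

EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
# Polish phone: 9 digits, optional +48, optional space/dash separators, bounded by
# non-digits so a 9-digit window inside a longer number is not reported.
PHONE_RE='(^|[^0-9])([+]48[ -]?)?[0-9]{3}[ -]?[0-9]{3}[ -]?[0-9]{3}([^0-9]|$)'

# PESEL (Polish national ID): 11 digits whose last digit is a checksum over the
# first ten with weights 1 3 7 9 1 3 7 9 1 3.
pesel_valid() {
  p=$1
  case "$p" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#p}" -eq 11 ] || return 1
  sum=0; i=1
  for w in 1 3 7 9 1 3 7 9 1 3; do
    d=$(printf '%s' "$p" | cut -c"$i")
    sum=$((sum + d * w))
    i=$((i + 1))
  done
  [ "$(( (10 - sum % 10) % 10 ))" -eq "$(printf '%s' "$p" | cut -c11)" ]
}

# Gate mode: read text on stdin, report each finding, return 1 if real PII is present.
scan_pii() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    if printf '%s\n' "$line" | grep -qE "$EMAIL_RE"; then
      echo "PII email: $line"; found=1
    fi
    if printf '%s\n' "$line" | grep -qE "$PHONE_RE"; then
      echo "PII phone: $line"; found=1
    fi
    for n in $(printf '%s\n' "$line" | grep -oE '[0-9]+' || true); do
      if pesel_valid "$n"; then
        echo "PII PESEL: $line"; found=1
      fi
    done
  done
  [ "$found" -eq 0 ]
}

# Redaction mode: every 11-digit run is treated as a PESEL candidate, checksum or
# not, because over-redacting an archived log is the safer failure.
sanitize_log() {
  sed -E \
    -e 's/'"$EMAIL_RE"'/[REDACTED-EMAIL]/g' \
    -e 's/(^|[^0-9])[0-9]{11}([^0-9]|$)/\1[REDACTED-PESEL]\2/g' \
    -e 's/'"$PHONE_RE"'/\1[REDACTED-PHONE]\3/g'
}

# Constructed sample log line; 44051401359 is a checksum-valid PESEL, 12345678901 is not.
SAMPLE_LOG='user=jan.kowalski@example.com pesel=44051401359 tel=+48 600 700 800 order=12345678901'

if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_LOG" | sanitize_log
  printf '%s\n' "$SAMPLE_LOG" | scan_pii || echo "gate: commit blocked"
fi
```

The two modes deliberately differ in strictness: a gate that blocks every 11-digit number generates noise developers learn to bypass, while a sanitiser that lets one real PESEL through into a 1825-day WORM archive cannot be corrected afterwards.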
The live status checks make real HTTP calls to the deployed application; the first request after idle takes 30–60 s (cold start).
Cosign-signed via GitHub OIDC + Sigstore Fulcio
Zero static secrets — OIDC federated
Everything above is just words; the verifiable proof is the deployment's image digest, signing certificate, and Rekor entry. All three are public, so anyone can independently confirm that this deployment came from the pipeline described above.
Run the displayed cosign verify command in a terminal with cosign installed. It validates the signature against the certificate identity and confirms that the image at that digest was signed by this exact pipeline.
The SBOM is attached to the image as a signed Sigstore attestation and can be fetched with cosign.
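The shell helper below is an added example, not the page's own command. It assembles that verification with the certificate identity pinned to one workflow file and ref (the SAN Fulcio issues for a GitHub Actions run) and the issuer pinned to GitHub's OIDC endpoint, and it refuses any image reference that is not an immutable digest. It also assembles the SBOM download through `cosign verify-attestation --type cyclonedx`, which assumes jq is installed to unwrap the DSSE envelope. The repository, workflow file name and digest are placeholders, not this deployment's values.

```shell
#!/usr/bin/env bash
# Added example (not the page's verification command): cosign verification pinned
# to an exact Fulcio identity and an immutable digest. Names and digest are placeholders.

GH_ISSUER='https://token.actions.githubusercontent.com'

# The SAN Fulcio puts in a GitHub Actions certificate: workflow path plus the ref that ran.
# usage: fulcio_identity <owner/repo> <workflow file> <git ref>
fulcio_identity() {
  printf 'https://github.com/%s/.github/workflows/%s@%s\n' "$1" "$2" "$3"
}

# A tag can be re-pointed after signing; only a digest names what was actually signed.
require_digest() {
  printf '%s' "$1" | grep -qE '@sha256:[0-9a-f]{64}$' \
    || { echo "refusing to verify a mutable reference: $1" >&2; return 1; }
}

# usage: cosign_verify_cmd <image@digest> <identity>
cosign_verify_cmd() {
  require_digest "$1" || return 1
  printf 'cosign verify --certificate-oidc-issuer %s --certificate-identity %s %s\n' \
    "$GH_ISSUER" "$2" "$1"
}

# Fetch the CycloneDX SBOM attestation and unwrap the DSSE payload (assumes jq).
# usage: sbom_download_cmd <image@digest> <identity>
sbom_download_cmd() {
  require_digest "$1" || return 1
  printf 'cosign verify-attestation --type cyclonedx --certificate-oidc-issuer %s --certificate-identity %s %s | jq -r .payload | base64 -d | jq .predicate > sbom.cyclonedx.json\n' \
    "$GH_ISSUER" "$2" "$1"
}

# Run the assembled command when cosign is installed, otherwise show what would run.
run_verification() {
  cmd=$1
  if command -v cosign >/dev/null 2>&1; then
    sh -c "$cmd"
  else
    echo "cosign not found, would run: $cmd"
  fi
}

# Placeholder deployment values; substitute the digest and repo from the live evidence pack.
IMAGE='ghcr.io/example-org/example-app@sha256:0000000000000000000000000000000000000000000000000000000000000000'
IDENTITY=$(fulcio_identity example-org/example-app deploy.yml refs/heads/main)

if [ "${1:-}" = demo ]; then
  run_verification "$(cosign_verify_cmd "$IMAGE" "$IDENTITY")"
  run_verification "$(sbom_download_cmd "$IMAGE" "$IDENTITY")"
fi
```

A `--certificate-identity-regexp` covering the whole organisation would accept a signature from any workflow in any repo; the exact identity above is what ties the signature to this pipeline, this workflow file and this branch.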
These three links lead to permanent, publicly auditable records:
If a SOC 2 Type I auditor or ISO 27001 certifier asked for evidence today:
Pipeline-run.json contains commit SHA, author, timestamp, image digest, and gate results — combined with GitHub PR history, that's an unbroken chain from human to running container.
cosign-verification.log proves the signature is valid; certificate identity ties it to this repo at this commit; Rekor transparency log makes it publicly auditable.
SHA256 manifest + WORM Blob storage = nobody, Azure subscription owners included, can modify the archive during the 1825-day retention period.
Every push to main produces a new evidence pack. The list of packs IS the release audit trail.
compliance-matrix.json maps every artifact to specific articles. Generated automatically; auditable in source.
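As an added illustration of the Phase 6 manifest step (example code written for this page, not CyberForge's script), the functions below build the manifest the way `find` + `sha256sum` does, with deterministic ordering and paths relative to the pack root, and verify a pack. Verification covers the case `sha256sum --check` misses on its own: a file added to the pack after the manifest was written. It relies on GNU find/sort/sha256sum (`-print0`, `-z`), and the demo pack contents are constructed.

```shell
#!/usr/bin/env bash
# Added example (not CyberForge's Phase 6 script): build and verify the SHA256
# integrity manifest of an evidence pack. Needs GNU find/sort/sha256sum.

# Write manifest.sha256 inside the pack: one line per file, byte-order sorted,
# paths relative to the pack root so the manifest stays valid in the WORM archive.
make_manifest() {
  pack=$1
  ( cd "$pack" || exit 1
    LC_ALL=C find . -type f ! -name manifest.sha256 -print0 \
      | LC_ALL=C sort -z \
      | xargs -0 sha256sum > manifest.sha256 )
}

# Verify a pack. Fails on a changed or missing file (sha256sum --check) and also
# on a file that is present but unlisted, which --check alone does not notice.
verify_manifest() {
  pack=$1
  ( cd "$pack" || exit 1
    [ -f manifest.sha256 ] || { echo "no manifest in $pack" >&2; exit 1; }
    sha256sum --check --quiet --strict manifest.sha256 || exit 1
    # sha256sum lines are "<64 hex><two spaces><path>", so the path starts at column 67.
    listed=$(cut -c67- manifest.sha256 | LC_ALL=C sort)
    present=$(LC_ALL=C find . -type f ! -name manifest.sha256 | LC_ALL=C sort)
    if [ "$listed" != "$present" ]; then
      echo "files not covered by the manifest:" >&2
      printf '%s\n' "$listed" "$present" | sort | uniq -u >&2
      exit 1
    fi )
}

# Build a small constructed pack, verify it, then tamper with it to show detection.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/pack/reports"
  printf '{"commit":"PLACEHOLDER_SHA","gate":"pass"}\n' > "$tmp/pack/pipeline-run.json"
  printf 'Verified OK\n' > "$tmp/pack/reports/cosign-verification.log"
  make_manifest "$tmp/pack"
  verify_manifest "$tmp/pack" && echo "pack intact"
  printf '{"commit":"PLACEHOLDER_SHA","gate":"FAIL"}\n' > "$tmp/pack/pipeline-run.json"
  verify_manifest "$tmp/pack" || echo "tamper detected"
  rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The manifest is what the WORM archive protects: once uploaded, the digests cannot be rewritten, so any later edit to a report, or any report slipped in after the fact, shows up on re-verification.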
CyberForge delivers this in four service tiers.
Read-only assessment. Identifies highest-impact gaps, prioritised hardening plan.
OIDC federation, SHA pinning, runner isolation, dependency scanning, basic gates.
Full pipeline. SBOM, signing, attestation, evidence archival, audit-ready documentation.
Continuous monitoring, drift detection, dependency updates, audit support.
CyberForge differentiates by implementation, not assessment. The deliverable is code, infrastructure, and evidence — not a slide deck.