CI/CD and Software Supply Chain Security
Section focus: CI/CD and Software Supply Chain Security.
Best use: start with the section map below, then move into the deeper pages that match your role or stack.
Design note: this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.
Start with these pages
| Page | Why open it first |
|---|---|
| GitLab CI YAML Deep Dive | Pipeline structure in GitLab CI YAML; the foundation the other GitLab pages build on. |
| Security Quality Gates and Release Blocking | How security findings become a pass/fail decision that blocks a release. |
| Runner Isolation and Trust Boundaries | Where pipeline jobs execute and which trust boundaries separate them. |
| Protected Environments and Deployment Approvals | Restricting who can deploy to an environment and requiring approval before deployment. |
| Reusable GitLab Includes and Components | Sharing pipeline logic through includes and CI/CD components without duplicating security jobs. |
| Gate Aggregation Scripts | Combining the results of several scanners into a single gate decision. |
| GitLab Release Evidence | The evidence GitLab records for a release and how it supports sign-off. |
| Argo CD AppProject and Sync Windows | Scoping what an Argo CD project may deploy and when syncs are allowed. |
| SonarQube CI, PR Analysis, Quality Gates, and External Issues | Modern CI pattern for new-code gating, SARIF-aware aggregation, and practical Sonar workflows. |
| Commit to Deployment Security Control Plane | End-to-end map of repository, pipeline, runner, secret, provenance, and release controls. |
| Release Governance: Security Sign-Off, Quality Gates, Acceptance Criteria, and Escalation | Turns release sign-off into an evidence-backed governance flow with blocking rules and escalation paths. |
| Secure Build Factory / Artifact Signing / Deployment Approval Evidence Pack | Auditable build integrity, signing, provenance, and promotion evidence. |
| Custom Security Toolbox Container for Post-Build Tests | Bundling several scanners into one reproducible post-build container image. |
Related sections
- SonarQube PR analysis, CI quality-gate waiting, and external-issue ingestion
- DefectDojo integrations and secret scanning gates
- cross-links into new identity, detection, and third-party trust sections
Intro: The release system is a security boundary. This section covers the control plane around pipelines, runners, approvals, release evidence, secret scanning, and the ways teams make security decisions in the flow of delivery.
What this page includes
- GitLab pipeline structure and reusable components
- quality gates, release evidence, and approvals
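As an added illustration of the gate-aggregation and release-blocking topics this section indexes (example code written for this page, not taken from any of the listed pages or from GitLab): a small Python aggregator that flattens a SARIF log and a secret scanner's output into findings, resolves levels that SARIF results omit from the rule defaults, and applies a release policy in which any exposed secret blocks unconditionally. The tool name `example-sast`, the newline-delimited JSON secret-scanner format, the file paths, the thresholds, and both input samples are constructed for the example.

```python
"""Added example: aggregate scanner output into a release-gate decision.

Not taken from any page in this section. The tool name "example-sast", the
NDJSON secret-scanner format, file paths and thresholds are assumptions.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed SARIF 2.1.0 sample: one result carries an explicit level, the
# other relies on the rule's defaultConfiguration, which a naive gate misses.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-002", "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002",
             "message": {"text": "User input logged unescaped"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/web.py"}, "region": {"startLine": 7}}}]},
        ],
    }],
})

# Constructed secret-scanner output, one JSON object per line.
SAMPLE_SECRETS = "\n".join([
    '{"file": "config/dev.env", "rule": "generic-api-key", "line": 3}',
    '{"file": "README.md", "rule": "example-placeholder", "line": 10}',
])


@dataclass
class Finding:
    source: str
    rule: str
    severity: str   # SARIF levels: "error", "warning", "note"
    location: str


@dataclass
class GateResult:
    blocked: bool
    reasons: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_sarif(text):
    """Flatten SARIF results; fall back to the rule's default level when a result omits it."""
    findings = []
    for run in json.loads(text).get("runs", []):
        driver = run["tool"]["driver"]
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = res.get("ruleId", "unknown")
            level = res.get("level") or defaults.get(rule, "warning")
            location = "unknown"
            for loc in res.get("locations", [])[:1]:   # first location is enough for the gate
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                location = f'{uri}:{phys.get("region", {}).get("startLine", 0)}'
            findings.append(Finding(driver["name"], rule, level, location))
    return findings


def parse_secrets(text, allowlist=frozenset()):
    """Every non-allowlisted secret hit is error-level; allowlisting is by rule id only."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if rec["rule"] in allowlist:
            continue
        findings.append(Finding("secret-scan", rec["rule"], "error", f'{rec["file"]}:{rec["line"]}'))
    return findings


def evaluate_gate(findings, max_errors=0, max_warnings=5):
    """Apply the release policy: secrets block unconditionally, other levels are counted."""
    errors = [f for f in findings if f.severity == "error"]
    warnings = [f for f in findings if f.severity == "warning"]
    secrets = [f for f in findings if f.source == "secret-scan"]
    reasons = []
    if secrets:
        reasons.append(f"{len(secrets)} exposed secret(s): blocks regardless of thresholds")
    if len(errors) > max_errors:
        reasons.append(f"{len(errors)} error-level finding(s) exceed limit {max_errors}")
    if len(warnings) > max_warnings:
        reasons.append(f"{len(warnings)} warning(s) exceed limit {max_warnings}")
    return GateResult(blocked=bool(reasons), reasons=reasons, findings=findings)


def run_gate(sarif_text, secrets_text, allowlist=frozenset(), **policy):
    """Aggregate both sources and evaluate; **policy forwards max_errors / max_warnings."""
    return evaluate_gate(parse_sarif(sarif_text) + parse_secrets(secrets_text, allowlist), **policy)


if __name__ == "__main__":
    result = run_gate(SAMPLE_SARIF, SAMPLE_SECRETS, frozenset({"example-placeholder"}))
    for f in result.findings:
        print(f"{f.severity:8} {f.source:14} {f.rule:20} {f.location}")
    for reason in result.reasons:
        print("BLOCK:", reason)
    sys.exit(1 if result.blocked else 0)   # a non-zero exit fails the pipeline job
```

Two design points worth noting. The SARIF level is resolved from the rule's `defaultConfiguration` when a result omits it, because a gate that only reads `result.level` silently downgrades such findings. Secrets are a separate hard rule rather than a count, so raising `max_errors` to unblock a noisy SAST run can never let an exposed credential through.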
Core pages in this section
- GitLab CI YAML Deep Dive
- Security Quality Gates and Release Blocking
- Runner Isolation and Trust Boundaries
- Protected Environments and Deployment Approvals
- Reusable GitLab Includes and Components
- Gate Aggregation Scripts
- GitLab Release Evidence
- Argo CD AppProject and Sync Windows
- DefectDojo Integration Patterns
- GitLab System Security Baseline
- Repository Governance: CODEOWNERS, SECURITY.md, and Default Files
- Secret Scanning in Quality Gates
- Mobile Testing Quality Gates and DefectDojo Integration
- OWASP ZAP in the Real World: Tuning, Reports, and Quality Gates
- OWASP ZAP Authenticated Scanning and Session Management
- OWASP ZAP and DAST Modernization Patterns
- OWASP ZAP for APIs, Automation Framework, and OAST: Modern Practice
- GitLab Top 10 Misconfigurations
- Software Supply Chain Foundations
- SCA, SBOM, and Supply Chain Tooling: Legacy vs Current
- Signing, Attestation, and Verification: Legacy vs Current
- Chainloop and Supply Chain Evidence
- Jenkins Server Security Hardening and Top 10 Issues
- GitHub Actions for Product Security
- Local Artifact Repository Scanning and JFrog Xray
- Harbor Registry Hardening
- Self-Hosted Runners Security Review Pack
- GitLab CI/CD Modern Security Patterns
- Security Automation Controllers: AWX, Jenkins, and Rundeck Patterns
- SonarQube CI, PR Analysis, Quality Gates, and External Issues
- Commit to Deployment Security Control Plane
- Release Governance: Security Sign-Off, Quality Gates, Acceptance Criteria, and Escalation
- Secure Build Factory / Artifact Signing / Deployment Approval Evidence Pack
- Custom Security Toolbox Container for Post-Build Tests
- Dependency Updates: Renovate, Dependabot, Cadence, Controlled Rollout, and Compatibility Testing
Cross-links
- Repository Secret Scanning
- Infrastructure and Cloud Security
- Identity and Platform Access
- Third-Party and Integration Security
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.