Product Security Knowledge Base

๐Ÿ—บ๏ธ Diagram Index

New diagrams in v2.1

  • assets/diagrams/detection-engineering-flow.svg - how threat modeling becomes logs, detections, and playbooks
  • assets/diagrams/secure-architecture-patterns-overview.svg - tenant, service, admin, and cloud-plane trust boundaries
  • assets/diagrams/workload-federation-and-platform-access.svg - pipeline to federation to cloud-role flow
  • assets/diagrams/frontend-trust-boundary.svg - browser, frontend, BFF, and service trust path
  • assets/diagrams/business-logic-abuse-surface.svg - common business-workflow abuse surfaces

v2.2 diagrams

  • assets/diagrams/frontend-auth-patterns.svg - browser, BFF, API, IdP, and third-party trust map
  • assets/diagrams/business-logic-abuse-lifecycle.svg - incentive-to-loss abuse flow
  • assets/diagrams/third-party-integration-trust-boundaries.svg - source, pipeline, runner, and artifact trust path
  • assets/diagrams/stack-review-lifecycle.svg - design-to-observe review loop
  • assets/diagrams/learning-labs-feedback-loop.svg - read, practice, debrief, improve

v2.3 diagrams

  • assets/diagrams/senior-engineer-decision-loop.svg - advanced design-to-detection-to-scale loop
  • assets/diagrams/product-security-operating-model.svg - intake, ownership, decision, and evidence flow
  • assets/diagrams/security-program-roadmap.svg - staged capability roadmap for Product Security programs

v2.4 diagrams

  • assets/diagrams/leadership-review-cadence.svg - evidence-to-engineering-to-executive-to-board narrative flow
  • assets/diagrams/board-narrative-waterfall.svg - board story structure from direction to asks

v2.5 diagrams

  • assets/diagrams/newcomer-ramp-up-map.svg - a simple map from beginner confusion to guided paths, glossary, reviews, and labs
  • assets/diagrams/review-checklist-loop.svg - read, review, decide, record, and improve loop for newcomer-friendly checklists
  • assets/diagrams/mobile-api-compliance-automation-labs-map.svg - map connecting mobile labs, API conformance, compliance learning, and containment automation
  • BSIMM and SAMM Comparison - high-level visual on how to use BSIMM and OWASP SAMM together

v4.5 diagrams

  • assets/diagrams/devopssec-control-loop.svg - control loop for shift-left checks, protected deployment, and runtime feedback
  • assets/diagrams/webapp-review-trust-zones.svg - browser, edge, identity, and data/integration review map
  • assets/diagrams/security-automation-controller-trust-map.svg - AWX / Jenkins / Rundeck as privileged control planes

v4.6 diagrams

  • assets/diagrams/browser-session-trust-zones.svg - browser, identity/BFF, API, and data trust map for session and authorization review
  • assets/diagrams/csp-third-party-trust-flow.svg - how CSP, SRI, and script ownership fit into frontend trust decisions
  • assets/diagrams/graphql-abuse-controls.svg - schema, resolver, operation-cost, and detection control map for GraphQL