GitOps – How to pass SOC audit?

2 points by realitylabs 4 years ago · 0 comments · 1 min read


We are in the middle of a SOC audit and over the last year have migrated most of our apps to docker/k8s/cloud. The auditors are asking how we know that a devops person (who does the merging, which then kicks off the automation to deploy to prod) couldn't push some code to skim pennies or whatever. The devops peeps have access to the codebases to do the merges since we still have humans in the mix to bless/approve stuff to go to prod (and also because the Jenkinsfile and Dockerfiles are in there). We have a bunch of pull-request-minded settings in GH, and protected branches, but it really comes down to the fact that the devops users only touch a subset of the files in the repo (the non-code ones), and the developers touch the code. Has anyone had any experience satisfying auditors? They appear to have never seen anything like this before, and there's got to be more people who are audited who are doing devops, right?
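The control the post describes (devops owns the pipeline files, developers own the application code, and nobody merges their own change) is exactly what GitHub's CODEOWNERS file plus the "Require review from Code Owners" branch-protection rule enforces. What an auditor usually wants is to see that rule replayed over a concrete pull request. The script below is an added example, not code from the original post or from any project it mentions: it parses a constructed CODEOWNERS-style policy, maps each changed file to its owning team, and reports whether a PR's approvals satisfy the separation of duties. The team names, paths, usernames and sample PRs are all constructed for illustration.

```python
"""Separation-of-duties check for a GitOps repository.

Mimics GitHub's CODEOWNERS semantics (last matching rule wins, a pattern
without a slash matches a file name anywhere in the tree) so that a PR's
changed-file list can be evaluated offline, e.g. as audit evidence or as a
CI gate in front of the deploy job.
"""
import subprocess
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed policy: devops owns pipeline/deploy files, developers own code.
CODEOWNERS = """
# default owner for everything not listed below
*                 @acme/developers
Jenkinsfile       @acme/devops
Dockerfile        @acme/devops
deploy/**         @acme/devops
"""

# Constructed team membership; in practice this comes from the IdP/GitHub org.
TEAMS = {
    "@acme/developers": {"alice", "bob"},
    "@acme/devops": {"dan", "erin"},
}


def parse_codeowners(text):
    """Return [(pattern, [owner, ...]), ...] in file order, comments stripped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _matches(path, pattern):
    if pattern.endswith("/**"):            # directory subtree
        return path.startswith(pattern[:-3] + "/")
    if "/" in pattern:                      # anchored path glob
        return fnmatch(path, pattern.lstrip("/"))
    return fnmatch(path.rsplit("/", 1)[-1], pattern)  # bare file-name glob


def owners_for(path, rules):
    """Owning teams for a path; the last matching rule wins, as on GitHub."""
    owners = []
    for pattern, rule_owners in rules:
        if _matches(path, pattern):
            owners = rule_owners
    return owners


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def check_merge(changed_files, author, approvers, rules=None, teams=TEAMS):
    """Decide whether a PR may merge under the code-owner policy.

    Every changed file needs an approval from a member of one of its owning
    teams, and the author's own approval never counts (separation of duties).
    Files with no owner rule are refused rather than silently allowed.
    """
    rules = rules or parse_codeowners(CODEOWNERS)
    reasons = []
    if author in approvers:
        reasons.append(f"{author} cannot approve their own change")
    effective = set(approvers) - {author}
    for path in changed_files:
        required = owners_for(path, rules)
        if not required:
            reasons.append(f"{path}: no owner rule; refusing by default")
            continue
        eligible = set().union(*(teams.get(t, set()) for t in required))
        if not eligible & effective:
            reasons.append(f"{path}: needs approval from {' or '.join(required)}")
    return Verdict(not reasons, reasons)


def changed_files_from_git(base, head, repo="."):
    """Changed paths between two commits, via `git diff --name-only`."""
    out = subprocess.run(["git", "-C", repo, "diff", "--name-only", f"{base}...{head}"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


if __name__ == "__main__":
    # Constructed PRs: a devops user editing deploy config vs. application code.
    for files, author, approvers in [
        (["Jenkinsfile", "deploy/prod/values.yaml"], "dan", {"erin"}),
        (["src/payments/charge.py"], "dan", {"erin"}),
        (["src/app.py", "Dockerfile"], "alice", {"bob", "erin"}),
    ]:
        v = check_merge(files, author, approvers)
        print(f"{author} -> {files}: {'ALLOWED' if v.allowed else 'BLOCKED'}", v.reasons)
```

On GitHub itself the equivalent evidence is the branch-protection settings page (required reviews, "Require review from Code Owners", "Dismiss stale pull request approvals", and a required status check for the pipeline) together with the merged PR's review history; the script is useful for replaying that policy over historical merges so the auditor can see that no devops-authored change to application code was ever approved by devops alone.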

No comments yet.
