
Implementation Roadmap

You can't harden everything at once. Prioritize controls by risk and audit value.

Phased Rollout

Follow the 12-week timeline to avoid disrupting existing workflows. Skip phases at your own risk.

Three-month plan from foundation to full enforcement.


Month 1: Foundation

Goal: Core enforcement in place. Evidence collection begins.

Week 1: Branch Protection

Tasks:

  • Enable branch protection on main and production branches
  • Require 1+ approving reviews
  • Enable enforce_admins so the rules also apply to repository administrators
  • Require linear history

Validation:

gh api repos/org/repo/branches/main/protection \
  | jq '{reviews: .required_pull_request_reviews.required_approving_review_count, admins: .enforce_admins.enabled, linear: .required_linear_history.enabled}'

Documentation: Update CONTRIBUTING.md with review requirements.
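The jq one-liner above shows the settings; an auditor (or the Week 11 simulation) wants a pass/fail verdict. The following is an added example, not tooling from the original page: it checks a branch-protection payload in the shape returned by GET /repos/{owner}/{repo}/branches/{branch}/protection against the Week 1 requirements, and optionally against the required checks (Week 2) and required signatures (Week 6) so the same script can be re-run as later weeks land. Beyond the page's list it also flags stale-review dismissal, force pushes and deletions, which are the usual ways a "protected" branch still gets rewritten. The sample payload is constructed, and the job names in REQUIRED_CHECKS are taken from the Week 2 workflow.

```python
"""Check a branch-protection payload against the roadmap's requirements.

Added example, not part of the original page. Input shape is that of
GET /repos/{owner}/{repo}/branches/{branch}/protection; SAMPLE below is a
constructed payload, not captured from a real repository.
"""
from __future__ import annotations

import json
import subprocess
from typing import Any

REQUIRED_REVIEWS = 1
REQUIRED_CHECKS = ("tests", "lint")  # job names from required-checks.yml (Week 2)


def check_protection(cfg: dict[str, Any], require_checks: bool = False,
                     require_signatures: bool = False) -> list[str]:
    """Return a list of findings; an empty list means the branch passes."""
    findings: list[str] = []
    reviews = cfg.get("required_pull_request_reviews") or {}  # key absent when reviews not required
    count = reviews.get("required_approving_review_count", 0)
    if count < REQUIRED_REVIEWS:
        findings.append(f"required_approving_review_count is {count}, need >= {REQUIRED_REVIEWS}")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("dismiss_stale_reviews is off (an approval survives later pushes)")
    if not (cfg.get("enforce_admins") or {}).get("enabled"):
        findings.append("enforce_admins is off (admins can bypass protection)")
    if not (cfg.get("required_linear_history") or {}).get("enabled"):
        findings.append("required_linear_history is off")
    if (cfg.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("allow_force_pushes is on (history can be rewritten)")
    if (cfg.get("allow_deletions") or {}).get("enabled"):
        findings.append("allow_deletions is on")
    if require_checks:
        contexts = set((cfg.get("required_status_checks") or {}).get("contexts") or [])
        missing = [c for c in REQUIRED_CHECKS if c not in contexts]
        if missing:
            findings.append(f"required_status_checks missing: {', '.join(missing)}")
    if require_signatures and not (cfg.get("required_signatures") or {}).get("enabled"):
        findings.append("required_signatures is off")
    return findings


def fetch_protection(repo: str, branch: str = "main") -> dict[str, Any]:
    """Live variant: read the config with the gh CLI (token needs administration:read)."""
    out = subprocess.run(["gh", "api", f"repos/{repo}/branches/{branch}/protection"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample: reviews and linear history set, enforce_admins still off,
# only the "tests" check required so far, signatures not yet required.
SAMPLE = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["tests"]},
    "required_signatures": {"enabled": False},
}

if __name__ == "__main__":
    import sys
    cfg = fetch_protection(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for finding in check_protection(cfg, require_checks=True):
        print("FAIL:", finding)
```

Run it as `python check_protection.py org/repo` against a live repository once the gh CLI is authenticated; without an argument it evaluates the constructed sample and reports enforce_admins and the missing lint check.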


Week 2: CI/CD Status Checks

Tasks:

  • Create required-checks.yml workflow (tests, lint)
  • Configure branch protection to require the tests and lint checks (required checks are matched by job name, so rename jobs with care)
  • Test on non-critical repository first

Workflow:

name: Required Checks
on: [pull_request]
permissions:
  contents: read   # least privilege: these jobs only need to read the repository
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint

Validation: Open PR, verify checks block merge until passing.


Week 3: GitHub App Setup

Tasks:

  • Create GitHub App for automation (see Setup Guide)
  • Configure permissions (releases, PRs, contents; add repository administration: read if the app will read branch protection for the Week 4 evidence job)
  • Generate and store private key in secrets
  • Replace first PAT usage in workflows

Validation:

- name: Test app token
  id: app-token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.PRIVATE_KEY }}
- name: Use the token (fails if the app is not installed on this repository)
  run: gh api "repos/${{ github.repository }}" --jq .full_name
  env:
    GH_TOKEN: ${{ steps.app-token.outputs.token }}

Migration tracking: Document remaining PAT usages for month 2.


Week 4: Evidence Archive

Tasks:

  • Set up GCS bucket with a 3-year retention policy so evidence cannot be deleted or overwritten before it expires (a lifecycle rule alone only removes old objects, it does not protect them)
  • Create monthly evidence collection workflow
  • Archive first month's data (branch protection config, merged PRs)

Workflow:

name: Monthly Evidence
on:
  schedule:
    - cron: '0 0 1 * *'   # 00:00 UTC on the 1st of every month
jobs:
  archive:
    runs-on: ubuntu-latest
    steps:
      # GITHUB_TOKEN has no administration permission and cannot read branch
      # protection; use the Week 3 app token (administration: read) instead
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - run: gh api repos/org/repo/branches/main/protection > "protection-$(date +%Y-%m).json"
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
      # authenticate to GCP before this step (e.g. google-github-actions/auth with Workload Identity Federation)
      - run: gsutil cp ./*.json gs://audit-evidence/org/repo/

Validation: Verify files appear in GCS bucket.


Month 2: Hardening

Goal: Add secrets detection, commit signing, and SBOM generation.

Week 5: Secrets Detection

Tasks:

  • Add TruffleHog to .pre-commit-config.yaml
  • Deploy pre-commit config to all repositories
  • Add secrets scan to CI workflow
  • Document bypass procedure (git commit --no-verify skips local hooks, so log bypasses and treat the CI scan as the enforcing control)

Pre-commit hook:

repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.0
    hooks:
      - id: trufflehog
        entry: trufflehog filesystem --fail --no-update

Validation: Attempt to commit a test credential (a known-fake or already-revoked AWS key, never a live one), verify block.

See Pre-commit Security Gates for full implementation.


Week 6: Signed Commits

Tasks:

  • Generate GPG keys for core team
  • Add public keys to GitHub
  • Configure Git to sign commits automatically
  • Enable required_signatures on protected branches

Configuration:

git config --global user.signingkey YOUR_GPG_KEY_ID
git config --global commit.gpgsign true

Validation:

git log --format='%G? %h %s' -20 main   # %G? is G for a good signature, N for unsigned, B for bad

See Commit Signing for setup guide.


Week 7: SBOM Generation

Tasks:

  • Add Syft/Trivy to build pipelines
  • Generate SBOM for each container build
  • Upload SBOMs to artifact storage (GitHub artifacts expire, 90 days by default, so also copy them to the Week 4 evidence bucket)
  • Verify license compliance (no GPL in proprietary code)

Workflow:

- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    image: app:${{ github.sha }}
    format: cyclonedx-json
    output-file: sbom.json

- name: Upload SBOM
  uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: sbom.json

Validation: Download artifact, verify SBOM contains expected dependencies.

See SBOM Generation for full implementation.


Week 8: Complete PAT Migration

Tasks:

  • Audit all remaining PAT usages (grep -rn 'secrets\.' .github/workflows/; GITHUB_TOKEN is the built-in token, not a PAT, so look at every other secret passed as a token)
  • Create additional GitHub Apps for specific use cases
  • Replace all PATs with app tokens
  • Revoke old PATs

Validation: No PATs referenced in active workflows.
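A grep finds the references but still leaves a human to sort them. The following is an added example, not the page's own tooling: it scans workflow files for every ${{ secrets.NAME }} reference and reports any NAME that is not on an allow-list of known non-PAT credentials. The allow-list (GITHUB_TOKEN plus the APP_ID and PRIVATE_KEY names from the Week 3 snippet) and the sample workflow text, including the RELEASE_PAT name, are constructed for the example. A hit is not always a GitHub PAT (an NPM_TOKEN would also be reported) but every hit is a long-lived credential that deserves the same review.

```python
"""Report workflow secrets that are probably PATs or other long-lived credentials.

Added example, not part of the original page. SAMPLE_WORKFLOW and the secret
names in it are constructed; ALLOWED holds the credentials that are known
not to be PATs (built-in token, Week 3 app id and private key).
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

ALLOWED = {"GITHUB_TOKEN", "APP_ID", "PRIVATE_KEY"}  # assumed names
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def find_pat_refs(text: str, allowed: set[str] = ALLOWED) -> dict[str, list[int]]:
    """Map each non-allowed secret name to the 1-based line numbers that use it."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name in SECRET_REF.findall(line):
            if name not in allowed:
                hits.setdefault(name, []).append(lineno)
    return hits


def audit_workflows(root: Path) -> dict[str, dict[str, list[int]]]:
    """Run find_pat_refs over every workflow file under root; {file: {secret: [lines]}}."""
    report: dict[str, dict[str, list[int]]] = {}
    for path in sorted(list(root.glob("*.yml")) + list(root.glob("*.yaml"))):
        hits = find_pat_refs(path.read_text())
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: one job still passing a PAT twice alongside the app token.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.RELEASE_PAT }}
      - id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
      - run: gh release create v1 --notes "ok"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{secrets.RELEASE_PAT}}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_workflows(Path(sys.argv[1]))
    else:
        report = {"<sample>": find_pat_refs(SAMPLE_WORKFLOW)}
    for file, hits in report.items():
        for name, lines in hits.items():
            print(f"{file}: secrets.{name} on lines {lines}")
    sys.exit(1 if any(report.values()) else 0)
```

Run as `python pat_audit.py .github/workflows` in each repository; a non-zero exit means a credential still needs migrating, so the script can also gate the Week 8 validation in CI.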


Month 3: Validation & Policy-as-Code

Goal: Simulate audit, fix gaps, add runtime enforcement.

Week 9: Vulnerability Scanning

Tasks:

  • Add Trivy/Grype container scanning to CI
  • Set severity threshold (HIGH/CRITICAL block merge)
  • Configure vulnerability database auto-update

Workflow:

- name: Scan container
  run: |
    trivy image --severity HIGH,CRITICAL --exit-code 1 \
      gcr.io/project/app:${{ github.sha }}

Validation: Introduce test vulnerability, verify build fails.

See Zero-Vulnerability Pipelines.


Week 10: Policy-as-Code (Kyverno)

Tasks:

  • Deploy Kyverno to Kubernetes clusters
  • Install Policy Reporter for observability
  • Implement core policies (resource limits, image sources, labels)
  • Configure audit mode first, then enforcement mode

Core policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce   # start with Audit and review Policy Reporter before switching to Enforce
  rules:
    - name: check-limits
      match:
        resources:
          kinds: [Pod]
      validate:
        message: "CPU and memory limits required"
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"

Validation: Deploy pod without limits, verify rejection.

See Policy-as-Code with Kyverno for end-to-end implementation.


Week 11: Audit Simulation

Tasks:

  • Pull evidence like an auditor would (API queries for March data)
  • Generate summary report (PR reviews, check results, signed commits)
  • Identify gaps in evidence or controls
  • Document findings and remediation plan

Simulation script:

# Verify branch protection
gh api repos/org/repo/branches/main/protection

# Sample March PRs
gh api --paginate 'repos/org/repo/pulls?state=closed&base=main' \
  --jq '.[] | select(.merged_at != null and (.merged_at | startswith("2025-03"))) | {number, merged_at, user: .user.login}'

# Check signature coverage
./scripts/signature-coverage.sh 2025-03-01 2025-04-01

Validation: Evidence collection succeeds for sampled period.
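The simulation script calls ./scripts/signature-coverage.sh, which the page references but does not show. The following is an added example standing in for it, not that script: it turns git's per-commit signature verdict (%G? in git log: G good, N none, B bad, U/X/Y/R signed but with an untrusted, expired or revoked key, E signed but unverifiable because the key is missing) into a coverage figure plus the list of offending SHAs, and filters a closed-PR listing down to the ones merged in the sampled month, skipping PRs closed without merging (merged_at is null). The git output and PR records below are constructed; the live variant runs git over a date range the way the page's script is invoked.

```python
"""Audit-simulation helpers: commit signature coverage and merged-PR sampling.

Added example, not the page's ./scripts/signature-coverage.sh. Verdicts come
from git log --format='%G?%x09%H%x09%cI'; SAMPLE_LOG and SAMPLE_PRS are
constructed, not captured from a real repository.
"""
from __future__ import annotations

import json
import subprocess
from collections import Counter

GOOD = {"G"}
SIGNED_UNTRUSTED = {"U", "X", "Y", "R", "E"}  # signed, but the key is not (or no longer) trusted


def signature_coverage(log: str) -> dict:
    """Summarise %G? verdicts: counts, percent good, and SHAs that are not good."""
    verdicts: Counter = Counter()
    offenders: list[str] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        status, sha, _commit_date = line.split("\t", 2)
        verdicts[status] += 1
        if status not in GOOD:
            offenders.append(sha)
    total = sum(verdicts.values())
    good = sum(verdicts[s] for s in GOOD)
    return {
        "total": total,
        "good": good,
        "signed_untrusted": sum(verdicts[s] for s in SIGNED_UNTRUSTED),
        "bad": verdicts["B"],
        "unsigned": verdicts["N"],
        "pct_good": round(100.0 * good / total, 1) if total else 0.0,
        "offenders": offenders,
    }


def git_log_verdicts(repo: str, since: str, until: str, branch: str = "main") -> str:
    """Live variant: verdict lines for commits on branch with commit date in [since, until)."""
    return subprocess.run(
        ["git", "-C", repo, "log", f"--since={since}", f"--until={until}",
         "--format=%G?%x09%H%x09%cI", branch],
        check=True, capture_output=True, text=True).stdout


def merged_in_month(prs: list[dict], month: str) -> list[dict]:
    """Keep PRs from a /pulls?state=closed listing that were merged in YYYY-MM."""
    return [pr for pr in prs if pr.get("merged_at") and pr["merged_at"].startswith(month)]


# Constructed sample: five March commits, three good, one unsigned, one with a missing key.
SAMPLE_LOG = (
    "G\t1111111111111111111111111111111111111111\t2025-03-03T10:00:00+00:00\n"
    "G\t2222222222222222222222222222222222222222\t2025-03-10T10:00:00+00:00\n"
    "N\t3333333333333333333333333333333333333333\t2025-03-14T10:00:00+00:00\n"
    "E\t4444444444444444444444444444444444444444\t2025-03-21T10:00:00+00:00\n"
    "G\t5555555555555555555555555555555555555555\t2025-03-28T10:00:00+00:00\n"
)
SAMPLE_PRS = [
    {"number": 41, "merged_at": "2025-03-05T12:00:00Z"},
    {"number": 42, "merged_at": None},                 # closed without merging
    {"number": 43, "merged_at": "2025-04-01T00:30:00Z"},
]

if __name__ == "__main__":
    import sys
    log = git_log_verdicts(".", sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_LOG
    print(json.dumps(signature_coverage(log), indent=2))
    print("merged in 2025-03:", [pr["number"] for pr in merged_in_month(SAMPLE_PRS, "2025-03")])
```

Invoke it as `python signature_coverage.py 2025-03-01 2025-04-01` inside a checkout to mirror the page's script; the offenders list is what goes into the Week 12 remediation plan, and a non-zero signed_untrusted count usually means a team member's public key was never imported on the machine running the check rather than a bad commit.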


Week 12: Remediation & Runbook

Tasks:

  • Fix gaps identified in simulation
  • Create runbook for responding to audit requests
  • Train team on SDLC controls (why they exist, how to use them)
  • Document exception processes (emergency bypass, post-review)

Runbook sections:

  • How to retrieve branch protection evidence
  • How to query PR review history
  • How to generate compliance reports
  • Exception request template
  • Bypass logging procedure

Validation: Team can retrieve evidence without assistance.


Next Steps

  • Execution Guide - Progress tracking, audit readiness criteria, rollback planning, cost estimation, success metrics

Week 1: Protection enabled. Week 4: Evidence collected. Week 12: Audit simulation passed. Controls enforced. System hardened.
