RAISE 2.0 — CI/CD Tools Certification Package

Memorandum

Subj: REQUEST FOR CI/CD PIPELINE TOOLS CERTIFICATION — SECURE RUNTIME ENVIRONMENT (SRE)

Ref:

(a) Rapid Assess and Incorporate for Software Engineering (RAISE) Implementation Guide, 1 November 2022

(b) Navy Risk Management Framework (RMF) Process Guide

(c) DoD Enterprise DevSecOps Fundamentals, Version 2.5, 16 October 2024

(d) NIST SP 800-53 Rev 5, Security and Privacy Controls

(e) DISA STIG for Kubernetes, Version 2 Release 2

Encl:

(1) CI/CD Pipeline Architecture Diagram

(2) Security Gate Evidence Package

(3) Tool Configuration and Version Inventory

(4) Sample Pipeline Run — Full Artifact Set

(5) Kyverno Admission Control Policy Configuration

1 Purpose & RPOC Identification

In accordance with reference (a), Appendix D, this memorandum requests certification of the Secure Runtime Environment (SRE) CI/CD pipeline tools for usability and functional capability. Upon certification, SRE will meet the requirements for designation as a RAISE Platform of Choice (RPOC).

RPOC Identification
3 RPOC Components

# | Component | eMASS ID | Environment | Description
1 | SRE Production | | Production | RKE2 Kubernetes cluster hosting tenant applications
2 | SRE Staging | | Staging | Pre-production validation environment
3 | SRE Development | | Development | Development and testing environment
4 | SRE CI/CD Tools | | Shared | Pipeline tools, artifact storage, signing infrastructure

Kubernetes Distribution: RKE2 v1.34.4 (DISA STIG-certified, FIPS 140-2 compliant)

Operating System: Rocky Linux 9.7 (DISA STIG-hardened, SELinux enforcing, FIPS enabled)

GitOps Engine: Flux CD v2.8.1

4 CI/CD Pipeline Tools — Security Gates

Per reference (a), Section 3.2, the following tools implement the 8 required RAISE security gates.

Gate 1 — SAST — Static Analysis
Tool: Semgrep OSS v1.102.0
License: LGPL-2.1
Source: github.com/semgrep/semgrep
Rulesets: p/owasp-top-ten, p/security-audit
Output: SARIF JSON → GitHub Security tab
Fail Criteria: ERROR-level findings → pipeline stops
NIST Controls: SA-11, SA-15

Gate 2 — SBOM — Software Bill of Materials
Tool: Syft v1.18.1
License: Apache-2.0
Source: github.com/anchore/syft
Formats: SPDX 2.3 JSON + CycloneDX 1.5 JSON
Output: sbom-spdx.json + sbom-cyclonedx.json
Fail Criteria: Generation failure → pipeline stops
NIST Controls: CM-2, CM-8, SA-17

Gate 3 — Secrets Detection
Tool: Gitleaks v8.21.2
License: MIT
Source: github.com/gitleaks/gitleaks
Scope: Full git history + working directory
Output: secrets-report.json
Fail Criteria: Any secret detected → pipeline stops, credential rotation required
NIST Controls: IA-5, SC-28

Gate 4 — Container Security Scan
Tool: Trivy v0.58.2
License: Apache-2.0
Source: github.com/aquasecurity/trivy
Scan Scope: OS packages, language deps, misconfigurations
Output: SARIF JSON → GitHub Security tab + Harbor
Fail Criteria: CRITICAL CVE findings → pipeline stops
NIST Controls: RA-5, SI-2

Gate 5 — DAST — Dynamic Analysis
Tool: OWASP ZAP v2.15.0
License: Apache-2.0
Source: github.com/zaproxy/zaproxy
Scan Type: Baseline scan against running application
Output: zap-report.html + zap-report.json
Fail Criteria: HIGH-risk alerts flagged for remediation per SLA
NIST Controls: SA-11, SI-10

Gate 6 — ISSM Review — Human Approval
Tool: GitHub Environments
Type: Manual gate (human-in-the-loop)
Environment: issm-review (GitHub Environment)
Reviewers: ISSM + Security Team (required)
Reviews: All Phase 1 scan artifacts
Fail Criteria: ISSM rejects → pipeline stops
NIST Controls: CA-2, CA-7

Gate 7 — Image Signing
Tool: Cosign (Sigstore) v2.4.1
License: Apache-2.0
Source: github.com/sigstore/cosign
Signing: Private key (stored in GitHub Secrets)
Attestations: SBOM (in-toto), SLSA provenance (v0.2)
Verification: Kyverno admission policy verifies at deploy time
Fail Criteria: Signing failure → image not deployable (Kyverno blocks)
NIST Controls: SI-7, SA-10

Gate 8 — Artifact Repository
Tool: Harbor v1.16.3
License: Apache-2.0
Source: github.com/goharbor/harbor
Features: OCI registry, Trivy re-scan on push, signature storage
Stores: Images, SBOM artifacts, Cosign signatures, SLSA provenance
Fail Criteria: Push failure → image not available for deployment
NIST Controls: CM-8, SI-7

4b Supporting Infrastructure

Tool | Version | Purpose | NIST Controls
GitHub Actions | SaaS | CI/CD pipeline orchestration (primary) | SA-10, AU-2
GitLab CI | SaaS | CI/CD pipeline orchestration (alternative) | SA-10, AU-2
Flux CD | 2.8.1 | GitOps continuous deployment engine | CM-2, CM-3, SA-10
Kyverno | 3.x | Kubernetes admission control — signature verification | SI-7, CM-7
NeuVector | 5.x | Runtime container security monitoring | SI-3, SI-4, IR-4
Docker Buildx | 0.18.x | Multi-platform container image builds | SA-10

5 Pipeline Architecture

The CI/CD pipeline implements all 8 RAISE security gates in four phases:

Phase 1 — Build & Scan (Automated — CI Runner)

G3  Gitleaks — Secrets Detection
    Scan full git history + working directory
    ↳ secrets-report.json

G1  Semgrep — SAST Scan
    Rulesets: p/owasp-top-ten, p/security-audit
    ↳ semgrep.sarif → GitHub Security tab

    Docker Buildx — Build Container Image (build step, no gate)
    Multi-platform OCI image build

G4  Trivy — Container Vulnerability Scan
    OS packages, language deps, misconfigurations
    ↳ trivy.sarif → GitHub Security tab

G2  Syft — Generate SBOM
    SPDX 2.3 + CycloneDX 1.5 formats
    ↳ sbom-spdx.json + sbom-cyclonedx.json

Phase 2 — ISSM Review (Manual — Human Approval)

G6  ISSM Reviews All Phase 1 Artifacts
    GitHub Environment: issm-review — Required reviewers: ISSM + Security Team

Phase 3 — Sign & Push (Automated — Post-Approval)

G8  Harbor — Push Image to OCI Registry
    Trivy re-scan on push (Harbor-side verification)

G7  Cosign — Sign Image + Attach Attestations
    SBOM attestation (in-toto) + SLSA provenance

    Flux CD — Update GitOps Repo (deploy step, no gate)
    Auto-deploy — Kyverno verifies Cosign signature at admission

Phase 4 — Post-Deploy (Automated — Against Running App)

G5  OWASP ZAP — DAST Baseline Scan
    Dynamic testing against running application
    ↳ zap-report.html + zap-report.json

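The phase ordering above, as an added GitHub Actions sketch that is not the SRE project's own ci/github-actions/build-scan-deploy.yaml: the point it shows is that the sign-push job cannot start until the issm-review job, paused by the issm-review Environment's required reviewers, has been approved, and that the image signed is the same artifact that was scanned. Assumed: a self-hosted runner labelled sre-tools with gitleaks, semgrep, trivy and syft installed; repository secrets HARBOR_USER, HARBOR_PASSWORD, COSIGN_PRIVATE_KEY and COSIGN_PASSWORD; the image name from Appendix A. The Flux CD GitOps update, SLSA provenance generation and the Phase 4 ZAP scan are left out.

```yaml
name: build-scan-sign
on:
  push:
    tags: ["v*"]                       # e.g. v1.0.0-cert, as in Appendix A
env:
  IMAGE: harbor.sre.internal/team-alpha/demo-app:${{ github.ref_name }}
jobs:
  build-scan:                          # Phase 1: automated gates G3, G1, G4, G2
    runs-on: [self-hosted, sre-tools]  # assumed runner with the scan CLIs preinstalled
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }       # Gitleaks needs the full history (Gate 3)
      - run: gitleaks detect --source . --report-format json --report-path secrets-report.json
      - run: semgrep scan --config p/owasp-top-ten --config p/security-audit --severity ERROR --error --sarif -o semgrep.sarif
      - run: docker build -t "$IMAGE" .
      - run: trivy image --exit-code 1 --severity CRITICAL --format sarif -o trivy.sarif "$IMAGE"
      - run: syft "$IMAGE" -o spdx-json=sbom-spdx.json -o cyclonedx-json=sbom-cyclonedx.json
      - run: docker save "$IMAGE" -o image.tar   # carried to Phase 3 unchanged
      - uses: actions/upload-artifact@v4
        with:
          name: phase1
          path: |
            *.json
            *.sarif
            image.tar
  issm-review:                         # Phase 2: Gate 6, human approval
    needs: build-scan
    runs-on: ubuntu-latest
    environment: issm-review           # required reviewers are configured on the Environment
    steps:
      - run: echo "ISSM approved Phase 1 artifacts for $IMAGE"
  sign-push:                           # Phase 3: cannot start until issm-review succeeds
    needs: issm-review
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: phase1 }
      - uses: sigstore/cosign-installer@v3
      - run: docker load -i image.tar
      - run: echo "${{ secrets.HARBOR_PASSWORD }}" | docker login harbor.sre.internal -u "${{ secrets.HARBOR_USER }}" --password-stdin
      - run: docker push "$IMAGE"      # Gate 8; Harbor re-scans with Trivy on push
      - name: Sign and attest (Gate 7)
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          DIGEST=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE")   # sign the digest, not the mutable tag
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$DIGEST"
          cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdxjson --predicate sbom-spdx.json "$DIGEST"
```

Because every Phase 1 gate command exits non-zero on a finding, a failure there ends the run before the issm-review job is ever offered for approval.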
6 Admission Control — Supply Chain Verification

After the CI/CD pipeline produces a signed image, the Kubernetes cluster enforces supply chain integrity at admission:

1. Kyverno verify-image-signatures — Verifies every pod's image has a valid Cosign signature from the pipeline's signing key before allowing creation

2. Kyverno restrict-image-registries — Only images from harbor.sre.internal are permitted

3. Kyverno disallow-latest-tag — All images must use pinned version tags

4. Harbor Trivy scan — Images are re-scanned on push as a second layer of verification

This ensures that only images that passed all 8 security gates can run on the platform.
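The first two policies above, as an added example of what they can look like (not the SRE platform's own YAML from Enclosure (5)); the public key block is a placeholder for the pipeline's cosign.pub. The verify rule only inspects images whose reference matches harbor.sre.internal, so it is the registry restriction that stops an unsigned image from some other registry from reaching the cluster; the disallow-latest-tag policy follows the same validate pattern.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce   # reject unsigned pods rather than only audit them
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]           # Kyverno auto-generates rules for Deployments etc.
      verifyImages:
        - imageReferences:
            - "harbor.sre.internal/*"   # only Harbor images are checked by this rule
          mutateDigest: true            # rewrite the tag to the verified digest
          required: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER: paste the contents of the pipeline's cosign.pub here
                      -----END PUBLIC KEY-----
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-image-registries
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-registries        # closes the gap left by imageReferences above
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Only images from harbor.sre.internal are permitted."
        pattern:
          spec:
            =(initContainers):         # "if present" anchor: also cover init containers
              - image: "harbor.sre.internal/*"
            =(ephemeralContainers):
              - image: "harbor.sre.internal/*"
            containers:
              - image: "harbor.sre.internal/*"
```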

7 Artifacts Produced Per Release

Artifact | Format | Storage Location | Retention
SAST Report | SARIF JSON | GitHub Security tab | 90 days
Secrets Scan | JSON | CI/CD artifacts | 90 days
Container Scan | SARIF JSON | GitHub Security + Harbor | 90 days
SBOM (SPDX) | SPDX 2.3 JSON | Harbor OCI artifact | Image lifetime
SBOM (CycloneDX) | CycloneDX 1.5 JSON | Harbor OCI artifact | Image lifetime
DAST Report | HTML + JSON | CI/CD artifacts | 90 days
Image Signature | Cosign OCI signature | Harbor OCI artifact | Image lifetime
SBOM Attestation | In-toto / Cosign attestation | Harbor OCI artifact | Image lifetime
SLSA Provenance | SLSA v0.2 / In-toto v0.1 | Harbor OCI artifact | Image lifetime
ISSM Approval Record | GitHub Environment log | GitHub audit log | Indefinite
Pipeline Run Log | GitHub Actions log | GitHub | 90 days

8 Fail Criteria & Enforcement

Gate | Fail Condition | Enforcement
GATE 1 | Semgrep ERROR findings | Pipeline aborts, no image built
GATE 2 | SBOM generation fails | Pipeline aborts, no image pushed
GATE 3 | Any secret detected | Pipeline aborts, credential rotation required
GATE 4 | CRITICAL CVE in image | Pipeline aborts, base image update required
GATE 5 | HIGH-risk DAST alerts | Finding tracked, remediation required per SLA
GATE 6 | ISSM rejects | Pipeline aborts, developer fixes and resubmits
GATE 7 | Signing failure | Image not deployable (Kyverno blocks unsigned)
GATE 8 | Push failure | Image not available for deployment

9 Evidence Package (Enclosures)
Enclosure (1): Pipeline Architecture
Pipeline workflow files: ci/github-actions/build-scan-deploy.yaml
GitLab CI equivalent: ci/gitlab-ci/build-scan-deploy.gitlab-ci.yml
DAST workflow: ci/github-actions/dast-scan.yaml
GitOps update workflow: ci/github-actions/update-gitops.yaml
Enclosure (2): Security Gate Evidence
Sample SAST report (Semgrep SARIF output)
Sample secrets scan report (Gitleaks JSON output)
Sample container scan report (Trivy SARIF output)
Sample SBOM (SPDX JSON + CycloneDX JSON)
Sample DAST report (OWASP ZAP HTML output)
Sample ISSM approval log (GitHub Environment deployment log)
Sample signed image verification (cosign verify output)
Enclosure (3): Tool Inventory
Complete tool listing with versions, licenses, and download sources (Section 4)
Tool update and patching process documentation
Enclosure (4): Sample Pipeline Run
Complete CI/CD run log showing all 8 gates passing
Artifact download links for all outputs
Timeline showing gate execution sequence
Enclosure (5): Admission Control Configuration
Kyverno verify-image-signatures policy YAML
Kyverno restrict-image-registries policy YAML
Harbor project configuration with Trivy scanning enabled
cosign verify command demonstrating signature validation
10 Points of Contact

Role | Name | Email | Phone
System Owner | | |
ISSM | | |
ISSO | | |
Lead Engineer | | |

11 Certification Request

I certify that the CI/CD pipeline tools listed in Section 4 have been configured, tested, and validated to implement all 8 RAISE security gates as defined in reference (a). The pipeline enforces automated security scanning, manual ISSM review, cryptographic image signing, and admission control verification for all container images deployed to the SRE platform.

I request the Technical Authority review and certify these tools for use in the SRE RPOC.

RPOC System Owner / ISSM

Signature
Printed Name
Title
Date
Organization

Technical Authority Disposition

CERTIFIED — CI/CD pipeline tools meet RAISE requirements
CERTIFIED WITH CONDITIONS — See comments below
NOT CERTIFIED — See deficiencies below
Comments
Signature
Printed Name
Title
Date
Appendix A: How to Generate Evidence

Run these commands to collect evidence artifacts for the submission package:

Step 1 — Trigger a certification pipeline run
# Run a complete pipeline (triggers all 8 gates)
git tag v1.0.0-cert && git push origin v1.0.0-cert

Step 2 — Download artifacts from GitHub Actions run
# After the pipeline completes, download the artifacts from the GitHub Actions run

Step 3 — Verify image signature
cosign verify --key cosign.pub harbor.sre.internal/team-alpha/demo-app:v1.0.0-cert

Step 4 — Verify SBOM attestation
cosign verify-attestation --key cosign.pub \
  --type spdxjson harbor.sre.internal/team-alpha/demo-app:v1.0.0-cert

Step 5 — Verify SLSA provenance
cosign verify-attestation --key cosign.pub \
  --type slsaprovenance harbor.sre.internal/team-alpha/demo-app:v1.0.0-cert

Step 6 — Export Kyverno admission policy
kubectl get clusterpolicy verify-image-signatures -o yaml

Step 7 — Export image registry restriction policy
kubectl get clusterpolicy restrict-image-registries -o yaml

Step 8 — Export Harbor scan results
# Harbor UI > Project > Repository > Artifacts > View scan results

Step 9 — Export Kyverno policy reports
kubectl get policyreport -A -o yaml > kyverno-policy-reports.yaml
kubectl get clusterpolicyreport -o yaml > kyverno-cluster-policy-reports.yaml

Appendix B: Tool Update Process

When a CI/CD tool requires a version update:

1. Test updated tool in the development environment pipeline

2. Verify all 8 gates still function correctly with the new version

3. Update version pin in pipeline workflow files

4. Document the change in the CHANGELOG

5. Notify the ISSM of the tool version change

6. If a tool is being replaced (not just updated), coordinate with the SCA and AO per SLA Section 16