DevOps & Infrastructure — Security Checklist

CI/CD security, infrastructure hardening, secrets management, and deployment controls.
Org:
Owner:
Date:

1. Governance & Development Environment

  • Documented DevOps Security Policies
    Do you maintain documented security policies governing development and infrastructure operations (environment standards, access controls, deployment procedures)?
  • Accountability for DevOps Security
    Is there a clearly designated person or team accountable for development and infrastructure security (policy maintenance, security reviews)?
  • Development Environment Isolation
    Do you maintain requirements for development environment isolation and separation from production systems?
  • Development Tools Approval
    Do you maintain criteria for evaluating and approving development tools before use (IDEs, extensions, AI usage)?
Notes:

2. Source Code Management

  • Repository Access Control
    Do you maintain access control procedures for source code repositories with role-based permissions?
  • Repository Security Controls
    Do you enforce repository security controls for protected branches (branch protection, commit signing, multi-party review)?
  • Secret Scanning
    Do you maintain procedures for scanning source code for accidentally committed secrets?
  • External Contributor Review
    Do you have procedures for enhanced review of code contributions from external collaborators?
Notes:

3. Dependency & Supply Chain Security

  • Package Verification
    Do you maintain procedures for verifying package authenticity and preventing supply chain attacks (trusted sources, typosquatting detection)?
  • Dependency Vulnerability Management
    Do you maintain procedures for dependency vulnerability management (scanning, version control, periodic audits)?
Notes:

4. CI/CD Pipeline Security

  • Pipeline Change Controls
    Do you require approval controls for modifications to deployment pipelines and build configurations?
  • Secrets Management
    Do you maintain procedures for secure management of pipeline and application secrets?
  • Pipeline Access Controls
    Do you enforce access controls for pipeline execution (service account separation, restricted manual deployment)?
Notes:

5. Infrastructure Security

  • Infrastructure as Code
    Do you maintain requirements for managing infrastructure through code with version control and security review?
  • Infrastructure Access Controls
    Do you maintain procedures for infrastructure access controls (individual accounts, time-limited privileges, break-glass procedures)?
  • Backup and Disaster Recovery
    Do you maintain procedures for backup and disaster recovery with periodic testing?
Notes:

6. Cloud & Vendor Security

  • Cloud Security Monitoring
    Do you maintain procedures for monitoring cloud security configurations and administrative activity?
  • Cloud Provider Notifications
    Do you have procedures for receiving and responding to cloud service provider security notifications?
Notes: