Signed promotion first. Admission control second. Evidence emission everywhere.
The boundary was solid. The pipeline shipping into it was not.
This is a redacted write-up of a real engagement: a HIPAA CI/CD pipeline overhaul for an AI SaaS vendor, the third engagement after a FedRAMP boundary build and a Kubernetes migration.
After the FedRAMP authorization architecture shipped and the Kubernetes migration brought the production workload onto EKS, the team turned to a problem they had been deferring: the HIPAA-side CI/CD pipeline still ran on patterns inherited from before either of the previous engagements.
The pipeline produced container images, ran tests, and pushed to ECR. But:
The team understood the gaps. The next HITRUST i1 cycle was on the calendar, and the prior boundary review had flagged the pipeline as a known risk. The scope was clear: rebuild the pipeline so HIPAA controls are enforced structurally, not by human discipline, and produce evidence that survives the audit window.
Three architectural commitments shaped the rebuild. Every artifact reaching production must carry a cryptographic provenance chain from source commit through admission. The cluster itself must reject any workload that fails policy, with the rejection logged as evidence. And every gate decision, scan result, and admission verdict must emit to a write-once store that outlives the deploy that produced it.
```
┌── GitHub Actions Workflow (HIPAA build) ──────────────────────────────────────────────┐
│                                                                                       │
│  ┌──────────┐   ┌──────────────┐   ┌────────────┐   ┌──────────────┐   ┌───────────┐  │
│  │  Lint    │──▶│  Build &     │──▶│  Security  │──▶│  Sign        │──▶│  Push     │  │
│  │  + Test  │   │  SBOM        │   │  Scan      │   │  (Cosign)    │   │  to ECR   │  │
│  └────┬─────┘   │  (Syft)      │   │  (Trivy +  │   │  + Attest    │   └─────┬─────┘  │
│       │         └──────┬───────┘   │  Semgrep)  │   └──────┬───────┘         │        │
│       │                │           └─────┬──────┘          │                 │        │
│       └────────────────┴─────────────────┴─────────────────┴─────────────────┘        │
│                                          │                                            │
│                                 Evidence: each step                                   │
│                            emits to S3 (Object Lock 7yr)                              │
└──────────────────────────────────────────┬────────────────────────────────────────────┘
                                           │
                                           ▼
                          ┌──────────────────────────────────┐
                          │  EKS Cluster (HIPAA workloads)   │
                          │                                  │
                          │  ┌────────────────────────────┐  │
                          │  │ OPA Gatekeeper Admission   │  │
                          │  │  - Verify Cosign signature │  │
                          │  │  - Check SBOM presence     │  │
                          │  │  - Reject unsigned images  │  │
                          │  │  - Log admission verdict   │  │
                          │  └────────────────────────────┘  │
                          │                                  │
                          │  Pod → Service → Production      │
                          └──────────────────────────────────┘
                                           │
                                           ▼
                            All decisions → Evidence stream
                          (Athena queryable, retention-locked)
```
Because the FedRAMP boundary and the Kubernetes platform had already shipped, this work inherited their identity, KMS topology, logging architecture, and network segmentation. It slotted into that infrastructure rather than introducing parallel patterns.
Reusable GitHub Actions workflow. Versioned, called by reference rather than duplicated. It runs the security gates, signs artifacts, enforces SBOM generation, and emits evidence. New services adopting the platform inherit the controls by calling the workflow.
Cosign signing infrastructure. Keys in AWS KMS inside the FedRAMP boundary, signing identity federated from the existing IdP via OIDC. No long-lived signing credentials anywhere. The signature includes SLSA Level 3 provenance.
OPA Gatekeeper admission policies. Reject any image without a valid Cosign signature. Reject events are logged with full context (image, signature attempted, policy that rejected, time, namespace) to the evidence stream. Engineers cannot bypass admission because the cluster refuses to schedule workloads that fail policy.
Centralized evidence pipeline. The same evidence bucket from the FedRAMP engagement, extended with HIPAA-specific streams: signed artifact emissions, admission decisions, scan results, SBOM publications. Athena query layer over the top. The Splunk SIEM connection from the prior work continues to consume the stream through the same cross-account read role.
Audit query interface. Pre-built Athena queries for the questions HITRUST i1 assessors ask most: which images reached production with valid signatures over a date range, which deployments added new dependencies, which admission events were rejected, which SBOMs contain a specific vulnerable component. Seconds, not reconstruction work.
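To make the admission-policy and audit-query components above concrete, here is an added model (not the engagement's Gatekeeper policies or Athena queries) of the decision a Pod admission request goes through and the evidence record each verdict leaves behind. It assumes a constructed trust store standing in for cosign verification results, an assumed signer identity string, and a plain list standing in for the write-once evidence stream.

```python
from datetime import datetime, timezone

# Constructed trust store: what cosign verification against the KMS-backed key would
# report for each image digest. Identity string and digests are assumptions for the demo.
EXPECTED_SIGNER = "hipaa-build@kms"  # assumed OIDC-federated signing identity
SIGNED = {
    "sha256:1111": {"signer": "hipaa-build@kms", "sbom_attested": True},
    "sha256:2222": {"signer": "hipaa-build@kms", "sbom_attested": False},
    "sha256:3333": {"signer": "dev-laptop", "sbom_attested": True},
}

def check_image(image: str) -> tuple:
    """Return (policy_that_rejected, signer_seen); policy is '' when the image passes."""
    if "@sha256:" not in image:
        return "require-digest-reference", None  # tags are mutable; only digests are signed
    digest = image.split("@", 1)[1]
    verification = SIGNED.get(digest)
    signer = verification["signer"] if verification else None
    if signer != EXPECTED_SIGNER:
        return "require-cosign-signature", signer
    if not verification["sbom_attested"]:
        return "require-sbom-attestation", signer
    return "", signer

def admit(review: dict, evidence: list, now: datetime = None) -> dict:
    """Decide a v1 AdmissionReview for a Pod; append one verdict record per container image."""
    req = review["request"]
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    denied = []
    for container in req["object"]["spec"]["containers"]:
        policy, signer = check_image(container["image"])
        # Full context is recorded for allow and reject alike: image, signature attempted,
        # policy that rejected, time, namespace.
        evidence.append({"time": stamp, "namespace": req["namespace"],
                         "image": container["image"], "signature_attempted": signer or "none",
                         "verdict": "reject" if policy else "allow", "policy": policy or None})
        if policy:
            denied.append(f"{container['image']}: {policy}")
    response = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {"code": 403, "message": "; ".join(denied)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

def rejected_since(evidence: list, since: str) -> list:
    """One of the assessor questions: which admission events were rejected after a point in time?"""
    return [e for e in evidence if e["verdict"] == "reject" and e["time"] >= since]
```

A rejected Pod never schedules, and the reject record is what the Athena layer later answers from; the allow records are equally important, since "which images reached production with valid signatures" is a query over them.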
"Hired Lucas to overhaul our CI/CD pipelines in a HIPAA environment and he absolutely delivered. He rebuilt our pipelines with proper artifact promotion, added security scanning, and tightened up our deployment process so we're now both faster and more compliant. Deployment time dropped significantly and the audit trail is now clean."
Ryan S., CTO @ AI SaaS
| Outcome | Detail |
|---|---|
| 100% | production images signed with verifiable provenance |
| 7 yr | evidence retention with cryptographic integrity |
| 0 | findings on the post-rebuild HITRUST i1 readiness review for pipeline-related controls |
The rebuild closed every gap flagged during the prior boundary review related to CI/CD architecture. The team has since adopted the reusable workflow across additional repos, so each new service inherits the controls by calling the workflow rather than rebuilding them. The pattern compounds rather than ages.
Inheriting the boundary from prior work. The signing keys live in the KMS topology from the FedRAMP engagement. The evidence bucket is the same one the boundary review created. Multi-engagement relationships compound when each new engagement extends the prior architecture instead of running alongside it.
Admission control as the enforcement layer. Signing is only as strong as the verification at the consumption point. OPA Gatekeeper at admission time is what makes the signing meaningful: the cluster refuses to schedule unsigned images, and the refusal is logged. Engineers cannot bypass the control by writing a different pipeline, because the cluster refuses what the pipeline does not produce.
Reusable workflow as the compliance contract. Publishing the pipeline as a reusable workflow turns it from a per-repo template into an organization-level artifact. New services inherit the controls by calling it. The compliance contract becomes a property of the platform, not a discipline the team has to remember to apply.
Originally published at stonebridgetechsolutions.com.
Stonebridge Tech Solutions builds compliance-grade cloud infrastructure for healthcare and defense teams. If you want a rough read on your own control count and first-cycle audit cost, the scope estimator takes about two minutes.