Security
The DevOps / GitOps Platform holds the keys to the kingdom — it commits code, builds it, and ships it to production. Its security model is correspondingly strict: every action is authenticated, authorized, tenant-isolated, secret-safe, and audited.
Target Architecture — Final-State Design
The controls below align with the Governance, Security & Compliance Platform, which owns the policy engine and audit ledger this platform integrates with.
Authentication
- All API and gRPC calls require an OAuth2 / OpenID Connect bearer token issued by the factory authorization server (`ConnectSoft.AuthorizationServerTemplate`).
- Agents authenticate as workload identities (client-credentials flow) with short-lived tokens; humans authenticate interactively via Studio.
- Service-to-service calls and worker message consumption use managed identities (Azure AD) — no static credentials in code or config.
Authorization
- Coarse-grained OAuth scopes per bounded context: `devops.repositories.write`, `devops.pipelines.run`, `devops.releases.plan`, `devops.releases.approve`, `devops.iac.provision`, etc.
- Fine-grained, attribute-based decisions (tenant, project, environment, module) are evaluated by the Governance policy engine before sensitive actions.
- Segregation of duties — `POST /releases/{releaseId}/approve` requires an identity distinct from the release planner; production promotions can require a human approver.
- Least privilege: each service holds only the scopes it needs; provisioning and approval are separate roles.
Tenant Isolation
- Every request carries a tenant context (`ConnectSoft.Extensions.Saas.AspNetCore`); handlers assert `tenantId` against the operation scope before any store access.
- NHibernate global filters enforce `tenantId` at the data layer so no query can cross tenants.
- Blob containers, Azure Artifacts feeds, ACR repositories, and Git repositories are namespaced per tenant/project; cross-tenant access is structurally impossible.
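The approval endpoint from the Authorization section, combined with the tenant assertion described here, as an added illustration that is not the platform's own code: the `ITenantContext`, `IReleaseStore` and `Release` types, the `tid` claim name and the DI registrations are assumptions standing in for the real ConnectSoft abstractions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical stand-ins: the real tenant context comes from ConnectSoft.Extensions.Saas.AspNetCore,
// and the real store sits behind NHibernate's tenantId global filter.
public interface ITenantContext { string TenantId { get; } }
public sealed record Release(Guid Id, string TenantId, string PlannerSubject, string Status);
public interface IReleaseStore
{
    Task<Release?> GetAsync(Guid releaseId);
    Task ApproveAsync(Guid releaseId, string approverSubject);
}

public static class ReleaseApprovalEndpoint
{
    public const string ApproveScope = "devops.releases.approve";

    public static void Map(WebApplication app) =>
        app.MapPost("/releases/{releaseId:guid}/approve", ApproveAsync).RequireAuthorization();

    public static async Task<IResult> ApproveAsync(
        Guid releaseId, ClaimsPrincipal user, ITenantContext tenant, IReleaseStore store)
    {
        // 1. Coarse-grained authorization: the bearer token must carry the approve scope.
        var scopes = (user.FindFirst("scope")?.Value ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (Array.IndexOf(scopes, ApproveScope) < 0) return Results.Forbid();

        // 2. Tenant assertion before any store access: the token's tenant claim
        //    ("tid" is an assumed claim name) must match the request's tenant context.
        var tokenTenant = user.FindFirst("tid")?.Value;
        if (tokenTenant != tenant.TenantId) return Results.Forbid();

        var subject = user.FindFirst("sub")?.Value ?? user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (subject is null) return Results.Unauthorized();

        // 3. Load under the tenant filter; a release owned by another tenant is simply not found.
        var release = await store.GetAsync(releaseId);
        if (release is null || release.TenantId != tenant.TenantId) return Results.NotFound();

        // 4. Segregation of duties: the identity that planned the release may not approve it.
        if (string.Equals(release.PlannerSubject, subject, StringComparison.Ordinal)) return Results.Forbid();

        await store.ApproveAsync(releaseId, subject);
        return Results.Accepted();
    }
}
```

The redundant `release.TenantId` comparison after the store call is defence in depth: the NHibernate filter is expected to make a cross-tenant hit impossible, and the handler check turns a filter misconfiguration into a 404 rather than a silent approval.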
Secret Handling
- All secrets — Azure DevOps PATs/service connections, registry credentials, cloud provider credentials, signing keys — live in Azure Key Vault, referenced by managed identity at runtime. Nothing is stored in repositories or pipeline YAML.
- Service connections in Azure DevOps are scoped per project and use workload-identity federation where possible, avoiding long-lived secrets.
- Pulumi configuration secrets are encrypted in the Pulumi backend and resolved from Key Vault at apply time.
- Pipeline variables marked secret are masked in logs; generated YAML never inlines a secret value.
- Secret rotation is automated; rotated values propagate via Key Vault references without redeployment.
Supply-Chain Security
- Container images are vulnerability-scanned in ACR; images failing the threshold cannot be promoted.
- NuGet packages are restored only from approved Azure Artifacts feeds; published versions are immutable.
- Commits and (where required) tags are signed; pipeline provenance (build → artifact → image) is recorded for SLSA-style attestation.
- GitOps desired state is the only path to production; ad-hoc cluster changes are reverted by reconciliation.
Audit
- Every state change emits an envelope-wrapped event with `traceId`, `tenantId`, and actor identity; the Governance Platform records release approvals, promotions, and provisioning in an immutable audit ledger.
- Audit records are retained 7 years for releases/approvals (see Storage).
- Human and agent actions are equally attributed and traceable.
Threat Model
| Threat | Mitigation |
|---|---|
| Unauthorized deployment to production | Mandatory approval + policy gate; segregation of duties; GitOps-only path |
| Secret leakage in logs/YAML | Key Vault references; secret masking; no inline secrets |
| Cross-tenant data access | Tenant context assertions + NHibernate filters + namespaced stores |
| Compromised dependency / image | Feed allowlists, immutable versions, image scanning, provenance attestation |
| Pipeline tampering | Generated YAML from trusted templates; protected branches; signed commits |
| Drift / unauthorized cluster change | Continuous GitOps reconciliation reverts out-of-band changes |
| Privilege escalation via agent | Workload identities with least-privilege scopes; short-lived tokens |
Pillar Alignment
- Governance — policy-gated approvals and an immutable audit ledger.
- Multi-tenant scale — isolation enforced at request, data, and storage layers.
- Traceability — every security-relevant action is an attributed, traceable event.