$ stagg-solutions ~ $ cd capabilities/devsecops practice · for-government / 03
CI: GitLab self-hosted · CD: ArgoCD · progressive rollout · SCOPE: Connected · air-gapped · embedded

Pipelines where the mission demands.

GitOps-driven deployment, signed every step. Air-gapped CI variants that survive DiODE one-way transfer. Embedded firmware to k8s — same scanner gates, same signature chain, same evidence pipeline.

BUILD: Hermetic · reproducible
SIGN: Sigstore · keyless OIDC
SCAN: SAST · DAST · IaC · SBOM
DEPLOY: ArgoCD · canary · blue/green
OBSERVE: OTel · Prometheus · Loki

$ cat pipeline.txt

The pipeline.

// commit to prod · attested at every step
STAGE 01 · Commit & verify: Signed commits enforced. Renovate proposes dep bumps. CI runs on protected branches only. tools: git · sigstore · renovate
STAGE 02 · Scan: SAST, secret-scan, IaC scan, license scan — fail-fast on critical. tools: semgrep · gitleaks · checkov · trivy
STAGE 03 · Build & SBOM: Hermetic build. SBOM generated. Image signed and attached as attestation. tools: buildkit · syft · cosign
STAGE 04 · Test: Unit, integration, contract, DAST against ephemeral preview environment. tools: pytest · k6 · zap · playwright
STAGE 05 · Policy gate: Admission policy verifies signatures, SBOM presence, vuln SLA, control mapping. tools: OPA · kyverno · conftest
STAGE 06 · Deploy: ArgoCD reconciles. Progressive rollout. Auto-rollback on SLO breach. tools: argocd · argo-rollouts · flagger

$ cat air-gap.txt

Air-gapped CI · DiODE-friendly.

// one-way transfer · no return path
// signed-bundle transfer pattern · low side → high side
Low side (commercial / dev) · internet-connected
  git push: signed commit · MR review
  CI build: BuildKit · hermetic
  sign: cosign · keyless OIDC
  bundle: oras · artifact.tar + SBOM + attestations
data diode · one-way
High side (cleared) · no inbound
  ingest: receive bundle
  verify sig: cosign verify · Fulcio chain
  scan + policy: vuln gate · trivy; OPA / kyverno admission · reject: unsigned · CVE breach
  ArgoCD apply: reconcile from enclave mirror · no internet pulls
// no inbound from high side · feedback returns out-of-band on its own diode
// ArgoCD reconciles against a git mirror inside the enclave

$ ls capabilities/devsecops/

What we ship.

// six core capabilities
01 · Self-hosted GitLab · SCM + CI

One control plane for source, CI, registry, package, and pages. Runs in-cluster or on-prem. Group-level CI templates reused across every repo.

  • Group CI templates · zero per-repo boilerplate
  • Runners: docker · dind · shell · cleared TS/SCI tier
  • SAML / OIDC federation · PIV at the admin tier
  • Container registry behind cosign verification gate

02 · GitOps deployment · ArgoCD

The cluster is whatever git says it is. ArgoCD reconciles continuously. Progressive rollouts with Argo Rollouts or Flagger — analysis on real metrics, auto-rollback on breach.

  • App-of-apps pattern · environments are folders, not branches
  • Canary / blue-green / experiment strategies
  • SLO-driven analysis from Prometheus metrics
  • Auto-rollback on error-rate / latency breach

03 · Supply-chain attestation · SLSA L3

Every artifact has a provenance attestation pointing back to the commit, the runner, and the build environment. Admission verifies — if the chain breaks, the deploy doesn't happen.

  • Cosign keyless via Sigstore Fulcio
  • Build provenance per SLSA L3 spec
  • SBOMs in CycloneDX + SPDX · attached as attestations
  • Kyverno / Connaisseur reject anything unverified

04 · Air-gapped CI · DiODE

Signed bundle is the unit of transfer. High-side ingest verifies sig, runs vuln + policy gates, then ArgoCD applies. No inbound from cleared side. Feedback comes back through its own diode.

  • oras-bundled artifacts · sig + SBOM + attestations
  • Manifest sync via signed Gitea / GitLab mirror on the high side
  • Mirror registry (Harbor) for kept-warm base images
  • Renovate runs low-side · proposes bumps · MR review enforced
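As an added illustration of the high-side admission gate described under 03 and 04 above (example configuration, not Stagg's own policy): a Kyverno ClusterPolicy for the enclave cluster that rejects any Pod image not signed keyless by the expected low-side CI identity, lacking a CycloneDX SBOM attestation, or lacking SLSA v1 provenance naming that builder. The registry host, GitLab host, CI job subject and Rekor mirror URL are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enclave-admission-gate
spec:
  validationFailureAction: Enforce   # reject; Audit would only log the failure
  background: false
  rules:
    - name: keyless-sig-sbom-provenance
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.enclave.example.internal/*"   # placeholder: enclave mirror only
          required: true        # matching image with no signature is rejected
          mutateDigest: true    # pin the tag to the digest that was actually verified
          attestors:
            - count: 1
              entries:
                - keyless:
                    # placeholder identity of the low-side CI job that signed the bundle
                    subject: "https://gitlab.example.internal/mission/app//.gitlab-ci.yml@refs/heads/main"
                    issuer: "https://gitlab.example.internal"
                    rekor:
                      url: "https://rekor.enclave.example.internal"   # placeholder: mirrored log
          attestations:
            # SBOM attached with `cosign attest --type cyclonedx`; predicate must be CycloneDX
            - type: https://cyclonedx.org/bom
              attestors:
                - entries:
                    - keyless:
                        subject: "https://gitlab.example.internal/mission/app//.gitlab-ci.yml@refs/heads/main"
                        issuer: "https://gitlab.example.internal"
              conditions:
                - all:
                    - key: "{{ bomFormat }}"
                      operator: Equals
                      value: CycloneDX
            # SLSA v1 provenance from the same builder; absent or mismatched => deploy blocked
            - type: https://slsa.dev/provenance/v1
              attestors:
                - entries:
                    - keyless:
                        subject: "https://gitlab.example.internal/mission/app//.gitlab-ci.yml@refs/heads/main"
                        issuer: "https://gitlab.example.internal"
              conditions:
                - all:
                    - key: "{{ runDetails.builder.id }}"
                      operator: Equals
                      value: "https://gitlab.example.internal/mission/app//.gitlab-ci.yml@refs/heads/main"
```

The trivy vuln-SLA gate from the ingest step is assumed to run before admission and is not part of this policy. When the enclave runs its own Sigstore instance rather than mirroring the public one, the keyless attestor's `roots` field carries the enclave Fulcio CA chain.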

05 · Observability · OTel

One OpenTelemetry collector pipeline. Metrics to Prometheus, logs to Loki, traces to Tempo. eBPF (Pixie / Hubble) for what apps don't emit.

  • OTel collector with org-wide processor pipeline
  • Loki + Prometheus + Tempo + Grafana stack
  • Pixie for zero-instrumentation deep dives
  • SLO library shared across services
  ≤ 30 s log-to-alert
  3 signals: metrics · logs · traces
  eBPF: zero-instrumentation

06 · Embedded & firmware · Yocto

Same pipeline pattern for embedded — Yocto images get the SAST + SBOM + signing treatment. OTA updates verified on-device before swap.

  • Yocto / OpenEmbedded build with reproducible recipes
  • SWUpdate or RAUC for A/B partitioned OTA
  • Image SBOM via create-spdx bbclass
  • Secure boot chain validated on every image

$ cat stack.json

The stack we operate.

// commit to prod
Legend: most popular = industry standard · available = production-ready · coming = trial / assess
SCM & CI (5): GitLab (self-hosted) · GitHub Actions · Gitea · Tekton · Konflux
CD & rollout (5) · GitOps: ArgoCD · Helm · Argo Rollouts · Flagger · Kustomize
Build & package (5) · hermetic-first: BuildKit · Packer · Bazel · Nix · Yocto / OpenEmbedded
Config mgmt (4): Ansible · Terraform · Semaphore · Salt
Sign & verify (5) · SLSA L3: Cosign · Sigstore (Fulcio / Rekor) · in-toto · SLSA L3 · Kyverno
Secrets (4): HashiCorp Vault · AWS Secrets Manager · External Secrets Operator · SOPS
Observability (5) · 3 signals: Prometheus · Grafana · OpenTelemetry · Loki / Tempo · Pixie / Hubble
Mesh / runtime (5): Istio Ambient · Cilium · Falco · Tetragon · WASM filters (Proxy-Wasm)

$ radar --quarter Q2

What's on the tech radar.

// where pipelines are going

Adopt

in production
  • ArgoCD app-of-apps: Single reconcile loop, scales to N envs
  • Renovate auto-bump: CVE patches merged automatically
  • OpenTelemetry collector: One pipeline · three signals
  • oras bundle transfer: Air-gap shipping primitive

Trial

piloting
  • Istio Ambient mesh: ztunnel mTLS · no sidecar tax
  • Pixie eBPF profiling: Zero-instrumentation deep dives
  • Argo Rollouts canary: Metric-analysis driven promotion
  • Konflux / Pipelines as Code: Tekton-native build platforms

Assess

watching
  • WASM proxy filters: Envoy + Proxy-Wasm for custom L7
  • Buildless / Nix flakes: True hermetic build graphs
  • MicroVM sandboxing: Firecracker / Kata containers
  • Backstage IDP: One developer portal across portfolios

$ stagg --scope devsecops

Pipelines that hold up.

Free consultation. Show us your current pipeline. We'll point out where the signing chain breaks, the air-gap leaks, or the manual gates that should be code.

// direct comms

response: within 24 hours
format: free consultation