SFC - DevOps & Infrastructure
Revision 1.1 · Updated 2026-04-17
The SEAL Framework Checklist (SFC) for DevOps & Infrastructure provides guidelines for securing development environments, source code management, CI/CD pipelines, and cloud infrastructure. It covers governance, supply chain security, deployment controls, and infrastructure access.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Development Environment
di-1.1.1 · DevOps Security Owner
Is there a clearly designated person or team accountable for development and infrastructure security?
Baseline Requirements
- Accountability scope covers policy maintenance, security reviews, access control oversight, pipeline governance, and incident escalation
di-1.1.2 · DevOps Security Policy
Do you maintain documented security policies governing development and infrastructure operations?
Baseline Requirements
- Policy covers environment standards, access controls, deployment procedures, and code management
- Accessible to all developers and infrastructure operators
- Reviewed at least annually and after significant changes (security incidents, technology shifts, organizational restructuring)
di-1.1.3 · Development Environment Isolation
Do you isolate development environments from production systems?
Baseline Requirements
- Development activities performed in containerized or virtualized environments
- Each code repository has its own isolated environment to prevent cross-contamination
- Production credentials not accessible from development environments
- Separate accounts or profiles for development vs. privileged operations (e.g., wallet signing, cloud admin)
- Code execution sandboxed to prevent host system compromise
di-1.1.4 · Development Tools Approval and Approved List
Do you evaluate and approve development tools before organizational use, and maintain an approved tools list?
Baseline Requirements
- Evaluation criteria cover IDEs, extensions, plugins, AI-powered tools, and third-party services
- Extensions and plugins obtained only from official repositories
- AI tools assessed for data privacy risks (does the tool send code to third parties for training or analytics?)
- Approved tool list maintained; unapproved tools restricted
- List reviewed at least annually, including checks for unused or unrecognized installed tools
Section 2: Source Code & Supply Chain Security
di-2.1.1 · Repository Security
Do you enforce security controls on your source code repositories?
Baseline Requirements
- Role-based access control with least-privilege permissions
- Branch protection rules enforced on main/production branches
- Signed commits required for all code changes
- Multi-party code review required for merges to protected branches
- Account controls (phishing-resistant MFA, credential management, access reviews, lifecycle) follow [SFC - Identity & Accounts](/certs/sfc-identity-accounts)
di-2.1.2 · Secret Scanning
Do you scan source code for accidentally committed secrets?
Baseline Requirements
- Automated scanning for committed secrets (API keys, private keys, credentials) in all repositories
- Pre-commit hooks deployed to prevent secrets from being committed in the first place
- Remediation procedures for discovered secrets (immediate rotation, revocation)
- Scanning integrated into CI/CD pipeline
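A minimal pre-commit hook of the kind di-2.1.2 asks for, written as an added example (not part of the SEAL checklist or of any particular scanner): it scans staged content for known credential formats and for high-entropy values assigned to secret-like names, and exits non-zero to block the commit. The AWS key ID and PEM patterns are real formats; the generic rule, the entropy threshold and the allowlist marker are this example's own choices.

```python
import math
import re
from collections import Counter

# AWS key ID prefix and PEM header are real formats; the generic rule is an entropy-gated heuristic.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, dictionary words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_number, finding_kind) for each line that looks like a committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "pragma: allowlist secret" in line:
            continue  # explicit opt-out for documented test fixtures
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None or (kind == "generic_assignment"
                                 and shannon_entropy(match.group(1)) < entropy_threshold):
                continue  # no match, or a low-entropy placeholder such as "changeme"
            findings.append((lineno, kind))
            break  # one finding per line is enough to block the commit
    return findings

def precommit_check(staged_text: str) -> int:
    """Hook exit status: 1 blocks the commit, 0 lets it through."""
    findings = find_secrets(staged_text)
    for lineno, kind in findings:
        print(f"blocked: line {lineno}: possible {kind}")
    return 1 if findings else 0

# Constructed staged content for a stand-alone run; the AWS value is AWS's documented example key.
SAMPLE_STAGED = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password = "changeme_changeme_changeme"
DB_TOKEN = "q7Xz9pL2mN4vB8kR1tYw6sE3"
TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret
"""

if __name__ == "__main__":
    raise SystemExit(precommit_check(SAMPLE_STAGED))
```

In a real hook the staged text would come from `git diff --cached`, and the same `find_secrets` function can be run over the full repository history in CI to satisfy the pipeline-integration requirement.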
di-2.1.3 · External Contributor Review
Do you apply enhanced review for code contributions from external collaborators?
Baseline Requirements
- Additional approvers required for all external code contributions
- Code contributions tracked; unexpected changes flagged (e.g., commit rewrites, unprompted edits)
- External collaborators restricted to minimum necessary repository permissions
- CI/CD pipelines do not automatically execute for external contributor PRs without approval
di-2.1.4 · Dependency and Supply Chain Security
Do you verify and manage dependencies to prevent supply chain attacks?
Baseline Requirements
- Packages sourced from official repositories, verified against typosquatting patterns, and pinned to prevent silent updates
- Dependencies scanned for known vulnerabilities before deployment; regular audits for outdated or vulnerable components
- Changelogs reviewed for dependency updates to verify expected functionality
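Added example (not from the checklist) of a CI check for the di-2.1.4 requirements on pinning and typosquatting: it reads a pip requirements file, flags entries that are not pinned with `==`, pinned entries without a `--hash=` digest, and names that are one edit away from a package on a team-maintained allowlist. The allowlist and the sample file are constructed; the `--hash` option and PEP 503 name normalization are real pip/PyPI conventions.

```python
import re
# Constructed allowlist of reviewed packages; anything else is treated as unreviewed.
KNOWN_PACKAGES = {"requests", "flask", "cryptography", "boto3", "pyyaml"}
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?")

def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503: Requests == requests

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a known name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_requirements(text: str, known=KNOWN_PACKAGES) -> list:
    """Return (logical_line, finding, detail) for unpinned, unhashed or suspicious entries."""
    findings = []
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '\'-continued lines joined, comments dropped
        match = REQ_LINE.match(line)
        if not line or line.startswith("-") or match is None:
            continue  # blank line, pip option such as --index-url, or a URL/VCS requirement
        name, op = normalize(match.group(1)), match.group(2)
        if name not in known:
            near = sorted(k for k in known if edit_distance(name, k) == 1)
            kind = "possible-typosquat" if near else "not-in-allowlist"
            findings.append((lineno, kind, f"{name} -> {near[0]}" if near else name))
        if op != "==":
            findings.append((lineno, "unpinned", name))
        elif "--hash=" not in line:
            findings.append((lineno, "no-hash", name))
    return findings

# Constructed requirements file; the hash value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0
requets==2.31.0
boto3==1.34.0
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(*finding)
```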
Section 3: CI/CD Pipeline Security
di-3.1.1 · Pipeline Security Controls
Do you control who can modify and execute your deployment pipelines?
Baseline Requirements
- Pipeline configuration changes require multi-party approval
- Deployments automated through controlled pipelines using separate service accounts with minimal permissions; manual human deployment restricted
- Pipeline and build configurations version-controlled and reviewed
- Builds are deterministic with strict dependency sets
- Pipeline runners use pinned, versioned images with minimal scope (ephemeral where feasible, limited network egress for build steps)
di-3.1.2 · Secrets Management
Do you securely manage secrets used in pipelines and applications?
Baseline Requirements
- Dedicated secrets management system used (not environment variables in plain text)
- Secrets never stored in source code or unencrypted configuration files
- Production secrets not directly accessible by humans
- Pipeline secrets accessible only by service accounts
- Secret rotation schedule defined; rotation triggered immediately after suspected compromise
di-3.1.3 · Security Testing Integration
Do you integrate security testing into your development and deployment pipelines?
Baseline Requirements
- Static analysis (SAST) tools integrated into CI/CD pipeline
- Dependency vulnerability scanning automated in CI/CD
- Security scan results reviewed before deployment approval
- Testing and validation performed in staging environments before production deployment
Section 4: Infrastructure & Cloud Security
di-4.1.1 · Infrastructure as Code
Do you manage infrastructure through code with version control and review?
Baseline Requirements
- All infrastructure defined and managed through code (e.g., Terraform, CloudFormation)
- Infrastructure changes deployed through automated pipelines with no manual steps
- Infrastructure changes require multi-party approval
- IaC security scanning performed before deployment
- Network architecture defined in code: segmentation (VPCs/subnets), minimal public exposure, firewall/security group rules
di-4.1.2 · Infrastructure Access Controls
Do you enforce least-privilege access controls for infrastructure?
Baseline Requirements
- Account controls (individual accounts with phishing-resistant MFA, no shared logins, credential management, access lifecycle) follow [SFC - Identity & Accounts](/certs/sfc-identity-accounts)
- Privileged access is time-limited and requires multi-party approval (JIT access)
- Day-to-day operations use minimum necessary permissions (read-only where possible)
- Break-glass accounts established for emergency access with individual accountability; usage triggers immediate alerts and post-incident review
- All access activities logged and monitored
di-4.1.3 · Backup and Disaster Recovery
Do you maintain backup and disaster recovery procedures with periodic testing?
Baseline Requirements
- Critical systems have automated backup procedures
- Disaster recovery plan documented with recovery time and recovery point objectives defined
- Backup and recovery procedures tested regularly
- Backups stored independently of primary infrastructure
di-4.1.4 · Cloud Security Monitoring
Do you monitor cloud security configurations and respond to provider security notifications?
Baseline Requirements
- Cloud security configurations continuously monitored for drift and unauthorized changes
- Administrative actions trigger alerts
- Cloud provider security notifications subscribed to and promptly reviewed
- Comprehensive logging enabled (e.g., CloudTrail, Azure Monitor, Google Cloud Logging)
- Multi-cloud strategies considered to reduce single-provider dependency
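Added example (not part of the checklist) tying di-4.1.1's code-defined network rules to di-4.1.4's drift monitoring: it compares security-group rules as declared in code with rules as observed from the cloud, reports rules that differ in either direction, and separately flags any rule opening an admin port to the whole internet. Both rule sets are constructed; a real deployment would load the declared set from IaC state and the observed set from the provider's API.

```python
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # ports that must never be reachable from the whole internet

def rule(group, port, cidr, proto="tcp", direction="ingress"):
    return {"group": group, "direction": direction, "proto": proto,
            "from": port, "to": port, "cidr": cidr}

# Declared state as an IaC module would render it, and observed state as the cloud
# provider's API would return it; both are constructed for this example.
DECLARED_RULES = [
    rule("sg-web", 443, "0.0.0.0/0"),
    rule("sg-web", 22, "10.0.0.0/8"),
    rule("sg-db", 5432, "10.0.1.0/24"),
]
OBSERVED_RULES = [
    rule("sg-web", 443, "0.0.0.0/0"),
    rule("sg-web", 22, "0.0.0.0/0"),    # SSH rule widened by hand in the console
    rule("sg-db", 5432, "10.0.1.0/24"),
    rule("sg-db", 3389, "0.0.0.0/0"),   # RDP rule added out of band
]

def rule_key(r):
    """Canonical, hashable form so ordering and formatting differences do not count as drift."""
    return (r["group"], r["direction"], r["proto"].lower(), int(r["from"]), int(r["to"]),
            str(ip_network(r["cidr"], strict=False)))

def detect_drift(declared, observed):
    """Return (added, removed): rules in the cloud but not in code, and rules in code but gone."""
    want = {rule_key(r) for r in declared}
    have = {rule_key(r) for r in observed}
    return sorted(have - want), sorted(want - have)

def public_admin_exposure(rules):
    """Rules exposing an admin port to any source address; flagged even when declared in code."""
    exposed = []
    for key in map(rule_key, rules):
        _, _, _, low, high, cidr = key
        if ip_network(cidr).prefixlen == 0 and any(low <= p <= high for p in ADMIN_PORTS):
            exposed.append(key)
    return exposed

if __name__ == "__main__":
    added, removed = detect_drift(DECLARED_RULES, OBSERVED_RULES)
    for label, keys in (("rule added out of band", added), ("declared rule missing", removed),
                        ("admin port open to internet", public_admin_exposure(OBSERVED_RULES))):
        for key in keys:
            print(f"ALERT {label}: {key}")
```

Run on a schedule, each non-empty result is the alert the checklist asks for, and the exposure check also serves as the pre-deployment IaC scan when run over the declared set alone.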