We Moved SOC 2 Controls into Our CI/CD Pipeline - Here's What Actually Happened

General
1

Six months ago, our security team announced we were implementing “compliance as code.” As a senior engineer who’s seen plenty of security theater, I was skeptical. But I have to admit: this actually worked, though not quite how we expected.

Why We Did This

Context matters. Our startup needed SOC 2 Type 2 certification to close enterprise deals. Traditional approach would’ve been spreadsheets, quarterly reviews, scrambling before audits. Instead, our CISO pitched: “What if we treat compliance controls like any other code requirement?”

What We Actually Built

Here’s our implementation:

Policy-as-Code with Open Policy Agent (OPA): We wrote compliance policies as code that run in our CI/CD pipeline. Examples:

  • No hardcoded secrets in code (detects API keys, passwords)
  • All production deployments require code review approval
  • Container images must come from approved registries
  • Database access requires encrypted connections
  • Audit logs can’t be disabled

Automated Evidence Collection: Instead of manually gathering screenshots and logs for auditors, we built automation:

  • Git commit history for code review evidence
  • CI/CD logs showing automated security scans
  • Infrastructure-as-code diffs showing change management
  • Automated daily snapshots of security configurations

Continuous Control Monitoring: Rather than quarterly compliance checks, our controls are validated on every deploy. Our dashboard shows compliance posture in real-time.

The Wins

After six months, here’s what actually improved:

40% Faster Audit Prep: Last quarter’s audit prep took 2 weeks instead of 5. Evidence was already collected and organized.

Controls Checked Every Deploy: We catch compliance violations before they reach production. No more “oops, someone disabled logging in production.”

Fewer Surprises: Quarterly compliance reviews used to surface issues that had been accumulating for months. Now we know our posture continuously.

Security and Dev Alignment: Compliance requirements are visible to everyone, not buried in wiki pages no one reads.

The Pain Points (Let’s Be Honest)

It wasn’t all smooth:

Learning Curve: Writing policies in Rego (OPA’s language) was foreign to most developers. Took a few weeks of ramp-up.

False Positives: Early on, our policies were too strict. We’d block legitimate deploys because of overzealous rules. Tuning policies is an ongoing process.

Maintaining Policies Alongside Code: Policies need updates when our architecture changes. This is extra maintenance burden, even if it’s worth it.

Not Everything Fits: Some SOC 2 controls (like background checks, physical security) can’t be automated. We still have manual processes for those.

Is This Actually Worth It?

Here’s my honest take: Yes, but with caveats.

Compliance-as-code is a game-changer for technical controls. It shifts security left (catching issues early) and makes compliance visible to engineering. The time savings during audits alone justify the investment.

But it’s not a silver bullet. You still need people who understand both compliance requirements and your technical architecture. The tools enable the process; they don’t replace thinking.

Also, your organization needs to be ready for this. If your development team sees compliance as “someone else’s problem,” automation won’t magically fix that culture gap.

Questions for the Community

I’m curious about others’ experiences:

  • Who else has embedded compliance checks in their CI/CD pipelines? What tools are you using?
  • How do you handle false positives without developers just ignoring policy failures?
  • Any advice on maintaining policies as your architecture evolves?
  • Have you found ways to automate the non-technical SOC 2 controls, or is that just manual forever?

With Gartner predicting that 70% of enterprises will integrate compliance-as-code by 2026, I figure we’re early but not alone in this journey. What’s working (or not working) for your teams?

2

Alex, this is exactly the journey my EdTech company just started, and your honesty about the pain points is refreshing. The technical implementation is genuinely the easier part - the cultural shift is what’s challenging.

The Culture Problem

When we first announced compliance-as-code, the reaction from our engineering team was… mixed. Some developers saw it as “compliance slowing us down” and “more process.” They’d built a culture around moving fast, and any new checks felt like friction.

Here’s what I learned: positioning matters enormously.

We initially framed it as “security requirements you must follow.” That created an adversarial dynamic - security as the gatekeeper saying “no.”

We reframed it as “automated safety checks that catch issues before customers do.” That shifted the narrative from compliance burden to engineering quality.

Making Compliance Teams Embedded Partners

The breakthrough came when we changed how our compliance and security teams worked with product engineering:

Before: Compliance team did quarterly audits, found violations, filed tickets. Reactive and adversarial.

After: Compliance engineers embedded with product squads from sprint planning onward. They helped developers understand requirements and design compliant features from day one. Proactive and collaborative.

This meant hiring differently - we needed compliance people who could pair program and review pull requests, not just write audit reports.

The Paradox: Moving Faster by Caring About Compliance

Here’s the counterintuitive result: our feature velocity actually increased after implementing compliance-as-code.

Why? Because we stopped having security fires post-launch that required emergency fixes and rollbacks. We stopped having surprise audit findings that forced engineering scrambles.

Catching issues in CI/CD is orders of magnitude faster than catching them in production.

Last quarter, we shipped 23 major features to production with zero post-launch security incidents. Previously we averaged 3-4 security issues per quarter that required hot fixes.

Questions for You, Alex

How did you handle developer pushback? Did you have engineers who just… ignored policy failures or tried to work around them?

We had one team that kept requesting “exceptions” for their service. Turned out their architecture genuinely needed different policies, not that they were trying to bypass controls. But it took a while to figure that out.

Also curious: do you have different policy strictness for different environments? We’re more lenient in dev/staging and strict in production, but I worry that creates a gap where issues only surface late.

3

I never thought about “compliance UX” before reading this thread, but Alex, your false positives problem is exactly a UX issue.

When developer experience is bad, people work around the system. I’ve seen this in design systems - if the components are hard to use, developers build custom ones and bypass the system entirely.

The Developer Experience of Compliance

Think about what you’re asking developers to do:

  1. Understand compliance requirements (often written in legal language)
  2. Write code that satisfies those requirements
  3. Debug policy failures (in a language - Rego - they don’t know)
  4. Context-switch between feature work and compliance fixes

If any of those steps is painful, compliance-as-code becomes compliance theater. Developers will find workarounds.

What Good Compliance DX Looks Like

I’m working on a design system that bakes accessibility compliance in by default. Here’s what we learned:

Clear Error Messages: Instead of “Policy violation: WCAG-1.4.3”, we show “Color contrast too low: #777 on #fff (3.2:1). Need 4.5:1 for normal text. Try #595959 instead.”

Compliance tools should do the same. Not just “secret detected” but “Possible API key on line 47. If this is a test fixture, move it to /tests/fixtures. If it’s real, use environment variables.”

Actionable Fixes: Even better, suggest the fix. “Run git-secrets --scan to remove this” or “Use GitHub Secrets instead: docs link.”

Visual Integration: In design tools, we show compliance status right in the UI. Compliance checks in CI/CD should be equally visible - dashboard that’s actually useful, not buried in Jenkins logs.

The Cultural Point

Keisha’s point about positioning resonates. As a designer, I know that how you present something changes how people receive it.

“Your code failed compliance” feels like criticism.
“This check caught a potential security issue before production” feels like value.

Same information, completely different emotional response.

Question for Alex: Did you involve developers in designing the compliance checks? Or was it handed down from security? I’m betting the teams that helped write the policies understand them better.

4

Alex, this is absolutely the future. What you’re describing is the logical evolution of “shift left” for security - we’re now doing the same thing for compliance.

Policy Engines Need Governance Too

One critical addition to your setup that I’d recommend: immutable audit trails for all policy decisions.

It’s not enough to enforce policies. You need to prove:

  • Which policy version was active when this deploy happened
  • Who approved the policy (policies themselves need code review)
  • Why this specific control exists (link to SOC 2 requirement)
  • When violations occurred and how they were remediated

This is where Keisha’s point about embedded compliance engineers matters. Someone needs to own the governance of the governance.

The SLSA Framework Alignment

For teams serious about this, I recommend aligning with SLSA (Supply-chain Levels for Software Artifacts). SLSA provides a framework for:

  • Build provenance (who built what, when, from what source)
  • Hermetic builds (reproducible, no external dependencies during build)
  • Two-person review for changes
  • Signed attestations

This maps beautifully to SOC 2 requirements around change management and access controls. You’re already doing some of this with your code review requirements.

Real-World Results Match Gartner’s Prediction

You mentioned Gartner predicting 70% of enterprises will adopt compliance-as-code by 2026. I’m seeing this with my fintech clients - the ones who implemented this early are seeing 15-20% improvements in lead time, exactly as predicted.

The key difference between successful and struggling implementations: treating compliance infrastructure with the same rigor as production infrastructure.

Failed implementations:

  • Policies in a separate repo that’s rarely updated
  • Manual policy deployment (ironic, right?)
  • No testing for policies before they go live
  • Policy failures get ignored because they’re too noisy

Successful implementations:

  • Policies versioned alongside application code
  • CI/CD for the policies themselves
  • Test suites for policies (“this code should fail the secret detection”)
  • Gradual rollout with monitoring

SBOM Generation in the Pipeline

One more thing: your automated evidence collection should include SBOM (Software Bill of Materials) generation. With the rise of supply chain attacks, knowing exactly what dependencies are in your builds is increasingly critical for both security and compliance.

We’re seeing SOC 2 auditors specifically ask about dependency tracking now. EU AI Act will require this for AI systems. Better to build it into your pipeline from the start.

Question for you: How are you handling policy changes that would break existing code? Do you have a deprecation process?

5

This is fascinating from a data perspective. Alex, I’m curious: how are you measuring the effectiveness of your compliance-as-code implementation?

The Measurement Challenge

You mentioned 40% faster audit prep, which is great. But that’s a lagging indicator - you only know if it worked after the audit.

What I’m wondering: what are your leading indicators? How do you know your compliance posture is actually improving day-to-day, not just that you’re better at generating evidence?

Metrics I’d Want to Track

If I were designing the measurement framework for this:

Leading Indicators:

  • Policy violations caught per week (higher might be good - you’re catching more)
  • Time to remediation (from policy failure to fix merged)
  • False positive rate (tracking if this improves over time)
  • Policy coverage (% of SOC 2 controls that are automated)

Adoption Indicators:

  • % of deploys that pass all policies first try
  • Number of policy exception requests (should decrease over time)
  • Developer surveys on perceived friction

Business Indicators:

  • Time from “compliance requirement identified” to “control implemented”
  • Audit findings (should approach zero over time)
  • Security incidents related to compliance gaps

The Problem: You Can’t A/B Test Compliance

Unlike product features where you can A/B test changes, compliance is binary - you’re either compliant or you’re not. So how do you iterate and improve?

My suggestion: treat policies like experiments.

When you add a new policy:

  1. Start in “monitor only” mode - track violations but don’t block
  2. Measure: How many violations? Are they real issues or false positives?
  3. Tune the policy based on data
  4. Graduate to “blocking” mode
  5. Track: Did violation rate drop? Did time-to-fix improve?

This is essentially feature flagging for compliance policies.

Questions for Alex

  • What metrics are you actually tracking beyond “passed audit”?
  • How do you know if a policy is too strict vs too lenient?
  • Are you measuring developer productivity impact? (Story cycle time, deploy frequency, etc.)
  • Do you have dashboards that show compliance posture to engineering teams?

I ask because in ML, we learned the hard way that “it feels like it’s working” is not the same as “data shows it’s working.” Curious if compliance-as-code has the same challenge.