TEHUTI EKEMA
DevSecOps · Compliance

Secure CI/CD for Federal Workloads

Built and hardened CI/CD pipelines for multiple federal agencies, folding automated code analysis and vulnerability scanning into the path to production while holding the line on NIST and FedRAMP controls.

Role: Cloud Engineer
Org: Procentrix
Period: 2022–Present
GitHub Actions · Azure DevOps · SonarQube · GitHub Advanced Security · NIST · FedRAMP

Context

Federal software delivery has to be fast and auditable. Each release needs a defensible trail showing that code was scanned, dependencies were checked, and compliance controls held — without turning the pipeline into a bottleneck that teams route around.

Approach

Pipelines were designed as the enforcement point, following the DoD Enterprise DevSecOps reference patterns and OWASP guidance.

  • Static analysis and dependency scanning in-line — SonarQube and GitHub Advanced Security run on every change, so quality and vulnerability gates are part of merging, not a separate audit later.
  • Container security across Docker/Kubernetes workloads, with image and configuration checks shifted left into the build.
  • Infrastructure as Code (Terraform, ARM, Bicep) plus PowerShell/Bash automation, so environments are reproducible and reviewable rather than hand-built.
  • Compliance controls wired in — Microsoft Purview and Microsoft Sentinel configured to align delivery with NIST, FedRAMP, and data-handling requirements (GDPR/HIPAA where applicable).
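As an added illustration, not the original page's or Procentrix's pipeline, this GitHub Actions workflow has the shape the first two bullets describe: GitHub Advanced Security (CodeQL) and SonarQube run on every pull request, the SonarQube step fails when the quality gate fails, and the scan output is retained as part of the release record. The Python codebase, the `SONAR_TOKEN`/`SONAR_HOST_URL` names and the SARIF retention step are assumptions.

```yaml
# Added example, not the page's or Procentrix's own pipeline.
# Assumed: a Python service in this repo, a SonarQube server whose URL is in
# the SONAR_HOST_URL repository variable and whose token is in SONAR_TOKEN.
name: merge-gates

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # CodeQL uploads findings to GitHub code scanning

jobs:
  codeql:
    name: GHAS CodeQL
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python           # assumption: Python codebase
          queries: security-extended  # broader suite than the default
      - uses: github/codeql-action/analyze@v3
        with:
          output: codeql-results      # SARIF written here as well as uploaded
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif-${{ github.sha }}   # scan record tied to the commit
          path: codeql-results

  sonarqube:
    name: SonarQube quality gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # full history so new-code metrics are accurate
      - uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        with:
          # Wait for the server's verdict and fail this step if the gate fails,
          # so the PR check turns red instead of only reporting.
          args: -Dsonar.qualitygate.wait=true

# Both job names are then listed under "Require status checks to pass" in the
# branch protection rule for main, so a failed gate blocks the merge.
```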

Outcome

Secure-by-default delivery: every artifact reaching production carried an automated record of the scans and gates it passed, giving agency stakeholders the audit trail they need while keeping engineers shipping.
