
SFC - DevOps & Infrastructure

The SEAL Framework Checklist (SFC) for DevOps & Infrastructure provides guidelines for securing development environments, source code management, CI/CD pipelines, and cloud infrastructure. It covers governance, supply chain security, deployment controls, and smart contract operations.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Development Environment

Documented DevOps Security Policies
Do you maintain documented security policies governing development and infrastructure operations (environment standards, access controls, deployment procedures)?
Accountability for DevOps Security
Is there a clearly designated person or team accountable for development and infrastructure security (policy maintenance, security reviews)?
Development Environment Isolation
Do you maintain requirements for development environment isolation and separation from production systems?
Development Tools Approval
Do you maintain criteria for evaluating and approving development tools before use (IDEs, IDE extensions, AI coding assistants)?

Section 2: Source Code Management

Repository Access Control
Do you maintain access control procedures for source code repositories with role-based permissions?
Repository Security Controls
Do you enforce repository security controls for protected branches (branch protection, commit signing, multi-party review)?
Secret Scanning
Do you maintain procedures for scanning source code for accidentally committed secrets?
External Contributor Review
Do you have procedures for enhanced review of code contributions from external collaborators?
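
The Secret Scanning item above asks for a procedure; the script below is an added example of the detection logic such a procedure usually rests on, written for this page and not taken from the SEAL framework or any scanner. It combines fixed patterns for credentials with a known shape (AWS access key IDs, PEM private-key headers, GitHub tokens) with a generic rule for secret-looking assignments whose value must also be high-entropy, so that placeholders such as "changeme" are not reported. Rule names, the entropy threshold and the sample settings file are this example's own choices; the AWS values are Amazon's documented placeholders.

```python
"""Secret scanning over source text: an added example, not SEAL's tooling."""
import math
import re
from dataclasses import dataclass

# Credentials with a recognisable shape. Names are this example's own.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# name = "value" or name: "value" where the name suggests a secret and the
# quoted value is at least 8 characters long. The value is then checked for
# entropy so that obvious placeholders pass.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|password|passwd|token|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits/char: random tokens score ~4.5+, words ~2.5-3


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    match: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per suspected secret, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_known = False
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, rule, m.group(0)))
                matched_known = True
        if matched_known:
            continue  # a specific rule already covers this line
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high-entropy-assignment", value))
    return findings


# Constructed sample file. The AWS values are Amazon's documented example
# credentials; the GitHub token is a made-up string in the real token's shape.
SAMPLE = """\
# settings.py (constructed sample)
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme"
github_token = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
-----BEGIN RSA PRIVATE KEY-----
(key material omitted from the sample)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.match}")
```

Run over the sample it reports the key ID, the secret key assignment, the token and the private-key header, and stays silent on `db_password = "changeme"`. In a real pipeline the same function would run as a pre-commit hook and in CI over the diff of each push; the entropy threshold trades false positives against misses and should be tuned on your own repositories.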

Section 3: Dependency & Supply Chain Security

Package Verification
Do you maintain procedures for verifying package authenticity and preventing supply chain attacks (trusted sources, typosquatting detection)?
Dependency Vulnerability Management
Do you maintain procedures for dependency vulnerability management (vulnerability scanning, version pinning, periodic audits)?

Section 4: CI/CD Pipeline Security

Pipeline Change Controls
Do you require approval controls for modifications to deployment pipelines and build configurations?
Secrets Management
Do you maintain procedures for secure management of pipeline and application secrets?
Pipeline Access Controls
Do you enforce access controls for pipeline execution (service account separation, restricted manual deployment)?

Section 5: Infrastructure Security

Infrastructure as Code
Do you maintain requirements for managing infrastructure through code with version control and security review?
Infrastructure Access Controls
Do you maintain procedures for infrastructure access controls (individual accounts, time-limited privileges, break-glass procedures)?
Backup and Disaster Recovery
Do you maintain procedures for backup and disaster recovery with periodic testing?

Section 6: Cloud & Vendor Security

Cloud Security Monitoring
Do you maintain procedures for monitoring cloud security configurations and administrative activity?
Cloud Provider Notifications
Do you have procedures for receiving and responding to cloud service provider security notifications?