_private/qwestly-docs/CI-CD/index.md

Table of Contents

Continuous Integration / Continuous Deployment Implementation Plan

Our current setup uses separate Next.js applications deployed via Vercel with native GitHub integration. For SOC2 compliance, we have implemented a robust CI/CD pipeline with proper security and compliance controls.

Current Repository Structure

Qwestly operates separate repositories (not a monorepo):

  • qwestly-app - Main application portal
  • candidate - Candidate-facing portal
  • public-site - Public marketing website
  • api-python - Python backend services

Each repository has its own tailored CI/CD pipeline deployed to Vercel.

Implementation Status ✅

Phase 1: Core Pipeline (COMPLETED)

✅ GitHub Actions Workflows Created

  • qwestly-app: Full pipeline with lint-and-test, security scanning, compliance checks
  • candidate: Security scanning and compliance checks (lint-and-test commented out temporarily)
  • public-site: Template ready for deployment
  • api-python: Python-specific pipeline template ready

✅ GitHub Secrets Configured

All repositories configured with necessary secrets:

  • VERCEL_TOKEN - For Vercel API access (if needed)
  • VERCEL_ORG_ID - Organization identifier
  • VERCEL_PROJECT_ID_* - Project-specific identifiers
  • QWESTLY_REGISTRY_GH_TOKEN - For GitHub Packages (candidate app only)

✅ Branch Protection Rules

  • Pull request reviews required (minimum 1 approver)
  • Status checks must pass before merging
  • Administrators included in restrictions
  • Direct commits to main branch blocked

Phase 2: Security Integration (COMPLETED)

✅ Security Tools Active

  • Trivy vulnerability scanning - Detects security vulnerabilities in dependencies
  • TruffleHog secret scanning - Prevents credential leaks
  • GitHub Advanced Security integration - SARIF upload with fallback to artifacts
  • Proper permissions configured - security-events: write for all workflows

✅ Code Quality Pipeline

  • ESLint + Prettier - Code formatting and style consistency
  • TypeScript compilation - Type safety validation
  • npm integration - Proper package manager setup with frozen lockfiles
  • Playwright E2E testing - End-to-end test automation

Phase 3: Deployment Strategy (HYBRID APPROACH)

✅ Vercel Native Integration

Primary deployment method - Leverages Vercel's GitHub integration:

  • Automatic preview deployments on pull requests
  • Production deployments on main branch merges
  • Environment variable management via Vercel dashboard
  • Build optimization handled by Vercel infrastructure
  • Rollback capabilities via Vercel dashboard
  • Optional: skip a deploy for one commit via Ignored Build Step + commit message tag

✅ GitHub Actions Focus

Validation and compliance - CI pipeline focuses on:

  • Security scanning (Trivy vulnerability detection)
  • Compliance validation (TruffleHog secret scanning)
  • Code quality (linting, type checking, testing)
  • Audit trail generation (complete logs for SOC2)

Phase 4: SOC2 Compliance (COMPLETED)

✅ Evidence Collection

  • Workflow permissions - Proper GitHub Actions permissions configured
  • Security scan artifacts - Vulnerability reports stored as artifacts
  • Branch protection exports - GitHub settings documented
  • Access control matrix - Team permissions defined
  • Audit trails - Complete logging for compliance review

Current Pipeline Architecture

Production Workflow

Pull Request → Security Scan + Compliance Checks → Code Quality (main app) → Vercel Preview Deploy
      ↓
   Peer Review + Approval
      ↓  
Merge to Main → Security Scan + Compliance Checks → Vercel Production Deploy

Security & Compliance Layer

Every Commit:
├── Trivy Vulnerability Scan
├── TruffleHog Secret Detection  
├── Code Quality Validation (where enabled)
└── SARIF Upload to GitHub Security Tab

SOC2 Compliance Status

✅ Controls Implemented

Control Implementation Status
CC6.1 - Logical Access GitHub 2FA + RBAC ✅ Active
CC6.2 - Access Authorization Branch protection rules ✅ Active
CC8.1 - Change Management PR approval process ✅ Active
CC6.7 - Data Security Secret scanning + encrypted communication ✅ Active
CC7.1 - System Monitoring Security scanning + audit logs ✅ Active

✅ Evidence Available

  • GitHub repository configuration exports
  • CI/CD workflow definitions
  • Security scan reports and artifacts
  • Deployment audit trails via Vercel
  • Access control documentation

Maintenance and Monitoring

Ongoing Tasks

  • Quarterly access reviews - Review team permissions and repository access
  • Security scan monitoring - Monitor and remediate vulnerability findings
  • Pipeline optimization - Improve performance and reliability
  • Documentation updates - Keep compliance documentation current

Key Metrics Tracked

  • Security scan coverage - 100% of commits scanned
  • PR approval rate - 100% compliance with review requirements
  • Deployment success rate - Tracked via Vercel dashboards
  • Mean time to remediation - For security vulnerabilities

Next Steps

Short Term (Optional Improvements)

  • Uncomment lint-and-test in candidate repository once GitHub Packages token is configured
  • Add FOSSA license scanning for comprehensive license compliance
  • Enable CodeQL for additional static application security testing

Long Term (Enhancements)

  • Add performance testing to pipeline for regression detection
  • Implement automated dependency updates with security focus
  • Enhanced monitoring with custom dashboards and alerting

Team Training Completed

  • GitHub Actions workflow understanding for all developers
  • Branch protection rules and PR process
  • Security scanning interpretation and remediation
  • SOC2 compliance requirements and evidence collection

Last Updated: July 1, 2025
Next Review: October 1, 2025
Document Owner: Dominick Pham, CTO