_private/qwestly-private-docs/SOC2/evidence/ci-cd/README.md
CI/CD Evidence
Evidence supporting the CI/CD system in use Vanta control. See the narrative doc: ../../ci-cd-system-in-use.md.
| File | What it shows | Status |
|---|---|---|
GitHub PR Actions Check, 26-6-29.png |
PR showing the automated Claude Code Review comment (auto code review posts review feedback on every PR) | ✅ Present |
GitHub Branch Protection, 26-6-29.png |
main branch protection: require PR, require status checks, require review |
✅ Present |
GitHub Security Tab Trivy, 26-6-29.png |
GitHub Security tab showing Trivy SARIF results | ✅ Present |
GitHub Dependabot PR, 26-6-29.png |
Dependabot security update merged via PR (vulnerable dependency fixed through reviewed-PR flow) | ✅ Present |
GitHub Actions Run, 26-6-29.png |
A completed Actions run log (security-scan + compliance-checks) | ✅ Present |
Vercel deployment overview, 26-6-29.png |
Vercel deployment dashboard showing production deployment history, release versions, and states | ✅ Present |
Naming: use a YY-M-D date suffix (e.g. 26-6-29), matching the convention used elsewhere in evidence/.