_private/qwestly-private-docs/SOC2/evidence/ci-cd/ci-cd-system-in-use.md

CI/CD System in Use - SOC2 Evidence

Date: June 2026

Executive Summary

Qwestly runs a hybrid CI/CD pipeline: GitHub Actions handles security validation, secret detection, and automated code review on every pull request and merge to main, while Vercel handles building, preview/production deployment, and instant rollback. All code reaches production through reviewed pull requests with required passing status checks, producing a complete, attributable audit trail.

SOC2 Trust Services Criteria Addressed

Criteria Control Objective How CI/CD Satisfies It Status
CC6.1 Logical access controls GitHub MFA + RBAC; deployments gated behind branch protection and Vercel access ✅ Implemented
CC6.6 Data processing integrity Vercel build gate ensures only valid, compiling code is deployed; pre-commit hooks catch failures locally before code reaches the remote ✅ Implemented
CC6.7 Data transmission / secrets security Secrets stored in GitHub Secrets / Vercel env; TruffleHog blocks committed credentials; all traffic over HTTPS/TLS ✅ Implemented
CC7.1 System monitoring Trivy vulnerability scan runs on every push/PR; results sent to GitHub Security tab ✅ Implemented
CC8.1 Change management Mandatory PRs, peer + automated review, required status checks before merge, full Git/Actions audit trail ✅ Implemented

Pipeline Architecture

[Local git hooks] → runs unit tests before every commit; blocks on failure

Pull Request / Push to main
        │
        ├─► GitHub Actions (validation layer)
        │     ├─ Security Scanning      → Trivy (filesystem vuln scan) → GitHub Security tab + artifact
        │     ├─ Compliance Checks      → TruffleHog (secret detection on the PR diff)
        │     └─ Claude Code Review     → automated AI review, posts findings as PR comments
        │
        └─► Vercel (deployment layer)
              ├─ Build gate             → `NODE_ENV=production next build` must succeed; refuses deploy on failure
              ├─ PR opened              → automatic preview deployment
              ├─ Merge main             → production deployment
              └─ Rollback               → one-click revert via deployment history

Pre-commit (local hooks): unit tests run before every commit; blocks on failure — catches issues before they leave the developer machine. Validation layer (GitHub Actions): security, compliance, and code-review gates on every PR/push. Deployment layer (Vercel): build gate, hosting, environment separation, rollback.

GitHub Actions Workflows (Verified)

The workflows below are taken directly from the live candidate repository (.github/workflows/). The same pattern is applied across Qwestly's application repositories per the canonical CI/CD System Documentation.

1. Security & Compliance Pipeline — ci-cd.yml

Triggers: push to main, pull_request to main Permissions (least privilege): contents: read, security-events: write, actions: read

Job Tool Purpose Output
security-scan Trivy (aquasecurity/trivy-action) Filesystem vulnerability + dependency scan SARIF uploaded to GitHub Security tab; results also retained as a build artifact (30-day retention)
compliance-checks TruffleHog (trufflesecurity/trufflehog) Detect secrets/credentials introduced in the PR diff Fails the check if a verified secret is found

Key control points:

  • Trivy results upload to the GitHub Security tab (github/codeql-action/upload-sarif), with an artifact fallback so scan evidence is always retained.
  • TruffleHog scans the diff between the PR base and head, so newly introduced secrets are caught before merge.

2. Automated Code Review — claude-code-review.yml

Triggers: pull_request (opened, synchronize) and PR comments containing codebot (manual re-run). Permissions: contents: read, pull-requests: write, issues: read, id-token: write

  • Every PR receives an automated review (anthropics/claude-code-action) that reads the diff, compares against previously flagged issues, and posts a summary comment (optionally inline comments when the INLINE_COMMENTS repo variable is set to true).
  • Reviewers can re-trigger the review by commenting codebot after pushing more commits.
  • Runtime is capped (timeout-minutes: 15) and bot authors are allow-listed (qwestly, dependabot).

This provides a consistent automated reviewer on top of human peer review for every change.

Repositories In Scope

Repository Purpose CI/CD Coverage
candidate Candidate-facing portal Trivy + TruffleHog + Claude Code Review (verified in this doc); Vercel deploy
public-site Marketing website Per canonical CI/CD doc; Vercel deploy
api-python Python backend services Per canonical CI/CD doc (security scan, Python quality, compliance)

Pre-commit hooks (hooks/): Installed via npm run install-hooks (cp hooks/* .git/hooks/). On every commit, unit tests (vitest) run automatically. If any test fails, the commit is blocked — issues are caught at the developer's machine before code reaches GitHub. The candidate CI workflow currently focuses on security and secret scanning; full lint/test enforcement in CI is tracked as a continuous-improvement item.

Change Management Controls (CC8.1)

  • Mandatory pull requests — no direct commits to main; all changes flow through PRs.
  • Required status checks — Security Scanning, Compliance Checks, and Claude Code Review run on every PR; a PR cannot merge until required checks pass (enforced via GitHub branch protection).
  • Peer review — at least one human approval required in addition to the automated review.
  • Audit trail — Git commit history (author + timestamp), GitHub Actions run logs, and Vercel deployment history give end-to-end, attributable traceability from commit to production.
  • Rollback — production can be reverted instantly from the Vercel deployment history.

Deployment Layer (Vercel)

  • Build gate: Vercel runs NODE_ENV=production next build before every deployment. If the build fails (TypeScript errors, compilation failure, etc.), the deployment is refused — no broken code reaches staging or production.
  • Preview deployments are created automatically for every PR, giving a tested environment before merge.
  • Production deployments are triggered only by merges to main.
  • Environment variables / secrets are managed in the Vercel dashboard (not committed to source).
  • Rollback is one click via deployment history.

Testing & Validation

What When Result
Confirmed ci-cd.yml runs Trivy + TruffleHog on PR/push to main June 2026 ✅ Verified from live workflow file
Confirmed claude-code-review.yml runs automated review on every PR June 2026 ✅ Verified from live workflow file
Confirmed least-privilege workflow permissions June 2026 contents: read default; elevated scopes granted per job only
Branch protection / required checks June 2026 ✅ Settings screenshot captured (evidence item 2)

Continuous Improvement

  • Review cadence: Annual (per audit window) plus on any material pipeline change.
  • Change control for the pipeline: workflow edits go through the same PR + review process as application code.
  • Tracked improvement: enable full lint/unit/E2E enforcement in the candidate CI workflow (currently enforced locally via pre-commit hooks; adding to CI would provide a cloud-based fail-stop at the PR level).
  • Next review: June 2027 (or at next significant CI/CD change).