_private/qwestly-private-docs/SOC2/evidence/ci-cd/ci-cd-system-in-use.md
Table of Contents
CI/CD System in Use - SOC2 Evidence
Date: June 2026
Executive Summary
Qwestly runs a hybrid CI/CD pipeline: GitHub Actions handles security validation, secret detection, and automated code review on every pull request and merge to main, while Vercel handles building, preview/production deployment, and instant rollback. All code reaches production through reviewed pull requests with required passing status checks, producing a complete, attributable audit trail.
SOC2 Trust Services Criteria Addressed
| Criteria | Control Objective | How CI/CD Satisfies It | Status |
|---|---|---|---|
| CC6.1 | Logical access controls | GitHub MFA + RBAC; deployments gated behind branch protection and Vercel access | ✅ Implemented |
| CC6.6 | Data processing integrity | Vercel build gate ensures only valid, compiling code is deployed; pre-commit hooks catch failures locally before code reaches the remote | ✅ Implemented |
| CC6.7 | Data transmission / secrets security | Secrets stored in GitHub Secrets / Vercel env; TruffleHog blocks committed credentials; all traffic over HTTPS/TLS | ✅ Implemented |
| CC7.1 | System monitoring | Trivy vulnerability scan runs on every push/PR; results sent to GitHub Security tab | ✅ Implemented |
| CC8.1 | Change management | Mandatory PRs, peer + automated review, required status checks before merge, full Git/Actions audit trail | ✅ Implemented |
Pipeline Architecture
[Local git hooks] → runs unit tests before every commit; blocks on failure
Pull Request / Push to main
│
├─► GitHub Actions (validation layer)
│ ├─ Security Scanning → Trivy (filesystem vuln scan) → GitHub Security tab + artifact
│ ├─ Compliance Checks → TruffleHog (secret detection on the PR diff)
│ └─ Claude Code Review → automated AI review, posts findings as PR comments
│
└─► Vercel (deployment layer)
├─ Build gate → `NODE_ENV=production next build` must succeed; refuses deploy on failure
├─ PR opened → automatic preview deployment
├─ Merge main → production deployment
└─ Rollback → one-click revert via deployment history
Pre-commit (local hooks): unit tests run before every commit; blocks on failure — catches issues before they leave the developer machine. Validation layer (GitHub Actions): security, compliance, and code-review gates on every PR/push. Deployment layer (Vercel): build gate, hosting, environment separation, rollback.
GitHub Actions Workflows (Verified)
The workflows below are taken directly from the live candidate repository (.github/workflows/). The same pattern is applied across Qwestly's application repositories per the canonical CI/CD System Documentation.
1. Security & Compliance Pipeline — ci-cd.yml
Triggers: push to main, pull_request to main
Permissions (least privilege): contents: read, security-events: write, actions: read
| Job | Tool | Purpose | Output |
|---|---|---|---|
security-scan |
Trivy (aquasecurity/trivy-action) |
Filesystem vulnerability + dependency scan | SARIF uploaded to GitHub Security tab; results also retained as a build artifact (30-day retention) |
compliance-checks |
TruffleHog (trufflesecurity/trufflehog) |
Detect secrets/credentials introduced in the PR diff | Fails the check if a verified secret is found |
Key control points:
- Trivy results upload to the GitHub Security tab (
github/codeql-action/upload-sarif), with an artifact fallback so scan evidence is always retained. - TruffleHog scans the diff between the PR base and head, so newly introduced secrets are caught before merge.
2. Automated Code Review — claude-code-review.yml
Triggers: pull_request (opened, synchronize) and PR comments containing codebot (manual re-run).
Permissions: contents: read, pull-requests: write, issues: read, id-token: write
- Every PR receives an automated review (
anthropics/claude-code-action) that reads the diff, compares against previously flagged issues, and posts a summary comment (optionally inline comments when theINLINE_COMMENTSrepo variable is set totrue). - Reviewers can re-trigger the review by commenting
codebotafter pushing more commits. - Runtime is capped (
timeout-minutes: 15) and bot authors are allow-listed (qwestly,dependabot).
This provides a consistent automated reviewer on top of human peer review for every change.
Repositories In Scope
| Repository | Purpose | CI/CD Coverage |
|---|---|---|
candidate |
Candidate-facing portal | Trivy + TruffleHog + Claude Code Review (verified in this doc); Vercel deploy |
public-site |
Marketing website | Per canonical CI/CD doc; Vercel deploy |
api-python |
Python backend services | Per canonical CI/CD doc (security scan, Python quality, compliance) |
Pre-commit hooks (
hooks/): Installed vianpm run install-hooks(cp hooks/* .git/hooks/). On every commit, unit tests (vitest) run automatically. If any test fails, the commit is blocked — issues are caught at the developer's machine before code reaches GitHub. ThecandidateCI workflow currently focuses on security and secret scanning; full lint/test enforcement in CI is tracked as a continuous-improvement item.
Change Management Controls (CC8.1)
- Mandatory pull requests — no direct commits to
main; all changes flow through PRs. - Required status checks — Security Scanning, Compliance Checks, and Claude Code Review run on every PR; a PR cannot merge until required checks pass (enforced via GitHub branch protection).
- Peer review — at least one human approval required in addition to the automated review.
- Audit trail — Git commit history (author + timestamp), GitHub Actions run logs, and Vercel deployment history give end-to-end, attributable traceability from commit to production.
- Rollback — production can be reverted instantly from the Vercel deployment history.
Deployment Layer (Vercel)
- Build gate: Vercel runs
NODE_ENV=production next buildbefore every deployment. If the build fails (TypeScript errors, compilation failure, etc.), the deployment is refused — no broken code reaches staging or production. - Preview deployments are created automatically for every PR, giving a tested environment before merge.
- Production deployments are triggered only by merges to
main. - Environment variables / secrets are managed in the Vercel dashboard (not committed to source).
- Rollback is one click via deployment history.
Testing & Validation
| What | When | Result |
|---|---|---|
Confirmed ci-cd.yml runs Trivy + TruffleHog on PR/push to main |
June 2026 | ✅ Verified from live workflow file |
Confirmed claude-code-review.yml runs automated review on every PR |
June 2026 | ✅ Verified from live workflow file |
| Confirmed least-privilege workflow permissions | June 2026 | ✅ contents: read default; elevated scopes granted per job only |
| Branch protection / required checks | June 2026 | ✅ Settings screenshot captured (evidence item 2) |
Continuous Improvement
- Review cadence: Annual (per audit window) plus on any material pipeline change.
- Change control for the pipeline: workflow edits go through the same PR + review process as application code.
- Tracked improvement: enable full lint/unit/E2E enforcement in the
candidateCI workflow (currently enforced locally via pre-commit hooks; adding to CI would provide a cloud-based fail-stop at the PR level). - Next review: June 2027 (or at next significant CI/CD change).