This checklist highlights common CI/CD-related red flags under DORA Article 28.
Each item represents a situation frequently identified during audits as a third-party ICT risk failure.
If one or more items apply, auditors may classify the CI/CD platform or supplier as high-risk or non-compliant.
CI/CD Third-Party Red Flags Checklist (Quick Review)
Governance & Exit Strategy
- ⬜ No documented exit plan for CI/CD SaaS platforms
- ⬜ Exit plan exists but has never been tested technically
- ⬜ No ability to export historical CI/CD logs and artifacts
- ⬜ Pipelines cannot be redeployed on an alternative platform
CI/CD Infrastructure & Isolation
- ⬜ CI jobs run on shared or multi-tenant runners without clear isolation guarantees
- ⬜ Runner isolation mechanisms are undocumented or unknown
- ⬜ CI execution environment is controlled entirely by the provider
- ⬜ Secrets are exposed to third-party execution contexts
Supplier & Sub-Processor Visibility
- ⬜ CI/CD SaaS provider is not listed in the ICT third-party inventory
- ⬜ Sub-processors (cloud, runners, registries) are not identified
- ⬜ No risk classification for CI/CD-related third parties
- ⬜ Supplier criticality does not influence applied controls
Contractual & Legal Controls
- ⬜ CI/CD contracts do not include audit or inspection rights
- ⬜ Audit rights exist but are not practically enforceable
- ⬜ No contractual incident notification SLA
- ⬜ Exit and termination clauses are missing or unclear
Evidence & Auditability
- ⬜ CI/CD logs are retained for a short or undefined period
- ⬜ Approval and change records are not traceable
- ⬜ Artifact metadata and provenance are missing
- ⬜ Evidence is collected manually only during audits
CI/CD Governance & Policy Enforcement
- ⬜ No approval gates for pipeline changes
- ⬜ Unrestricted use of marketplace plugins or actions
- ⬜ No version pinning or review for third-party CI/CD components
- ⬜ Controls vary across pipelines without justification
Auditor-Style Checklist (Yes / No)
| Checkpoint | Yes | No |
|---|---|---|
| CI/CD platforms are included in the ICT third-party inventory | ⬜ | ⬜ |
| CI/CD suppliers are risk-classified | ⬜ | ⬜ |
| Exit strategies exist and are technically feasible | ⬜ | ⬜ |
| CI runners are isolated and controlled | ⬜ | ⬜ |
| Sub-processors are identified and governed | ⬜ | ⬜ |
| Audit rights are contractually defined | ⬜ | ⬜ |
| Incident notification SLAs are in place | ⬜ | ⬜ |
| CI/CD logs are retained and protected | ⬜ | ⬜ |
| Approvals and policy gates are enforced | ⬜ | ⬜ |
| Evidence can be produced on demand | ⬜ | ⬜ |
Red Flags Explained (Audit Interpretation)
| Red Flag | Why Auditors Care | Expected Control |
|---|---|---|
| No exit plan | Vendor lock-in risk | Tested technical exit strategy |
| Shared runners | Confidentiality & integrity risk | Isolated or dedicated runners |
| No sub-processor visibility | Hidden risk exposure | Full supply chain mapping |
| No audit rights | No independent verification | Enforceable audit clauses |
| No evidence retention | Controls cannot be proven | Automated log retention |
How Auditors Use This Checklist
Auditors do not expect zero risk.
They expect:
- risks to be identified,
- controls to be enforced,
- evidence to be available and consistent.
Multiple unchecked items in the same category often result in:
- high-risk classification,
- remediation plans,
- follow-up audits.
How to Use This Checklist Internally
Recommended usage:
- run it before an audit,
- run it after onboarding a new CI/CD provider,
- include it in third-party risk reviews,
- link it to your CI/CD Security Checklist and Evidence Pack.
Related Content
- Third-Party Risk in CI/CD Pipelines under DORA Article 28
- DORA Article 28 Evidence Pack — What to Show Auditors
- DORA Article 28 Architecture — Explained
- CI/CD Security Checklist for Enterprises
