This mapping connects commonly used enterprise DevSecOps and CI/CD tools to the controls required under DORA Article 28 (the general principles for managing ICT third-party risk) and to the evidence auditors expect to review.
The objective is to remove ambiguity about which tool enforces which control, and which evidence demonstrates that the control actually operated.
1. Source Code Management (Git Platforms)
Typical tools
- GitHub Enterprise
- GitLab
- Bitbucket
| Controls enforced | Evidence produced |
|---|---|
| Role-based access control | Repository access logs |
| Segregation of duties (PR vs merge) | Branch protection rules |
| Mandatory reviews & approvals | Pull request history |
| Change traceability | Commit history |
| Third-party access governance | User and token audit logs |
Article 28 relevance:
Hosted Git platforms are ICT third-party service providers whose compromise or misconfiguration directly affects the integrity of source code and of the change-approval trail.
2. CI/CD Orchestration Platforms
Typical tools
- GitHub Actions
- GitLab CI
- Jenkins (managed)
- Azure DevOps Pipelines
| Controls enforced | Evidence produced |
|---|---|
| Pipeline approval gates | Pipeline configuration exports |
| Policy-as-code enforcement | Policy definitions |
| Controlled execution environments | Runner configuration |
| Least privilege pipeline tokens | Token scope configuration |
| Pipeline change logging | CI/CD audit logs |
Article 28 relevance:
CI/CD SaaS platforms are ICT third-party service providers; where they build or deploy systems that support critical or important functions, they must be governed as such (contractual arrangements, register of information, exit planning).
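Three of the controls in the table (least-privilege pipeline tokens, an approval gate in front of deployment, and controlled execution of third-party steps) can be enforced as policy-as-code and made to emit their own evidence. The script below is an added example, not code from any of the platforms listed. WEAK_WORKFLOW and HARDENED_WORKFLOW are constructed GitHub-Actions-style workflows supplied as already-parsed dicts (in practice they would be loaded from YAML); the policy identifier, the gated-environment list and the placeholder commit SHAs are assumptions.

```python
"""Policy-as-code check for a CI/CD pipeline definition (added example).

evaluate() runs three checks over a parsed workflow and returns an evidence
record: a digest of the exact configuration evaluated, a timestamp, and the
findings. Storing that record per pipeline run is the "policy definitions"
plus "CI/CD audit logs" evidence from the table.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: the configuration before the controls are applied.
WEAK_WORKFLOW = {
    "name": "deploy",
    "permissions": "write-all",                        # blanket token rights
    "jobs": {
        "build": {
            "steps": [
                {"uses": "actions/checkout@v4"},       # mutable tag
                {"uses": "some-org/build-tool@main"},  # mutable branch
            ]
        },
        "deploy": {
            "needs": "build",
            "steps": [{"run": "./deploy.sh"}],         # no gated environment
        },
    },
}

# Constructed sample: the same pipeline with the controls applied. The 40-hex
# values are placeholder commit SHAs, not real releases of these actions.
HARDENED_WORKFLOW = {
    "name": "deploy",
    "permissions": {"contents": "read", "id-token": "write"},
    "jobs": {
        "build": {
            "steps": [
                {"uses": "actions/checkout@" + "0" * 39 + "1"},
                {"uses": "some-org/build-tool@" + "0" * 39 + "2"},
            ]
        },
        "deploy": {
            "needs": "build",
            "environment": "production",               # reviewers required here
            "steps": [{"run": "./deploy.sh"}],
        },
    },
}

SHA_PIN = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")
# Assumption: these environments have required-reviewer rules configured on
# the platform; keep this list in step with that platform setting.
GATED_ENVIRONMENTS = {"production"}


def check_permissions(workflow):
    """Least privilege: no default/write-all token; writes only for the OIDC id-token."""
    perms = workflow.get("permissions")
    if perms is None or perms == "write-all":
        return ["token: workflow uses the default or write-all GITHUB_TOKEN"]
    if isinstance(perms, str):          # "read-all" is the only other string form
        return []
    return [f"token: write granted on '{scope}'"
            for scope, level in perms.items()
            if level == "write" and scope != "id-token"]


def check_pinned_actions(workflow):
    """Controlled execution: every 'uses' must reference a full commit SHA, not a tag or branch."""
    return [f"pinning: job '{job}' uses unpinned action '{step['uses']}'"
            for job, spec in workflow["jobs"].items()
            for step in spec.get("steps", [])
            if "uses" in step and not SHA_PIN.match(step["uses"])]


def check_approval_gate(workflow):
    """Approval gate: any job that deploys must run inside a gated environment."""
    findings = []
    for job, spec in workflow["jobs"].items():
        deploys = any("deploy" in step.get("run", "") for step in spec.get("steps", []))
        if deploys and spec.get("environment") not in GATED_ENVIRONMENTS:
            findings.append(f"gate: deploy job '{job}' has no approval-gated environment")
    return findings


def evaluate(workflow):
    """Run all checks and return an evidence record tied to the exact configuration."""
    findings = check_permissions(workflow) + check_pinned_actions(workflow) + check_approval_gate(workflow)
    canonical = json.dumps(workflow, sort_keys=True, separators=(",", ":")).encode()
    return {
        "policy": "cicd-art28-baseline",              # assumed policy identifier
        "config_sha256": hashlib.sha256(canonical).hexdigest(),
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "compliant": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, json.dumps(evaluate(wf), indent=2))
```

The weak configuration produces four findings (blanket token, two unpinned actions, ungated deploy); the hardened one produces none. Running evaluate() as a required pipeline step, and archiving its output, turns the policy into both the control and its evidence.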
3. Build & Dependency Security (SCA / SBOM)
Typical tools
- Snyk
- Dependency-Check
- Mend
- GitHub Dependabot
- Syft / CycloneDX
| Controls enforced | Evidence produced |
|---|---|
| Dependency risk analysis | SCA reports |
| SBOM generation | SBOM files |
| Provenance tracking | Build metadata |
| Vulnerability monitoring | Alerts and reports |
| Supply chain transparency | Dependency inventories |
Article 28 relevance:
Provides visibility into the third-party software components an application depends on, and therefore into the upstream suppliers and subcontracted components behind an ICT service.
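The SBOM and the SCA report in the table are two outputs of one step: inventory the components, then match the inventory against advisories. The following is an added example, not the output of any tool named above. The requirements list and the advisory feed are constructed; the advisory identifiers (ADV-0001 and so on) and their "fixed in" versions are placeholders and do not refer to real vulnerabilities in these packages.

```python
"""Minimal SBOM generation and advisory matching (added example).

sca_report() parses a pinned requirements file into a CycloneDX-shaped JSON
document, hashes that document so the report is tied to one exact SBOM, and
lists every component whose version is below an advisory's fixed version.
"""
import hashlib
import json

# Constructed input: a pinned requirements file as it would sit in the repo.
REQUIREMENTS = """\
requests==2.25.1
urllib3==1.26.5
cryptography==42.0.5
# comments and blank lines are ignored

pyyaml==5.3.1
"""

# Constructed advisory feed: (package, advisory id, first fixed version).
# Placeholder identifiers; not real advisories.
ADVISORIES = [
    ("requests", "ADV-0001", "2.31.0"),
    ("pyyaml", "ADV-0002", "5.4"),
    ("urllib3", "ADV-0003", "1.26.5"),   # fixed at exactly the pinned version
]


def parse_version(version):
    """'1.26.5' -> (1, 26, 5); a non-numeric segment compares as 0."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison with zero padding so '5.4' == '5.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def parse_requirements(text):
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        components.append((name.strip().lower(), version.strip()))
    return components


def build_sbom(components):
    """CycloneDX 1.5-shaped document; purl uses the pkg:pypi scheme."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:pypi/{name}@{version}"}
            for name, version in components
        ],
    }


def match_advisories(components, advisories):
    return [
        {"component": f"{name}@{version}", "advisory": adv_id, "fixed_in": fixed}
        for name, version in components
        for pkg, adv_id, fixed in advisories
        if pkg == name and version_lt(version, fixed)
    ]


def sca_report(requirements_text, advisories=ADVISORIES):
    components = parse_requirements(requirements_text)
    sbom = build_sbom(components)
    sbom_bytes = json.dumps(sbom, sort_keys=True).encode()
    return {
        "sbom": sbom,
        "sbom_sha256": hashlib.sha256(sbom_bytes).hexdigest(),  # binds report to this SBOM
        "findings": match_advisories(components, advisories),
    }


if __name__ == "__main__":
    print(json.dumps(sca_report(REQUIREMENTS), indent=2))
```

The digest matters for evidence: an auditor can confirm that the SCA report they are shown was produced from the SBOM that was archived, rather than from a later or edited inventory.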
4. Artifact Repositories & Registries
Typical tools
- Artifactory
- Nexus
- Docker registries
- Cloud container registries
| Controls enforced | Evidence produced |
|---|---|
| Access control on artifacts | Repository access logs |
| Artifact immutability | Repository configuration |
| Artifact signing | Signatures and verification logs |
| Provenance verification | Attestation records |
| Retention policies | Retention configuration |
Article 28 relevance:
Protects the integrity of build outputs that are stored in, and consumed from, third-party-hosted systems between build and deployment.
5. Runtime & Cloud Platforms
Typical tools
- AWS / Azure / GCP
- Kubernetes platforms
- Managed PaaS services
| Controls enforced | Evidence produced |
|---|---|
| IAM and role separation | IAM policy exports |
| Network isolation | Security group configs |
| Runtime monitoring | Logs and metrics |
| Incident detection | Alerts |
| Availability monitoring | SLA reports |
Article 28 relevance:
Cloud providers are ICT third-party service providers that typically support critical or important functions, and may additionally be designated as critical ICT third-party service providers under DORA's oversight framework.
6. Secrets Management
Typical tools
- HashiCorp Vault
- Cloud-native secret managers
- CI/CD secret stores
| Controls enforced | Evidence produced |
|---|---|
| Centralized secrets storage | Secret inventory |
| Access restriction | Access logs |
| Secret rotation | Rotation records |
| Prevention of hard-coded secrets | Scan reports |
| Auditability | Secret access trails |
Article 28 relevance:
Controls access to the credentials used to reach third-party platforms, and to the secrets those platforms hold on the institution's behalf.
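"Prevention of hard-coded secrets" is enforced by scanning source before it is committed or built, and the scan report is the evidence. Below is an added example of such a scan, not the code of any scanner on the page. SAMPLE_SOURCE is a constructed set of files (the AWS key in it is the documentation example value AKIAIOSFODNN7EXAMPLE, and the GitHub token is a dummy); the rule identifiers and the entropy threshold are assumptions.

```python
"""Pre-commit style scan for hard-coded secrets (added example).

scan_tree() runs a small rule set over file contents and returns a report
with file, line, rule and a redacted match, so the report itself never
re-leaks the credential it found. Low-entropy password assignments such as
placeholders are suppressed to keep the report actionable.
"""
import math
import re
from collections import Counter

# Constructed sample files.
SAMPLE_SOURCE = {
    "config/settings.py": (
        'DB_PASSWORD = "changeme"\n'                     # placeholder, low entropy
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS documentation example key
        'API_SECRET = "S3cr3t!Passw0rd#2024"\n'
    ),
    "scripts/release.sh": (
        "export GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"      # dummy token
        "echo done\n"
    ),
}

# (rule id, pattern). A capture group, when present, isolates the secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("assigned-password", re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def shannon_entropy(value):
    """Bits per character; "changeme" scores 2.75, a real secret usually above 3."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def redact(value):
    """Keep just enough of the match to identify it in a report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text, min_entropy=3.0):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if rule_id == "assigned-password" and shannon_entropy(value) < min_entropy:
                    continue  # placeholder-looking value, not a credential
                findings.append({"file": path, "line": lineno,
                                 "rule": rule_id, "match": redact(value)})
    return findings


def scan_tree(files):
    """files: {path: content}. Returns the scan report used as evidence."""
    report = {"tool": "example-secret-scan", "files_scanned": len(files), "findings": []}
    for path, text in files.items():
        report["findings"].extend(scan_text(path, text))
    report["status"] = "fail" if report["findings"] else "pass"
    return report


if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_SOURCE)["findings"]:
        print(finding)
```

Wire scan_tree() into a pre-commit hook or a required pipeline job and fail the run on status "fail"; the stored report, with its redacted matches, is what an auditor reviews, and it can be shown without exposing the secret a second time.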
7. Monitoring, Logging & SIEM
Typical tools
- Splunk
- Elastic
- Datadog
- Cloud-native logging
| Controls enforced | Evidence produced |
|---|---|
| Centralized log collection | Log ingestion records |
| Monitoring of third-party services | Dashboards |
| Alerting on incidents | Alert logs |
| Incident correlation | Incident tickets |
| Evidence retention | Retention policies |
Article 28 relevance:
Supports continuous monitoring and incident evidence obligations.
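Alerting and incident correlation become evidence only when the detection logic is explicit and its output is stored. The script below is an added example of that logic over Git-platform audit-log lines; it is not taken from any SIEM on the page. AUDIT_LOG is a constructed sample; its action names are modelled on a Git platform's audit-log naming but are assumptions here, so map them to the event names your platform actually emits.

```python
"""Detection and correlation over audit-log lines (added example).

Two single-event rules flag a control being switched off or exposure changing.
One correlation rule links a branch-protection removal to a direct push on the
same branch by the same actor within a window, which is the classic bypass of
mandatory review. Each alert carries the event lines it was built from.
"""
import json
from datetime import datetime, timedelta

# Constructed sample, one JSON object per line as an exported audit log would be.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-02T09:14:00Z", "actor": "alice", "action": "pull_request.merge",
     "repo": "bank/core", "branch": "main"},
    {"ts": "2024-05-02T22:03:10Z", "actor": "bob", "action": "protected_branch.destroy",
     "repo": "bank/core", "branch": "main"},
    {"ts": "2024-05-02T22:05:42Z", "actor": "bob", "action": "git.push",
     "repo": "bank/core", "branch": "main"},
    {"ts": "2024-05-02T22:09:00Z", "actor": "bob", "action": "protected_branch.create",
     "repo": "bank/core", "branch": "main"},
    {"ts": "2024-05-03T10:00:00Z", "actor": "svc-ci", "action": "repo.access",
     "repo": "bank/core", "visibility": "public"},
])


def parse_log(text):
    """Parse JSON lines and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def alert(severity, rule, evidence):
    """Alert record that keeps the raw events it was derived from."""
    return {
        "severity": severity,
        "rule": rule,
        "actor": evidence[0]["actor"],
        "repo": evidence[0]["repo"],
        "evidence": [f'{e["ts"].isoformat()}Z {e["action"]}' for e in evidence],
    }


def detect(events, window=timedelta(minutes=30)):
    alerts = []
    for e in events:
        if e["action"] == "protected_branch.destroy":
            alerts.append(alert("high", "branch-protection-removed", [e]))
        elif e["action"] == "repo.access" and e.get("visibility") == "public":
            alerts.append(alert("high", "repository-made-public", [e]))
    # Correlation: removal followed by a direct push to that branch by the same actor.
    for d in (e for e in events if e["action"] == "protected_branch.destroy"):
        for p in events:
            if (p["action"] == "git.push" and p["actor"] == d["actor"]
                    and p["repo"] == d["repo"] and p.get("branch") == d.get("branch")
                    and d["ts"] <= p["ts"] <= d["ts"] + window):
                alerts.append(alert("critical", "review-bypass-direct-push", [d, p]))
    return alerts


def run(log_text=AUDIT_LOG):
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for a in run():
        print(json.dumps(a))
```

On the sample this yields two high alerts and one critical one; the fact that protection was re-enabled six minutes later is exactly why a point-in-time configuration export would have missed the incident, while the correlated audit events do not.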
8. Identity & Access Management (IAM)
Typical tools
- Enterprise IAM
- Cloud IAM
- SSO platforms
| Controls enforced | Evidence produced |
|---|---|
| Centralized identity management | User inventories |
| MFA enforcement | Authentication logs |
| Role separation | Role definitions |
| Access reviews | Review records |
| Access revocation | Offboarding logs |
Article 28 relevance:
Ensures controlled access to third-party ICT platforms.
9. Governance & Risk Management Platforms
Typical tools
- GRC platforms
- CMDB
- Risk registers
| Controls enforced | Evidence produced |
|---|---|
| Supplier inventory | Supplier registers |
| Risk assessments | Risk reports |
| Criticality classification | Classification records |
| Control ownership | RACI documentation |
| Audit preparation | Evidence repositories |
Article 28 relevance:
Provides governance backbone for third-party ICT risk management.
End-to-End View (Key Insight)
Under DORA Article 28:
- Tools do not equal compliance
- Controls create compliance
- Evidence proves compliance
Tools are acceptable only if they enforce controls and generate verifiable evidence.
How Auditors Use This Mapping
Auditors typically:
- Identify the ICT third-party provider
- Verify controls enforced through tooling
- Request direct evidence outputs
- Validate consistency over time
Any missing link between tool → control → evidence is a potential finding.
Final Takeaway
A DORA-aligned CI/CD environment is one where:
- every third-party tool is governed,
- every control is enforced technically,
- every control produces evidence automatically.
This mapping enables continuous compliance, not last-minute audit preparation.
Recommended Related Content
- DORA Article 28 — Evidence Pack
- DORA Article 28 — Auditor Checklist
- DORA Article 28 — Architecture Explained