Third-Party Risk in CI/CD Pipelines under DORA Article 28

DORA Article 28 requires financial entities to manage the risks introduced by third-party ICT service providers.

In modern software delivery, CI/CD pipelines are among the systems with the heaviest third-party dependence in the organization.

Git platforms, CI runners, plugins and artifact registries are not merely tooling choices: they are integrated external services that directly influence software integrity, availability and operational resilience.

This article focuses specifically on third-party risk within CI/CD pipelines, explaining where these risks arise, how DORA Article 28 applies, and which controls auditors expect to see enforced.

[Figure: DORA Article 28 — Tools → Controls → Evidence. Diagram mapping enterprise DevSecOps tooling to enforceable CI/CD controls and resulting audit evidence, with cross-cutting DORA Article 28 third-party governance requirements. Cross-cutting (Article 28): supplier governance, contract clauses, monitoring, exit plan, evidence retention. Tools: Git / source hosting; CI/CD orchestrator + runners; registries + dependencies; cloud runtime + observability. Controls: access control + MFA + SoD; approvals + policy gates; integrity: SBOM + signing + provenance; monitoring + incident workflows. Evidence: audit logs + access reviews; approvals and change traceability; SBOM + attestations + signatures; monitoring data + incident records. Tip: under DORA Article 28, tools are acceptable only if they enforce controls and continuously produce auditable evidence.]

[Figure: CI/CD Red Flags — DORA Article 28 (Third-Party Risk). Enterprise CI/CD diagram highlighting third-party risk failures auditors frequently flag in Git, CI/CD SaaS, runners, registries and cloud runtime: Git hosting (GitHub / GitLab SaaS): no audit rights; CI/CD SaaS orchestrator: no exit plan; CI runners (cloud execution): shared runners; registries (artifacts + images): no retention; cloud runtime (prod services): no sub-processor view. Engineer remediation hints: tested exit strategy (CI/CD), dedicated / isolated runners, supplier + sub-processor map, centralized logs + retention. Auditor rule: if controls cannot produce time-bound evidence on demand, they are treated as ineffective under Article 28. Focus areas: CI/CD platform scope, contractual auditability, runner isolation, sub-processor governance, and evidence retention.]

Why CI/CD Pipelines Are a Concentration Point for Third-Party Risk

CI/CD pipelines aggregate multiple external dependencies into a single execution flow:

  • source code is hosted externally,
  • builds often run on shared or managed infrastructure,
  • third-party code is downloaded automatically,
  • artifacts are stored and distributed by external services.
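As an added illustration (not part of the original article), a Python check that inventories the external dependencies a single workflow pulls in and flags the two items above that auditors ask about first: builds on shared vendor-hosted runners and third-party code fetched by a mutable reference instead of an immutable digest or commit. The workflow dict, the action references, the commit SHA and the runner-label heuristic are all assumptions constructed for this example.

```python
import re
# Constructed example input: a GitHub Actions workflow in the dict form a YAML
# parser returns. Refs, the SHA and job names are invented for this illustration.
WORKFLOW = {"jobs": {
    "build": {
        "runs-on": "ubuntu-latest",  # vendor-hosted, shared runner pool
        "steps": [
            {"uses": "actions/checkout@v4"},  # mutable tag: can be re-pointed later
            {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
            {"uses": "docker://alpine:3.19"},  # image by tag, no digest
        ],
    },
    "deploy": {"runs-on": ["self-hosted", "linux"],  # dedicated runner labels
               "steps": [{"uses": "./.github/actions/deploy"}]},  # in-repo action
}}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
HOSTED_RUNNER_RE = re.compile(r"^(ubuntu|windows|macos)-")  # assumed shared-pool labels

def classify_ref(uses: str) -> dict:
    """Classify one `uses:` value and whether it is pinned to immutable content."""
    if uses.startswith("./"):
        return {"kind": "local", "ref": uses, "pinned": True}
    if uses.startswith("docker://"):
        return {"kind": "container-image", "ref": uses, "pinned": "@sha256:" in uses}
    _, _, version = uses.partition("@")
    return {"kind": "action", "ref": uses, "pinned": bool(SHA_RE.match(version))}

def inventory(workflow: dict) -> list:
    """List every external dependency a workflow pulls in: runners and `uses:` refs."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        runs_on = job.get("runs-on", "")
        labels = runs_on if isinstance(runs_on, list) else [runs_on]
        shared = any(HOSTED_RUNNER_RE.match(label) for label in labels)
        findings.append({"kind": "runner", "job": job_name, "ref": ",".join(labels), "shared": shared})
        for step in job.get("steps", []):
            if "uses" in step:
                findings.append({**classify_ref(step["uses"]), "job": job_name})
    return findings

def red_flags(findings: list) -> list:
    """Reduce the inventory to the items an Article 28 review would flag."""
    flags = []
    for f in findings:
        if f["kind"] == "runner" and f["shared"]:
            flags.append(f"{f['job']}: shared vendor-hosted runner '{f['ref']}'")
        elif f["kind"] in ("action", "container-image") and not f["pinned"]:
            flags.append(f"{f['job']}: unpinned {f['kind']} '{f['ref']}'")
    return flags
```

Running `red_flags(inventory(WORKFLOW))` on the constructed workflow reports the shared runner, the tag-pinned checkout action and the digest-less container image, while the SHA-pinned action, the in-repo action and the self-hosted job produce nothing.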

From DORA's perspective, CI/CD pipelines represent:

  • high-impact ICT dependencies,
  • with privileged access,
  • operating at machine speed,
  • and capable of propagating failures or compromises directly into production.

As a result, CI/CD platforms must be treated as third-party ICT services within the scope of Article 28.