{"id":688,"date":"2025-12-28T11:47:08","date_gmt":"2025-12-28T10:47:08","guid":{"rendered":"https:\/\/regulated-devsecops.com\/?page_id=688"},"modified":"2026-03-26T09:17:48","modified_gmt":"2026-03-26T08:17:48","slug":"ci-cd-security","status":"publish","type":"page","link":"https:\/\/regulated-devsecops.com\/es\/ci-cd-security\/","title":{"rendered":"CI\/CD Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Pipelines as regulated control systems<\/strong><\/h2>\n\n\n\n<p>In regulated industries, CI\/CD pipelines are not automation tools.<br>They are regulated ICT systems.<\/p>\n\n\n\n<p>They enforce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Who can modify production<\/li>\n\n\n\n<li>Which security checks are mandatory<\/li>\n\n\n\n<li>How approvals are structured<\/li>\n\n\n\n<li>When deployments are allowed<\/li>\n\n\n\n<li>What evidence is generated<\/li>\n<\/ul>\n\n\n\n<p>CI\/CD security is not about scanning code.<br>It is about controlling the flow of change.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CI\/CD Security vs DevSecOps vs Application Security<\/strong><\/h2>\n\n\n\n<p>Security in regulated delivery is layered.<\/p>\n\n\n\n<p><strong>Application Security<\/strong><br>Protects what is built.<br>Secure design, vulnerabilities, dependencies, runtime protection.<\/p>\n\n\n\n<p><strong>DevSecOps<\/strong><br>Protects how teams work.<br>Governance, collaboration, role separation, operating model.<\/p>\n\n\n\n<p><strong>CI\/CD Security<\/strong><br>Protects how change reaches production.<br>Pipelines, approvals, artifact integrity, traceability, enforcement.<\/p>\n\n\n\n<p>CI\/CD Security is the backbone of enforcement.<br>Without it, the other controls remain advisory.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CI\/CD as a regulated enforcement architecture<\/strong><\/h2>\n\n\n\n<p>In enterprise environments:<br>Every production change must pass through a controlled pipeline.<\/p>\n\n\n\n<p>That pipeline must enforce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identity and access control (RBAC, MFA)<\/li>\n\n\n\n<li>Segregation of duties<\/li>\n\n\n\n<li>Mandatory approval gates<\/li>\n\n\n\n<li>Security validation (SAST, SCA, SBOM, signing)<\/li>\n\n\n\n<li>Policy-as-code enforcement<\/li>\n\n\n\n<li>Logging and traceability<\/li>\n<\/ul>\n\n\n\n<p>CI\/CD becomes:<\/p>\n\n\n\n<p>An enforcement engine<br>and<br>An evidence factory<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CI\/CD Architecture: Pipeline \u2192 Enforcement \u2192 Evidence<\/strong><\/h2>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n  <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1000 360\"\n     role=\"img\"\n     aria-labelledby=\"title_0 desc_0\">\n\n  <title id=\"title_0\">CI\/CD Architecture \u2014 Pipeline, Evidence and Approvals<\/title>\n  <desc id=\"desc_0\">\n    Centered CI\/CD architecture showing how pipelines enforce approvals and\n    security controls and generate continuous audit evidence.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n\n      --evidence:#059669;\n      --evidenceSoft:#d1fae5;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:700;font-size:22px;fill:var(--text);}\n    .sub{font-size:14px;fill:var(--muted);}\n    .label{font-weight:600;font-size:14px;fill:var(--text);}\n    .small{font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:6;}\n    .chipText{font-weight:600;font-size:12px;fill:var(--text);}\n\n    .main .card{stroke:var(--accent);}\n    .main .chip{stroke:var(--accent);fill:var(--accentSoft);}\n\n    .evidence .chip{stroke:var(--evidence);fill:var(--evidenceSoft);}\n\n    .flow{fill:none;stroke:var(--stroke);stroke-width:2.5;stroke-linecap:round;}\n    .arrow{marker-end:url(#arrow);}\n    .divider{stroke:var(--stroke);stroke-width:2;stroke-dasharray:6 6;}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9\" refY=\"5\"\n            markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"42\">\n    CI\/CD Architecture \u2014 Pipeline, Evidence &amp; Approvals\n  <\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"68\">\n    CI\/CD as a regulated enforcement and audit system\n  <\/text>\n\n  <!-- Core pipeline -->\n  <g class=\"main\" transform=\"translate(40,110)\">\n    <rect class=\"card\" width=\"520\" height=\"200\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">CI\/CD Pipeline (regulated system)<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">All production changes flow through this pipeline<\/text>\n\n    <g transform=\"translate(18,82)\">\n      <rect class=\"chip\" width=\"484\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"242\" y=\"19\" text-anchor=\"middle\">\n        Access control &amp; segregation of duties (RBAC, MFA)\n      <\/text>\n    <\/g>\n\n    <g transform=\"translate(18,116)\">\n      <rect class=\"chip\" width=\"484\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"242\" y=\"19\" text-anchor=\"middle\">\n        Change approvals &amp; policy gates (mandatory)\n      <\/text>\n    <\/g>\n\n    <g transform=\"translate(18,150)\">\n      <rect class=\"chip\" width=\"484\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"242\" y=\"19\" text-anchor=\"middle\">\n        Security and integrity controls (SAST, SCA, SBOM, signing)\n      <\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Evidence -->\n  <line class=\"divider\" x1=\"600\" y1=\"90\" x2=\"600\" y2=\"350\"\/>\n\n  <g class=\"evidence\" transform=\"translate(640,110)\">\n    <rect class=\"card\" width=\"320\" height=\"200\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">Audit evidence<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">System-generated, continuous<\/text>\n\n    <g transform=\"translate(18,82)\">\n      <rect class=\"chip\" width=\"284\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"19\" text-anchor=\"middle\">\n        Approval and deployment records\n      <\/text>\n    <\/g>\n\n    <g transform=\"translate(18,116)\">\n      <rect class=\"chip\" width=\"284\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"19\" text-anchor=\"middle\">\n        Security scan results and policy decisions\n      <\/text>\n    <\/g>\n\n    <g transform=\"translate(18,150)\">\n      <rect class=\"chip\" width=\"284\" height=\"28\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"19\" text-anchor=\"middle\">\n        Traceability: commit \u2192 artifact \u2192 prod\n      <\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Flow -->\n  <path class=\"flow arrow\" d=\"M560 210 L640 210\"\/>\n\n<\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Centered CI\/CD architecture showing how pipelines enforce approvals and\n    security controls and generate continuous audit evidence.\n  <\/figcaption>\n<\/figure>\n\n\n\n<p>A regulated CI\/CD architecture includes:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Controlled entry<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protected branches<\/li>\n\n\n\n<li>Pull request reviews<\/li>\n\n\n\n<li>Restricted merge rights<\/li>\n\n\n\n<li>Secrets hygiene<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Policy-enforcing pipeline<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mandatory security scans<\/li>\n\n\n\n<li>Dependency validation<\/li>\n\n\n\n<li>Artifact signing<\/li>\n\n\n\n<li>Approval gates<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Controlled release<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Segregated deployment roles<\/li>\n\n\n\n<li>Policy-enforced promotion<\/li>\n\n\n\n<li>Environment restrictions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Continuous evidence generation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Approval records<\/li>\n\n\n\n<li>Security scan results<\/li>\n\n\n\n<li>Deployment history<\/li>\n\n\n\n<li>Artifact traceability (commit \u2192 build \u2192 artifact \u2192 prod)<\/li>\n<\/ul>\n\n\n\n<p>Evidence must be generated automatically, not reconstructed manually.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Secure CI\/CD pipeline lifecycle<\/strong><\/h2>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n  <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n       viewBox=\"0 0 1200 420\"\n       role=\"img\"\n       aria-labelledby=\"gp-rds-title gp-rds-desc\"\n       class=\"gp-rds-svg\">\n\n    <title id=\"gp-rds-title\">\n      DevSecOps\n    <\/title>\n\n    <desc id=\"gp-rds-desc\">\n      SAST applied at developer level for fast feedback and in CI\/CD pipelines\n      for policy enforcement, alongside SCA and SBOM.\n    <\/desc>\n\n    <style>\n    \/* Default = light *\/\n    :root{\n      --bg: transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n    }\n\n    \/* Optional dark theme *\/\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      --card:#0b1220;\n      --accent:#60a5fa;\n      --accentSoft:#0b2a55;\n    }\n\n    .txt{font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial;}\n    .title{font-weight:700; font-size:22px; fill:var(--text);}\n    .sub{font-weight:500; font-size:14px; fill:var(--muted);}\n    .label{font-weight:600; font-size:14px; fill:var(--text);}\n    .small{font-weight:500; font-size:12px; fill:var(--muted);}\n\n    .card{\n      fill:var(--card);\n      stroke:var(--stroke);\n      stroke-width:1.5;\n      rx:14;\n    }\n\n    \/* \ud83d\udd34 Here: oval \u2192 rectangle conversion *\/\n    .chip{\n      fill:transparent;\n      stroke:var(--stroke);\n      stroke-width:1.5;\n      rx:6;\n    }\n\n    .chipText{font-weight:600; font-size:12px; fill:var(--text);}\n\n    .band{\n      fill:transparent;\n      stroke:var(--stroke);\n      stroke-width:1.5;\n      rx:18;\n      stroke-dasharray:6 6;\n    }\n\n    .hl .chip{stroke:var(--accent); fill:var(--accentSoft);}\n    .hl .card{stroke:var(--accent);}\n    .dim{opacity:.45;}\n\n    .flow{fill:none; stroke:var(--stroke); stroke-width:2.5; stroke-linecap:round; stroke-linejoin:round;}\n    .arrow{marker-end:url(#arrow);}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto-start-reverse\">\n      <path d=\"M 0 0 L 10 5 L 0 10 z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <rect x=\"0\" y=\"0\" width=\"1200\" height=\"420\" fill=\"var(--bg)\"\/>\n  <text class=\"txt title\" x=\"40\" y=\"48\">CI\/CD Security<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">Secure CI\/CD pipeline lifecycle<\/text>\n\n  <g>\n    <rect class=\"band\" x=\"40\" y=\"320\" width=\"1120\" height=\"70\" \/>\n    <text class=\"txt bandText\" x=\"60\" y=\"345\">CROSS-CUTTING CONTROLS<\/text>\n\n    <g transform=\"translate(60,356)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"160\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"80\" y=\"19\" text-anchor=\"middle\">Logging<\/text>\n    <\/g>\n    <g transform=\"translate(240,356)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"180\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"80\" y=\"19\" text-anchor=\"middle\">Audit trails<\/text>\n    <\/g>\n    <g transform=\"translate(440,356)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"220\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"110\" y=\"19\" text-anchor=\"middle\">Policy and compliance evidence<\/text>\n    <\/g>\n    <g transform=\"translate(680,356)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"200\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"100\" y=\"19\" text-anchor=\"middle\">Monitoring and alerting<\/text>\n    <\/g>\n    <g transform=\"translate(900,356)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"240\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"120\" y=\"19\" text-anchor=\"middle\">Retention and access control<\/text>\n    <\/g>\n  <\/g>\n\n  <g id=\"DEV\" transform=\"translate(40,110)\">\n    <rect class=\"card\" x=\"0\" y=\"0\" width=\"190\" height=\"180\" rx=\"14\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">Developer<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">Commit \u2022 PR \u2022 Review<\/text>\n    <g id=\"SAST\" transform=\"translate(18,82)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"154\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"77\" y=\"19\" text-anchor=\"middle\">SAST (fast feedback)<\/text>\n    <\/g>\n  <\/g>\n\n  <g id=\"SRC\" transform=\"translate(260,110)\">\n    <rect class=\"card\" x=\"0\" y=\"0\" width=\"190\" height=\"180\" rx=\"14\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">Source code<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">Git \u2022 Branch policies<\/text>\n    <g id=\"ACCESS\" transform=\"translate(18,82)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"154\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"77\" y=\"19\" text-anchor=\"middle\">Access control<\/text>\n    <\/g>\n    <g id=\"SECRETS\" transform=\"translate(18,114)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"154\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"77\" y=\"19\" text-anchor=\"middle\">Secrets hygiene<\/text>\n    <\/g>\n  <\/g>\n\n  <g id=\"CICD\" transform=\"translate(480,110)\">\n    <rect class=\"card\" x=\"0\" y=\"0\" width=\"220\" height=\"180\" rx=\"14\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">CI\/CD Pipeline<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">Build orchestration<\/text>\n\n    <g id=\"SAST_PIPELINE\" transform=\"translate(18,82)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"184\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"92\" y=\"19\" text-anchor=\"middle\">SAST (policy enforcement)<\/text>\n    <\/g>\n\n    <g id=\"SCA\" transform=\"translate(18,114)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"184\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"92\" y=\"19\" text-anchor=\"middle\">SCA (dependencies)<\/text>\n    <\/g>\n\n    <g id=\"SBOM\" transform=\"translate(18,146)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"184\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"92\" y=\"19\" text-anchor=\"middle\">SBOM \/ provenance<\/text>\n    <\/g>\n  <\/g>\n\n  <g id=\"DEPLOY\" transform=\"translate(730,110)\">\n    <rect class=\"card\" x=\"0\" y=\"0\" width=\"200\" height=\"180\" rx=\"14\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">Deployment<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">Release \u2022 Approvals<\/text>\n\n    <g id=\"GATES\" transform=\"translate(18,82)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"164\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"82\" y=\"19\" text-anchor=\"middle\">Policy gates<\/text>\n    <\/g>\n    <g id=\"DAST\" transform=\"translate(18,114)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"164\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"82\" y=\"19\" text-anchor=\"middle\">DAST (staging)<\/text>\n    <\/g>\n  <\/g>\n\n  <g id=\"EJECUCI\u00d3N\" transform=\"translate(960,110)\">\n    <rect class=\"card\" x=\"0\" y=\"0\" width=\"200\" height=\"180\" rx=\"14\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"34\">Runtime<\/text>\n    <text class=\"txt small\" x=\"18\" y=\"58\">Production controls<\/text>\n\n    <g id=\"IAST\" transform=\"translate(18,82)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"164\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"82\" y=\"19\" text-anchor=\"middle\">IAST (testing)<\/text>\n    <\/g>\n    <g id=\"RASP\" transform=\"translate(18,114)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"164\" height=\"28\" rx=\"6\"\/>\n      <text class=\"txt chipText\" x=\"82\" y=\"19\" text-anchor=\"middle\">RASP (protection)<\/text>\n    <\/g>\n  <\/g>\n\n  <path class=\"flow arrow\" d=\"M 230 200 L 260 200\"\/>\n  <path class=\"flow arrow\" d=\"M 450 200 L 480 200\"\/>\n  <path class=\"flow arrow\" d=\"M 700 200 L 730 200\"\/>\n  <path class=\"flow arrow\" d=\"M 930 200 L 960 200\"\/>\n\n  <\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Security controls must be enforced in CI\/CD pipelines to prevent vulnerabilities, reduce supply chain risk and ensure compliant software delivery.\n  <\/figcaption>\n<\/figure>\n\n\n\n<p>CI\/CD security spans the entire delivery chain:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Developer Stage<\/strong><\/h3>\n\n\n\n<p>Fast-feedback SAST<br>Branch protection<br>Secrets detection<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Pipeline Stage<\/strong><\/h3>\n\n\n\n<p>Policy-based SAST enforcement<br>SCA &amp; SBOM generation<br>Artifact integrity and signing<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Deployment Stage<\/strong><\/h3>\n\n\n\n<p>Approval gates<br>Segregation of duties<br>Controlled promotion<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Runtime Validation<\/strong><\/h3>\n\n\n\n<p>DAST in staging<br>Monitoring integration<br>Audit trail correlation<\/p>\n\n\n\n<p>Security must be enforced end to end.<br>Gaps between stages create risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Core CI\/CD Security Controls<\/strong><\/h2>\n\n\n\n<p>Enterprise-grade CI\/CD security relies on a consistent baseline:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Identity &amp; Access Governance<\/strong><\/h3>\n\n\n\n<p>Least privilege<br>MFA enforcement<br>Role separation<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Secrets Management<\/strong><\/h3>\n\n\n\n<p>Centralized vaults<br>Rotation policies<br>No hard-coded credentials<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Integrity &amp; Supply Chain Controls<\/strong><\/h3>\n\n\n\n<p>Artifact signing<br>SBOM generation<br>Dependency validation<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Policy Enforcement<\/strong><\/h3>\n\n\n\n<p>Non-bypassable gates<br>Structured exception handling<br>Override traceability<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Logging &amp; Monitoring<\/strong><\/h3>\n\n\n\n<p>Centralized logs<br>Tamper resistance<br>Retention governance<\/p>\n\n\n\n<p>These controls ensure pipelines remain:<br>Predictable<br>Enforceable<br>Auditable<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CI\/CD Security Risks in Enterprise Environments<\/strong><\/h2>\n\n\n\n<p>Common pipeline weaknesses include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Excessive runner privileges<\/li>\n\n\n\n<li>Unrestricted production deployment rights<\/li>\n\n\n\n<li>Shared credentials<\/li>\n\n\n\n<li>Uncontrolled manual overrides<\/li>\n\n\n\n<li>Missing artifact traceability<\/li>\n\n\n\n<li>Fragmented logging<\/li>\n<\/ul>\n\n\n\n<p>In regulated contexts, these are not just technical issues.<br>They are audit findings.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why Auditors Review CI\/CD Pipelines<\/strong><\/h2>\n\n\n\n<p>Auditors assess whether:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All production changes are traceable<\/li>\n\n\n\n<li>Duties are properly segregated<\/li>\n\n\n\n<li>Security checks are mandatory<\/li>\n\n\n\n<li>Approvals are documented<\/li>\n\n\n\n<li>Evidence is retained<\/li>\n<\/ul>\n\n\n\n<p>They do not ask whether pipelines exist.<br>They ask whether pipelines enforce control.<\/p>\n\n\n\n<p>CI\/CD security is therefore central to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DORA ICT risk management<\/li>\n\n\n\n<li>NIS2 supply chain governance<\/li>\n\n\n\n<li>ISO 27001 change control<\/li>\n\n\n\n<li>SOC 2 change management<\/li>\n\n\n\n<li>PCI DSS secure development<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CI\/CD Security as Continuous Compliance<\/strong><\/h2>\n\n\n\n<p>When properly designed:<br>CI\/CD pipelines continuously enforce compliance requirements.<\/p>\n\n\n\n<p>They:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block non-compliant changes<\/li>\n\n\n\n<li>Log policy decisions<\/li>\n\n\n\n<li>Preserve traceability<\/li>\n\n\n\n<li>Produce audit-ready outputs<\/li>\n<\/ul>\n\n\n\n<p>Compliance becomes systemic.<br>Not periodic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Relationship with Other Security Domains<\/strong><\/h2>\n\n\n\n<p>CI\/CD Security anchors the security model:<\/p>\n\n\n\n<p>DevSecOps defines how teams operate.<br>Application Security protects application logic and runtime.<br>Compliance defines regulatory expectations.<\/p>\n\n\n\n<p>CI\/CD Security ensures that controls are enforced before production.<br>It is the control gate between engineering and regulated operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Executive Perspective<\/strong><\/h2>\n\n\n\n<p>For leadership, strong CI\/CD security provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced operational risk<\/li>\n\n\n\n<li>Reduced audit friction<\/li>\n\n\n\n<li>Improved change transparency<\/li>\n\n\n\n<li>Stronger supply chain resilience<\/li>\n<\/ul>\n\n\n\n<p>For engineering, it provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clear enforcement rules<\/li>\n\n\n\n<li>Reduced ambiguity<\/li>\n\n\n\n<li>Automated governance<\/li>\n\n\n\n<li>Predictable release workflows<\/li>\n<\/ul>\n\n\n\n<p>When pipelines are designed as regulated systems, both speed and control improve.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Featured CI\/CD Security Topics<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/regulated-devsecops.com\/es\/ci-cd-governance-es\/ci-cd-security-checklist-for-enterprises\/\" data-type=\"post\" data-id=\"32\">CI\/CD Security Checklist for Enterprises<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/es\/ci-cd-security\/secrets-management-in-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"111\">Secrets Management in CI\/CD Pipelines<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/es\/ci-cd-security\/how-to-secure-github-actions-in-enterprise-environments\/\" data-type=\"post\" data-id=\"148\">How to Secure GitHub Actions in Enterprise Environments<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/ci-cd-governance\/ci-cd-based-enforcement-models\/\" data-type=\"post\" data-id=\"815\">CI\/CD-Based Enforcement Models<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/regulated-devsecops.com\/es\/ci-cd-governance-es\/ci-cd-enforcement-layer\/\" data-type=\"post\" data-id=\"899\">CI\/CD Enforcement Layer<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Final Principle<\/strong><\/h2>\n\n\n\n<p>CI\/CD security is not about adding tools.<br>It is about designing pipelines as regulated systems.<\/p>\n\n\n\n<p>In enterprise environments, CI\/CD pipelines are:<br>Control points<br>Enforcement layers<br>Evidence generators<\/p>\n\n\n\n<p>They are where security, governance, and compliance converge.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pipelines as regulated control systems In regulated industries, CI\/CD pipelines are not automation tools. They are regulated ICT systems. They enforce: CI\/CD security is not about scanning code. It is about controlling the flow of change. CI\/CD Security vs DevSecOps vs Application Security Security in regulated delivery is layered. &#8230; <a title=\"CI\/CD Security\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/es\/ci-cd-security\/\" aria-label=\"Read more about CI\/CD Security\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":200,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-688","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/pages\/688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/comments?post=688"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/pages\/688\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/media?parent=688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}