{"id":1937,"date":"2026-01-13T11:03:38","date_gmt":"2026-01-13T10:03:38","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/senales-de-alerta-en-ci-cd-por-regulacion-explicado\/"},"modified":"2026-03-26T09:46:06","modified_gmt":"2026-03-26T08:46:06","slug":"senales-de-alerta-en-ci-cd-por-regulacion-explicado","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/es\/regulatory-frameworks-es\/senales-de-alerta-en-ci-cd-por-regulacion-explicado\/","title":{"rendered":"Se\u00f1ales de Alerta en CI\/CD por Regulaci\u00f3n \u2014 Explicado"},"content":{"rendered":"\n<p><strong>How DORA, NIS2, and ISO 27001 Auditors Interpret the Same Pipeline Differently<\/strong><\/p>\n\n<p>CI\/CD pipelines are increasingly central to regulatory compliance, but <strong>not all regulations assess them the same way<\/strong>. While the technical tooling may be identical, auditors interpret risks, controls, and weaknesses differently depending on the regulatory framework.<\/p>\n\n<p>This article explains <strong>how CI\/CD red flags vary across DORA, NIS2, and ISO 27001<\/strong>, and why understanding these differences is essential for avoiding audit findings.<\/p>\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n  <svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewbox=\"0 0 1200 460\" role=\"img\" aria-labelledby=\"title desc\">\n\n  <title id=\"title\">CI\/CD Red Flags by Regulation<\/title>\n  <desc id=\"desc\">\n    Comparison of CI\/CD red flags as assessed under DORA, NIS2, and ISO 27001,\n    highlighting differences in audit focus and regulatory expectations.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --risk:#dc2626;\n      --riskSoft:#fee2e2;\n\n      --dora:#7c3aed;\n      --doraSoft:#ede9fe;\n\n      --nis2:#2563eb;\n      --nis2Soft:#dbeafe;\n\n      --iso:#059669;\n      --isoSoft:#d1fae5;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:700;font-size:22px;fill:var(--text);}\n    .sub{font-size:14px;fill:var(--muted);}\n    .label{font-weight:600;font-size:14px;fill:var(--text);}\n    .small{font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:6;}\n    .chipText{font-weight:600;font-size:12px;fill:var(--text);}\n\n    .risk .chip{stroke:var(--risk);fill:var(--riskSoft);}\n\n    .dora .card{stroke:var(--dora);}\n    .dora .chip{stroke:var(--dora);fill:var(--doraSoft);}\n\n    .nis2 .card{stroke:var(--nis2);}\n    .nis2 .chip{stroke:var(--nis2);fill:var(--nis2Soft);}\n\n    .iso .card{stroke:var(--iso);}\n    .iso .chip{stroke:var(--iso);fill:var(--isoSoft);}\n\n    .divider{stroke:var(--stroke);stroke-width:2;stroke-dasharray:6 6;}\n  <\/style>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"42\">CI\/CD Red Flags by Regulation<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"68\">\n    Same pipeline \u2022 Different regulatory expectations\n  <\/text>\n\n  <!-- DORA -->\n  <g class=\"dora\" transform=\"translate(40,100)\">\n    <text class=\"txt label\">DORA<\/text>\n    <text class=\"txt small\" y=\"20\">Operational resilience &#038; ICT governance<\/text>\n\n    <g transform=\"translate(0,40)\">\n      <rect class=\"card\" width=\"340\" height=\"280\"><\/rect>\n      <text class=\"txt label\" x=\"18\" y=\"34\">Critical Red Flags<\/text>\n\n      <g class=\"risk\" transform=\"translate(18,70)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          CI\/CD not classified as regulated ICT system\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,104)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Missing approval evidence for production changes\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,138)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Weak segregation of duties in pipelines\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,172)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Incomplete traceability commit \u2192 prod\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,206)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Evidence not retained for supervision periods\n        <\/text>\n      <\/g>\n    <\/g>\n  <\/g>\n\n  <!-- NIS2 -->\n  <g class=\"nis2\" transform=\"translate(430,100)\">\n    <text class=\"txt label\">NIS2<\/text>\n    <text class=\"txt small\" y=\"20\">Cybersecurity risk management<\/text>\n\n    <g transform=\"translate(0,40)\">\n      <rect class=\"card\" width=\"340\" height=\"280\"><\/rect>\n      <text class=\"txt label\" x=\"18\" y=\"34\">Common Red Flags<\/text>\n\n      <g class=\"risk\" transform=\"translate(18,70)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          CI\/CD excluded from supply chain scope\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,104)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Supplier risk assessments missing or outdated\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,138)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Weak dependency and supply chain visibility\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,172)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Incident response not covering suppliers\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,206)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Inadequate monitoring of CI\/CD activities\n        <\/text>\n      <\/g>\n    <\/g>\n  <\/g>\n\n  <!-- ISO 27001 -->\n  <g class=\"iso\" transform=\"translate(820,100)\">\n    <text class=\"txt label\">ISO 27001<\/text>\n    <text class=\"txt small\" y=\"20\">ISMS &#038; control effectiveness<\/text>\n\n    <g transform=\"translate(0,40)\">\n      <rect class=\"card\" width=\"340\" height=\"280\"><\/rect>\n      <text class=\"txt label\" x=\"18\" y=\"34\">Typical Red Flags<\/text>\n\n      <g class=\"risk\" transform=\"translate(18,70)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Controls documented but not enforced\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,104)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Lack of repeatable change management process\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,138)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          No evidence of control effectiveness\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,172)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Logs exist but are not reviewed\n        <\/text>\n      <\/g>\n      <g class=\"risk\" transform=\"translate(18,206)\">\n        <rect class=\"chip\" width=\"304\" height=\"28\"><\/rect>\n        <text class=\"txt chipText\" x=\"152\" y=\"19\" text-anchor=\"middle\">\n          Evidence scattered and inconsistent\n        <\/text>\n      <\/g>\n    <\/g>\n  <\/g>\n\n<\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    The diagram below illustrates how the same CI\/CD pipeline is interpreted differently by auditors depending on the regulatory framework.\n  <\/figcaption>\n<\/figure>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>Why CI\/CD Red Flags Are Regulation-Specific<\/strong><\/h2>\n\n<p>At a technical level, CI\/CD pipelines enforce:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>access control<\/li>\n\n\n\n<li>change management<\/li>\n\n\n\n<li>security testing<\/li>\n\n\n\n<li>deployment automation<\/li>\n<\/ul>\n\n<p>However, regulations focus on <strong>different risk objectives<\/strong>:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>DORA<\/strong> prioritizes operational resilience and supervisory control<\/li>\n\n\n\n<li><strong>NIS2<\/strong> prioritizes cybersecurity risk management and supply chain security<\/li>\n\n\n\n<li><strong>ISO 27001<\/strong> prioritizes control effectiveness within an ISMS<\/li>\n<\/ul>\n\n<p>As a result, the <strong>same CI\/CD weakness<\/strong> can be:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>a <strong>major non-compliance<\/strong> under DORA<\/li>\n\n\n\n<li>a <strong>risk management gap<\/strong> under NIS2<\/li>\n\n\n\n<li>a <strong>control maturity issue<\/strong> under ISO 27001<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>DORA: CI\/CD as a Regulated ICT System<\/strong><\/h2>\n\n<h3 class=\"wp-block-heading\"><strong>How auditors think<\/strong><\/h3>\n\n<p>Under DORA, CI\/CD pipelines are treated as <strong>regulated ICT systems<\/strong>, not just engineering tools.<\/p>\n\n<p>Auditors ask:<\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>Is the pipeline enforcing governance, traceability, and resilience continuously?<\/em><\/p>\n<\/blockquote>\n\n<h3 class=\"wp-block-heading\"><strong>Typical CI\/CD red flags under DORA<\/strong><\/h3>\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD pipelines not formally classified as ICT assets<\/li>\n\n\n\n<li>Production changes performed outside pipelines<\/li>\n\n\n\n<li>Missing or incomplete approval evidence<\/li>\n\n\n\n<li>Weak segregation of duties in pipeline configuration<\/li>\n\n\n\n<li>Inability to reproduce historical deployment evidence<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\"><strong>Why these are critical<\/strong><\/h3>\n\n<p>DORA expects <strong>continuous, system-generated evidence<\/strong>. If CI\/CD pipelines allow exceptions, manual steps, or undocumented changes, auditors consider this a <strong>systemic governance failure<\/strong>, not a technical oversight.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>NIS2: CI\/CD as Part of the Supply Chain Risk<\/strong><\/h2>\n\n<h3 class=\"wp-block-heading\"><strong>How auditors think<\/strong><\/h3>\n\n<p>Under NIS2, CI\/CD pipelines are evaluated as part of the <strong>software and ICT supply chain<\/strong>.<\/p>\n\n<p>Auditors ask:<\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>Are CI\/CD risks identified, governed, and managed proportionally?<\/em><\/p>\n<\/blockquote>\n\n<h3 class=\"wp-block-heading\"><strong>Typical CI\/CD red flags under NIS2<\/strong><\/h3>\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD platforms excluded from supplier inventories<\/li>\n\n\n\n<li>Lack of supplier risk assessments for CI\/CD providers<\/li>\n\n\n\n<li>Poor visibility into dependencies and third-party integrations<\/li>\n\n\n\n<li>Incident response plans that ignore CI\/CD or suppliers<\/li>\n\n\n\n<li>Weak monitoring of pipeline activity<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\"><strong>Why these matter<\/strong><\/h3>\n\n<p>NIS2 focuses on <strong>risk awareness and preparedness<\/strong>. Auditors expect CI\/CD risks to be <strong>known, documented, and governed<\/strong>, even if controls are not as strict as under DORA.<\/p>\n\n<p>Ignoring CI\/CD in the supply chain scope is one of the most common NIS2 findings.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>ISO 27001: CI\/CD as a Control Effectiveness Test<\/strong><\/h2>\n\n<h3 class=\"wp-block-heading\"><strong>How auditors think<\/strong><\/h3>\n\n<p>ISO 27001 auditors assess whether CI\/CD pipelines <strong>demonstrate effective control implementation<\/strong> within the ISMS.<\/p>\n\n<p>Auditors ask:<\/p>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>Are documented controls actually enforced and monitored?<\/em><\/p>\n<\/blockquote>\n\n<h3 class=\"wp-block-heading\"><strong>Typical CI\/CD red flags under ISO 27001<\/strong><\/h3>\n\n<ul class=\"wp-block-list\">\n<li>CI\/CD controls documented but not technically enforced<\/li>\n\n\n\n<li>Change management processes inconsistently applied<\/li>\n\n\n\n<li>Logs collected but not reviewed<\/li>\n\n\n\n<li>Evidence scattered across tools and teams<\/li>\n\n\n\n<li>No demonstration of control effectiveness<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\"><strong>Why these matter<\/strong><\/h3>\n\n<p>ISO 27001 is less prescriptive but highly focused on <strong>evidence of effectiveness<\/strong>. A well-documented process without reliable CI\/CD enforcement is often considered insufficient.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>Comparing Red Flags Across Regulations<\/strong><\/h2>\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Area<\/strong><\/th><th><strong>DORA<\/strong><\/th><th><strong>NIS2<\/strong><\/th><th><strong>ISO 27001<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD role<\/td><td>Regulated ICT system<\/td><td>Supply chain component<\/td><td>Control mechanism<\/td><\/tr><tr><td>Manual deployments<\/td><td>Critical finding<\/td><td>Risk management gap<\/td><td>Control weakness<\/td><\/tr><tr><td>Approval traceability<\/td><td>Mandatory<\/td><td>Expected<\/td><td>Effectiveness indicator<\/td><\/tr><tr><td>Evidence model<\/td><td>Continuous<\/td><td>Proportional<\/td><td>ISMS-based<\/td><\/tr><tr><td>Audit strictness<\/td><td>Very high<\/td><td>High<\/td><td>Moderate<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>Practical Takeaways for Organizations<\/strong><\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong>DORA compliance requires \u201cpipeline-first\u201d governance<\/strong><\/li>\n\n\n\n<li><strong>NIS2 compliance requires CI\/CD to be in scope and risk-managed<\/strong><\/li>\n\n\n\n<li><strong>ISO 27001 compliance requires CI\/CD to prove controls work<\/strong><\/li>\n<\/ul>\n\n<p>Organizations subject to multiple frameworks should design <strong>DORA-grade CI\/CD pipelines<\/strong>, as they generally satisfy NIS2 and ISO 27001 expectations with minimal adaptation.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>How to Reduce CI\/CD Red Flags Across All Regulations<\/strong><\/h2>\n\n<p>The most effective strategies include:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>enforcing mandatory CI\/CD usage for production<\/li>\n\n\n\n<li>implementing non-bypassable approvals<\/li>\n\n\n\n<li>centralizing logs and evidence retention<\/li>\n\n\n\n<li>treating CI\/CD as a critical system, not a convenience<\/li>\n\n\n\n<li>aligning governance documentation with technical enforcement<\/li>\n<\/ul>\n\n<p>These measures significantly reduce audit pressure regardless of the regulatory framework.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n<p>CI\/CD red flags are not universal\u2014they are <strong>contextual to the regulation being applied<\/strong>. Understanding how auditors interpret CI\/CD pipelines under DORA, NIS2, and ISO 27001 allows organizations to anticipate findings and design more resilient, compliant delivery architectures.<\/p>\n\n<p>CI\/CD pipelines that enforce controls technically and generate continuous evidence are best positioned to pass audits across all regulatory frameworks.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\"><strong>Related Content<\/strong><\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/compliance\/ci-cd-audit-red-flags-what-immediately-raises-auditor-concerns\/\" data-type=\"post\" data-id=\"264\">CI\/CD Red Flags (Audit View)<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/ci-cd-security\/continuous-compliance-via-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"334\">Continuous Compliance via CI\/CD<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/compliance\/how-auditors-actually-review-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"261\">How Auditors Actually Review CI\/CD Pipelines<\/a><\/strong><\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n    <section class=\"rds-author-box rds-author-box--audit\"\r\n             dir=\"ltr\" lang=\"es\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">Contexto \u201caudit-ready\u201d<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Contenido pensado para entornos regulados: controles antes que herramientas, enforcement en CI\/CD y evidencia por dise\u00f1o para auditor\u00edas.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Enfoque en trazabilidad, aprobaciones, gobernanza de excepciones y retenci\u00f3n de evidencia de extremo a extremo.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/es\/es\/about\/\">Ver la metodolog\u00eda en la p\u00e1gina About.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n","protected":false},"excerpt":{"rendered":"<p>C\u00f3mo los auditores de DORA, NIS2 e ISO 27001 interpretan las se\u00f1ales de alerta en CI\/CD de forma diferente, y por qu\u00e9 entender estas diferencias es esencial para el cumplimiento normativo.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[135,133,132],"tags":[],"post_folder":[],"class_list":["post-1937","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks-es","category-cross-regulation-comparisons-es","category-ci-cd-governance-es"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts\/1937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/comments?post=1937"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts\/1937\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/media?parent=1937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/categories?post=1937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/tags?post=1937"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/post_folder?post=1937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}