{"id":1232,"date":"2026-02-12T19:07:49","date_gmt":"2026-02-12T18:07:49","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/ci-cd-article-28-red-flags-audit-checklist-2\/"},"modified":"2026-03-26T00:09:55","modified_gmt":"2026-03-25T23:09:55","slug":"ci-cd-article-28-red-flags-audit-checklist","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/ci-cd-article-28-red-flags-audit-checklist\/","title":{"rendered":"CI\/CD Article 28 : Signaux d&rsquo;alerte \u2014 Checklist d&rsquo;audit"},"content":{"rendered":"\n<p>Cette checklist met en \u00e9vidence les <strong>signaux d&rsquo;alerte courants li\u00e9s au CI\/CD au titre de DORA Article 28<\/strong>.<\/p>\n\n\n\n<p>Chaque \u00e9l\u00e9ment repr\u00e9sente une situation fr\u00e9quemment identifi\u00e9e lors d&rsquo;audits comme une <strong>d\u00e9faillance de risque ICT tiers<\/strong>.<\/p>\n\n\n\n<p>Si un ou plusieurs \u00e9l\u00e9ments s&rsquo;appliquent, les auditeurs peuvent classer la plateforme CI\/CD ou le fournisseur comme <strong>\u00e0 haut risque ou non conforme<\/strong>.<\/p>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1200 560\"\n     role=\"img\"\n     aria-labelledby=\"title desc\"\n     data-theme=\"light\">\n  <title id=\"title\">CI\/CD Red Flags \u2014 DORA Article 28 (Third-Party Risk)<\/title>\n  <desc id=\"desc\">\n    Enterprise CI\/CD diagram highlighting common DORA Article 28 third-party risk red flags:\n    missing exit plan, shared runners, lack of sub-processor visibility, missing audit rights,\n    and missing evidence retention.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n\n      --warn:#b91c1c;\n      --warnSoft:#fee2e2;\n\n      --ok:#059669;\n      --okSoft:#d1fae5;\n\n      --band:#0ea5e9;\n      --bandSoft:#e0f2fe;\n    }\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      --card:#0b1220;\n\n      --accent:#60a5fa;\n      --accentSoft:#0b2a55;\n\n      --warn:#f87171;\n      --warnSoft:#3a0b10;\n\n      --ok:#34d399;\n      --okSoft:#063a2c;\n\n      --band:#38bdf8;\n      --bandSoft:#083047;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:900;font-size:22px;fill:var(--text);}\n    .sub{font-weight:600;font-size:14px;fill:var(--muted);}\n\n    .label{font-weight:900;font-size:12px;fill:var(--text);letter-spacing:.06em;}\n    .h{font-weight:900;font-size:14px;fill:var(--text);}\n    .small{font-weight:700;font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:7;}\n    .chipText{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .flow{fill:none;stroke:var(--stroke);stroke-width:2.5;stroke-linecap:round;stroke-linejoin:round;}\n    .arrow{marker-end:url(#arrow);}\n\n    .band{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n    .bandTitle{font-weight:900;font-size:12px;fill:var(--muted);letter-spacing:.06em;}\n    .bandChip{fill:var(--bandSoft);stroke:var(--band);stroke-width:1.5;rx:7;}\n    .bandText{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .rf .chip{stroke:var(--warn);fill:var(--warnSoft);}\n    .rftext{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .ok .chip{stroke:var(--ok);fill:var(--okSoft);}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">CI\/CD Red Flags \u2014 DORA Article 28<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">Third-party risk failures auditors frequently flag in Git, CI\/CD SaaS, runners, registries, and cloud runtime.<\/text>\n\n  <!-- Cross-cutting band -->\n  <g transform=\"translate(40,92)\">\n    <rect class=\"band\" x=\"0\" y=\"0\" width=\"1120\" height=\"62\"\/>\n    <text class=\"txt bandTitle\" x=\"18\" y=\"36\">CROSS-CUTTING (ARTICLE 28)<\/text>\n\n    <g transform=\"translate(330,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"180\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"90\" y=\"20\" text-anchor=\"middle\">Supplier governance<\/text>\n    <\/g>\n    <g transform=\"translate(520,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"160\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"80\" y=\"20\" text-anchor=\"middle\">Audit rights<\/text>\n    <\/g>\n    <g transform=\"translate(690,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"150\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"75\" y=\"20\" text-anchor=\"middle\">Exit strategy<\/text>\n    <\/g>\n    <g transform=\"translate(850,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"220\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"110\" y=\"20\" text-anchor=\"middle\">Evidence retention<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Pipeline row cards -->\n  <g transform=\"translate(40,175)\">\n    <!-- Git -->\n    <g transform=\"translate(0,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Git Hosting<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">GitHub \/ GitLab SaaS<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">Absence de droits d&rsquo;audit<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- CI\/CD SaaS -->\n    <g transform=\"translate(220,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">CI\/CD SaaS<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Orchestrator<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">Absence de plan de sortie<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Runners -->\n    <g transform=\"translate(440,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">CI Runners<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Cloud execution<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">Runners partag\u00e9s<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Registries -->\n    <g transform=\"translate(660,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Registries<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Artifacts + images<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">No retention<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Cloud runtime -->\n    <g transform=\"translate(880,0)\">\n      <rect class=\"card\" width=\"220\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Cloud Runtime<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Prod services<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"184\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"92\" y=\"20\" text-anchor=\"middle\">No sub-processor view<\/text>\n      <\/g>\n    <\/g>\n  <\/g>\n\n  <!-- Flow arrows between pipeline stages -->\n  <path class=\"flow arrow\" d=\"M 240 240 L 260 240\"\/>\n  <path class=\"flow arrow\" d=\"M 460 240 L 480 240\"\/>\n  <path class=\"flow arrow\" d=\"M 680 240 L 700 240\"\/>\n  <path class=\"flow arrow\" d=\"M 900 240 L 920 240\"\/>\n\n  <!-- Lower remediation hints -->\n  <g transform=\"translate(40,340)\">\n    <rect class=\"card\" width=\"1100\" height=\"170\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">ENGINEER REMEDIATION HINTS<\/text>\n\n    <g class=\"ok\" transform=\"translate(18,52)\">\n      <rect class=\"chip\" width=\"260\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"130\" y=\"20\" text-anchor=\"middle\">Tested exit strategy (CI\/CD)<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(290,52)\">\n      <rect class=\"chip\" width=\"250\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"125\" y=\"20\" text-anchor=\"middle\">Dedicated \/ isolated runners<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(550,52)\">\n      <rect class=\"chip\" width=\"270\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"135\" y=\"20\" text-anchor=\"middle\">Supplier + sub-processor map<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(830,52)\">\n      <rect class=\"chip\" width=\"260\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"130\" y=\"20\" text-anchor=\"middle\">Centralized logs + retention<\/text>\n    <\/g>\n\n    <text class=\"txt small\" x=\"18\" y=\"110\">\n      Auditor rule: if controls cannot produce time-bound evidence on demand, they are treated as ineffective under Article 28.\n    <\/text>\n    <text class=\"txt small\" x=\"18\" y=\"136\">\n      Focus areas: CI\/CD platform scope, contractual auditability, runner isolation, sub-processor governance, and evidence retention.\n    <\/text>\n  <\/g>\n<\/svg>\n  <figcaption class=\"gp-rds-caption\">\n    Enterprise CI\/CD diagram highlighting common DORA Article 28 third-party risk red flags:\n    missing exit plan, shared runners, lack of sub-processor visibility, missing audit rights,\n    and missing evidence retention.\n<\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Checklist des signaux d&rsquo;alerte tiers CI\/CD (Revue rapide)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Gouvernance et strat\u00e9gie de sortie<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Aucun <strong>plan de sortie<\/strong> document\u00e9 pour les plateformes CI\/CD SaaS<\/li>\n\n\n\n<li>\u2b1c Le plan de sortie existe mais <strong>n&rsquo;a jamais \u00e9t\u00e9 test\u00e9 techniquement<\/strong><\/li>\n\n\n\n<li>\u2b1c Aucune capacit\u00e9 d&rsquo;exporter les logs et artefacts CI\/CD historiques<\/li>\n\n\n\n<li>\u2b1c Les pipelines ne peuvent pas \u00eatre red\u00e9ploy\u00e9s sur une plateforme alternative<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Infrastructure CI\/CD et isolation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Les t\u00e2ches CI s&rsquo;ex\u00e9cutent sur des <strong>runners partag\u00e9s ou mutualis\u00e9s<\/strong> sans garanties claires d&rsquo;isolation<\/li>\n\n\n\n<li>\u2b1c Les m\u00e9canismes d&rsquo;isolation des runners sont non document\u00e9s ou inconnus<\/li>\n\n\n\n<li>\u2b1c L&rsquo;environnement d&rsquo;ex\u00e9cution CI est enti\u00e8rement contr\u00f4l\u00e9 par le fournisseur<\/li>\n\n\n\n<li>\u2b1c Les secrets sont expos\u00e9s \u00e0 des contextes d&rsquo;ex\u00e9cution tiers<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Visibilit\u00e9 sur les fournisseurs et sous-traitants<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Le fournisseur CI\/CD SaaS <strong>n&rsquo;est pas r\u00e9pertori\u00e9<\/strong> dans l&rsquo;inventaire des tiers ICT<\/li>\n\n\n\n<li>\u2b1c Les sous-traitants (cloud, runners, registres) ne sont <strong>pas identifi\u00e9s<\/strong><\/li>\n\n\n\n<li>\u2b1c Aucune classification des risques pour les tiers li\u00e9s au CI\/CD<\/li>\n\n\n\n<li>\u2b1c La criticit\u00e9 du fournisseur n&rsquo;influence pas les contr\u00f4les appliqu\u00e9s<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Contr\u00f4les contractuels et juridiques<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Les contrats CI\/CD <strong>n&rsquo;incluent pas de droits d&rsquo;audit ou d&rsquo;inspection<\/strong><\/li>\n\n\n\n<li>\u2b1c Les droits d&rsquo;audit existent mais ne sont <strong>pas pratiquement applicables<\/strong><\/li>\n\n\n\n<li>\u2b1c Aucun SLA contractuel de notification d&rsquo;incident<\/li>\n\n\n\n<li>\u2b1c Les clauses de sortie et de r\u00e9siliation sont absentes ou floues<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Preuves et auditabilit\u00e9<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Les logs CI\/CD sont conserv\u00e9s pendant une <strong>p\u00e9riode courte ou ind\u00e9finie<\/strong><\/li>\n\n\n\n<li>\u2b1c Les enregistrements d&rsquo;approbation et de modification ne sont pas tra\u00e7ables<\/li>\n\n\n\n<li>\u2b1c Les m\u00e9tadonn\u00e9es et la provenance des artefacts sont absentes<\/li>\n\n\n\n<li>\u2b1c Les preuves sont collect\u00e9es manuellement uniquement lors des audits<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Gouvernance CI\/CD et application des politiques<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2b1c Aucune porte d&rsquo;approbation pour les modifications de pipeline<\/li>\n\n\n\n<li>\u2b1c Utilisation non restreinte des plugins ou actions de la marketplace<\/li>\n\n\n\n<li>\u2b1c Aucun verrouillage de version ni revue des composants CI\/CD tiers<\/li>\n\n\n\n<li>\u2b1c Les contr\u00f4les varient entre les pipelines sans justification<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Checklist type auditeur (Oui \/ Non)<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Point de contr\u00f4le<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Oui<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Non<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Les plateformes CI\/CD sont incluses dans l&rsquo;inventaire des tiers ICT<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les fournisseurs CI\/CD sont classifi\u00e9s par risque<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les strat\u00e9gies de sortie existent et sont techniquement r\u00e9alisables<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les runners CI sont isol\u00e9s et contr\u00f4l\u00e9s<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les sous-traitants sont identifi\u00e9s et gouvern\u00e9s<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les droits d&rsquo;audit sont d\u00e9finis contractuellement<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les SLA de notification d&rsquo;incident sont en place<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les logs CI\/CD sont conserv\u00e9s et prot\u00e9g\u00e9s<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les approbations et portes de politique sont appliqu\u00e9es<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><tr><td>Les preuves peuvent \u00eatre produites \u00e0 la demande<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2b1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Signaux d&rsquo;alerte expliqu\u00e9s (Interpr\u00e9tation d&rsquo;audit)<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Signal d&rsquo;alerte<\/strong><\/th><th><strong>Pourquoi les auditeurs s&rsquo;en soucient<\/strong><\/th><th><strong>Contr\u00f4le attendu<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Absence de plan de sortie<\/td><td>Risque de verrouillage fournisseur<\/td><td>Strat\u00e9gie de sortie technique test\u00e9e<\/td><\/tr><tr><td>Runners partag\u00e9s<\/td><td>Risque de confidentialit\u00e9 et d&rsquo;int\u00e9grit\u00e9<\/td><td>Runners isol\u00e9s ou d\u00e9di\u00e9s<\/td><\/tr><tr><td>Absence de visibilit\u00e9 sur les sous-traitants<\/td><td>Exposition au risque cach\u00e9e<\/td><td>Cartographie compl\u00e8te de la cha\u00eene d&rsquo;approvisionnement<\/td><\/tr><tr><td>Absence de droits d&rsquo;audit<\/td><td>Aucune v\u00e9rification ind\u00e9pendante<\/td><td>Clauses d&rsquo;audit applicables<\/td><\/tr><tr><td>Absence de conservation des preuves<\/td><td>Les contr\u00f4les ne peuvent pas \u00eatre prouv\u00e9s<\/td><td>Conservation automatis\u00e9e des logs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Comment les auditeurs utilisent cette checklist<\/strong><\/h2>\n\n\n\n<p>Les auditeurs ne s&rsquo;attendent <strong>pas \u00e0 un risque nul<\/strong>.<\/p>\n\n\n\n<p>Ils s&rsquo;attendent \u00e0 ce que :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>les risques soient <strong>identifi\u00e9s<\/strong>,<\/li>\n\n\n\n<li>les contr\u00f4les soient <strong>appliqu\u00e9s<\/strong>,<\/li>\n\n\n\n<li>les preuves soient <strong>disponibles et coh\u00e9rentes<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>Plusieurs \u00e9l\u00e9ments non coch\u00e9s dans la m\u00eame cat\u00e9gorie entra\u00eenent souvent :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>une classification \u00e0 haut risque,<\/li>\n\n\n\n<li>des plans de rem\u00e9diation,<\/li>\n\n\n\n<li>des audits de suivi.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Comment utiliser cette checklist en interne<\/strong><\/h2>\n\n\n\n<p>Utilisation recommand\u00e9e :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>l&rsquo;ex\u00e9cuter <strong>avant un audit<\/strong>,<\/li>\n\n\n\n<li>l&rsquo;ex\u00e9cuter <strong>apr\u00e8s l&rsquo;int\u00e9gration d&rsquo;un nouveau fournisseur CI\/CD<\/strong>,<\/li>\n\n\n\n<li>l&rsquo;inclure dans les <strong>revues des risques tiers<\/strong>,<\/li>\n\n\n\n<li>la relier \u00e0 votre <strong>Checklist de s\u00e9curit\u00e9 CI\/CD<\/strong> et \u00e0 votre <strong>Pack de preuves<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Contenu associ\u00e9<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/third-party-risk-in-ci-cd-pipelines-under-dora-article-28\/\" data-type=\"post\" data-id=\"368\">Third-Party Risk in CI\/CD Pipelines under DORA Article 28<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/dora-article-28-evidence-pack-what-to-show-auditors\/\" data-type=\"post\" data-id=\"347\">DORA Article 28 Evidence Pack \u2014 What to Show Auditors<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/dora-article-28-architecture-third-party-risk-controls-across-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"364\">DORA Article 28 Architecture \u2014 Explained<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/ci-cd-security-checklist-for-enterprises\/\" data-type=\"post\" data-id=\"32\">CI\/CD Security Checklist for Enterprises<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n    <section class=\"rds-author-box rds-author-box--audit\"\r\n             dir=\"ltr\" lang=\"fr\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">Contexte \u201caudit-ready\u201d<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Contenu con\u00e7u pour les environnements r\u00e9glement\u00e9s : contr\u00f4les avant outils, enforcement par politiques dans le CI\/CD, et evidence-by-design pour l\u2019audit.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Focus sur la tra\u00e7abilit\u00e9, les approbations, la gouvernance des exceptions et la r\u00e9tention des preuves de bout en bout.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/fr\/fr\/about\/\">Voir la m\u00e9thodologie sur la page About.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cette checklist met en \u00e9vidence les signaux d&rsquo;alerte courants li\u00e9s au CI\/CD au titre de DORA Article 28. Chaque \u00e9l\u00e9ment repr\u00e9sente une situation fr\u00e9quemment identifi\u00e9e lors d&rsquo;audits comme une d\u00e9faillance de risque ICT tiers. Si un ou plusieurs \u00e9l\u00e9ments s&rsquo;appliquent, les auditeurs peuvent classer la plateforme CI\/CD ou le fournisseur comme \u00e0 haut risque ou &#8230; <a title=\"CI\/CD Article 28 : Signaux d&rsquo;alerte \u2014 Checklist d&rsquo;audit\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/ci-cd-article-28-red-flags-audit-checklist\/\" aria-label=\"En savoir plus sur CI\/CD Article 28 : Signaux d&rsquo;alerte \u2014 Checklist d&rsquo;audit\">Lire la suite<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126,122,123],"tags":[],"post_folder":[],"class_list":["post-1232","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks","category-audit-evidence","category-ci-cd-governance"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1232"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1232\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/categories?post=1232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/tags?post=1232"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/post_folder?post=1232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}