{"id":1411,"date":"2026-02-11T18:03:46","date_gmt":"2026-02-11T17:03:46","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/third-party-risk-in-ci-cd-pipelines-under-dora-article-28-2\/"},"modified":"2026-03-26T00:22:01","modified_gmt":"2026-03-25T23:22:01","slug":"third-party-risk-in-ci-cd-pipelines-under-dora-article-28","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/third-party-risk-in-ci-cd-pipelines-under-dora-article-28\/","title":{"rendered":"Third-Party Risk in CI\/CD Pipelines under DORA Article 28"},"content":{"rendered":"\n<p>DORA Article 28 requires financial entities to manage the risks introduced by <strong>third-party ICT service providers<\/strong>.<\/p>\n\n\n\n<p>In modern software delivery, CI\/CD pipelines are among the organization&rsquo;s <strong>most third-party-dependent systems<\/strong>.<\/p>\n\n\n\n<p>Git platforms, CI runners, plugins and artifact registries are not mere tooling choices: they are <strong>integrated external services<\/strong> that directly affect software integrity, availability and operational resilience.<\/p>\n\n\n\n<p>This article focuses specifically on <strong>third-party risk within CI\/CD pipelines<\/strong>, explaining where these risks arise, how DORA Article 28 applies, and which controls auditors expect to see enforced.<\/p>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1200 520\"\n     role=\"img\"\n     aria-labelledby=\"title desc\"\n     data-theme=\"light\">\n  <title id=\"title\">DORA Article 28 \u2014 Tools \u2192 Controls \u2192 Evidence<\/title>\n  <desc id=\"desc\">\n    Diagram linking enterprise DevSecOps tools to the applicable CI\/CD controls and the resulting audit evidence,\n    with the cross-cutting DORA Article 28 third-party governance requirements.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n\n      --sec:#7c3aed;\n      --secSoft:#ede9fe;\n\n      --ev:#059669;\n      --evSoft:#d1fae5;\n\n      --warn:#b45309;\n      --warnSoft:#ffedd5;\n    }\n\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      --card:#0b1220;\n\n      --accent:#60a5fa;\n      --accentSoft:#0b2a55;\n\n      --sec:#a78bfa;\n      --secSoft:#2a144d;\n\n      --ev:#34d399;\n      --evSoft:#063a2c;\n\n      --warn:#f59e0b;\n      --warnSoft:#3b2a07;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:800;font-size:22px;fill:var(--text);}\n    .sub{font-weight:500;font-size:14px;fill:var(--muted);}\n\n    .label{font-weight:900;font-size:12px;fill:var(--text);letter-spacing:.06em;}\n    .h{font-weight:800;font-size:14px;fill:var(--text);}\n    .small{font-weight:600;font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .panel{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:7;}\n    .chipText{font-weight:800;font-size:12px;fill:var(--text);}\n\n    .tools .chip{stroke:var(--accent);fill:var(--accentSoft);}\n    .controls .chip{stroke:var(--sec);fill:var(--secSoft);}\n    .evidence .chip{stroke:var(--ev);fill:var(--evSoft);}\n    .warn .chip{stroke:var(--warn);fill:var(--warnSoft);}\n\n    
.flow{fill:none;stroke:var(--stroke);stroke-width:2.5;stroke-linecap:round;stroke-linejoin:round;}\n    .arrow{marker-end:url(#arrow);}\n    .link{fill:none;stroke:var(--accent);stroke-width:2.5;stroke-linecap:round;stroke-dasharray:7 7;opacity:.85;}\n\n    .band{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n    .bandTitle{font-weight:900;font-size:12px;fill:var(--muted);letter-spacing:.06em;}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">Tools \u2192 Controls \u2192 Evidence<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">DORA Article 28 view: third-party ICT governance enforced through CI\/CD controls and demonstrable evidence.<\/text>\n\n  <!-- Cross-cutting controls band -->\n  <g transform=\"translate(40,92)\">\n    <rect class=\"band\" x=\"0\" y=\"0\" width=\"1120\" height=\"62\"\/>\n    <text class=\"txt bandTitle\" x=\"18\" y=\"36\">CROSS-CUTTING (ARTICLE 28)<\/text>\n\n    <g class=\"warn\" transform=\"translate(320,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"170\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"85\" y=\"20\" text-anchor=\"middle\">Supplier governance<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(500,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"150\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"75\" y=\"20\" text-anchor=\"middle\">Contractual clauses<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(660,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"120\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"60\" y=\"20\" text-anchor=\"middle\">Monitoring<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(790,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"110\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"55\" y=\"20\" text-anchor=\"middle\">Exit plan<\/text>\n    <\/g>\n\n    <g class=\"warn\" transform=\"translate(910,16)\">\n      <rect class=\"chip\" x=\"0\" y=\"0\" width=\"190\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"95\" y=\"20\" text-anchor=\"middle\">Evidence retention<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Main panels -->\n  <g transform=\"translate(40,160)\">\n    <rect class=\"panel\" x=\"0\" y=\"0\" width=\"1120\" height=\"300\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">MAPPING LAYER<\/text>\n  <\/g>\n\n  <!-- Column titles -->\n  <text class=\"txt h\" x=\"120\" y=\"210\">Tools<\/text>\n  <text class=\"txt small\" x=\"120\" y=\"232\">Platforms &amp; services<\/text>\n\n  <text class=\"txt h\" x=\"520\" y=\"210\">Controls<\/text>\n  <text class=\"txt small\" x=\"520\" y=\"232\">Enforced requirements<\/text>\n\n  <text class=\"txt h\" x=\"900\" y=\"210\">Evidence<\/text>\n  <text class=\"txt small\" x=\"900\" y=\"232\">What auditors verify<\/text>\n\n  <!-- Tools cards -->\n  <g transform=\"translate(80,250)\" class=\"tools\">\n    <rect class=\"card\" width=\"300\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">TOOLS<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Git \/ Source Hosting<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">CI\/CD Orchestrator + Runners<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Registries + 
Dependencies<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Cloud Runtime + Observability<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Controls cards -->\n  <g transform=\"translate(450,250)\" class=\"controls\">\n    <rect class=\"card\" width=\"320\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">CONTROLS<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Access control + MFA + SoD<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Approvals + policy gates<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Integrity: SBOM + signing + provenance<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"284\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"142\" y=\"20\" text-anchor=\"middle\">Monitoring + incident workflows<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Evidence cards -->\n  <g transform=\"translate(820,250)\" class=\"evidence\">\n    <rect class=\"card\" width=\"300\" height=\"190\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">EVIDENCE<\/text>\n\n    <g transform=\"translate(18,48)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Audit logs + access reviews<\/text>\n    <\/g>\n    <g transform=\"translate(18,84)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" 
text-anchor=\"middle\">Approvals &amp; change traceability<\/text>\n    <\/g>\n    <g transform=\"translate(18,120)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">SBOM + attestations + signatures<\/text>\n    <\/g>\n    <g transform=\"translate(18,156)\">\n      <rect class=\"chip\" width=\"264\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"132\" y=\"20\" text-anchor=\"middle\">Monitoring data + incident records<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Main flow arrows -->\n  <path class=\"flow arrow\" d=\"M 380 360 L 450 360\"\/>\n  <path class=\"flow arrow\" d=\"M 770 360 L 820 360\"\/>\n\n  <!-- Dotted alignment links (tool -> control -> evidence rows) -->\n  <!-- Row 1 -->\n  <path class=\"link\" d=\"M 360 313 L 470 313\"\/>\n  <path class=\"link\" d=\"M 750 313 L 840 313\"\/>\n  <!-- Row 2 -->\n  <path class=\"link\" d=\"M 360 349 L 470 349\"\/>\n  <path class=\"link\" d=\"M 750 349 L 840 349\"\/>\n  <!-- Row 3 -->\n  <path class=\"link\" d=\"M 360 385 L 470 385\"\/>\n  <path class=\"link\" d=\"M 750 385 L 840 385\"\/>\n  <!-- Row 4 -->\n  <path class=\"link\" d=\"M 360 421 L 470 421\"\/>\n  <path class=\"link\" d=\"M 750 421 L 840 421\"\/>\n\n  <!-- Footer note -->\n  <text class=\"txt small\" x=\"60\" y=\"500\">\n    Tip: Under DORA Article 28, tools are acceptable only if they enforce controls and continuously produce auditable evidence.\n  <\/text>\n<\/svg>\n\n  <figcaption class=\"gp-rds-caption\">\n    Diagram linking enterprise DevSecOps tools to the applicable CI\/CD controls and the resulting audit evidence,\n    with the cross-cutting DORA Article 28 third-party governance requirements.\n  <\/figcaption>\n<\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why CI\/CD Pipelines Are a Third-Party Risk Concentration Point<\/strong><\/h2>\n\n\n\n<p>CI\/CD pipelines aggregate multiple external dependencies into a single execution flow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>source code is hosted externally,<\/li>\n\n\n\n<li>builds often run on shared or managed infrastructure,<\/li>\n\n\n\n<li>third-party code is pulled automatically,<\/li>\n\n\n\n<li>artifacts are stored and distributed by external services.<\/li>\n<\/ul>\n\n\n\n<p>From a DORA perspective, CI\/CD pipelines represent:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>high-impact ICT dependencies<\/strong>,<\/li>\n\n\n\n<li>with <strong>privileged access<\/strong>,<\/li>\n\n\n\n<li>operating at <strong>machine speed<\/strong>,<\/li>\n\n\n\n<li>and capable of propagating failures or compromises directly into production.<\/li>\n<\/ul>\n\n\n\n<p>As a result, CI\/CD platforms must be treated as <strong>in-scope ICT third-party services<\/strong> under Article 28.<\/p>\n\n\n\n<!-- GeneratePress Inline SVG \u2013 Regulated DevSecOps -->\n<figure class=\"gp-rds-diagram\">\n<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\"\n     viewBox=\"0 0 1200 560\"\n     role=\"img\"\n     aria-labelledby=\"title_2 desc_2\"\n     data-theme=\"light\">\n  <title id=\"title_2\">CI\/CD Red Flags \u2014 DORA Article 28 (Third-Party Risk)<\/title>\n  <desc id=\"desc_2\">\n    Enterprise CI\/CD diagram highlighting common DORA Article 28 third-party risk red flags:\n    missing exit plan, shared runners, lack of sub-processor visibility, missing audit rights,\n    and missing evidence retention.\n  <\/desc>\n\n  <style>\n    :root{\n      --bg:transparent;\n      --text:#0f172a;\n      --muted:#475569;\n      --stroke:#cbd5e1;\n      --card:#ffffff;\n\n      --accent:#2563eb;\n      --accentSoft:#dbeafe;\n\n      --warn:#b91c1c;\n      --warnSoft:#fee2e2;\n\n      --ok:#059669;\n      --okSoft:#d1fae5;\n\n      --band:#0ea5e9;\n      --bandSoft:#e0f2fe;\n    }\n    svg[data-theme=\"dark\"]{\n      --text:#e5e7eb;\n      --muted:#9ca3af;\n      --stroke:#374151;\n      
--card:#0b1220;\n\n      --accent:#60a5fa;\n      --accentSoft:#0b2a55;\n\n      --warn:#f87171;\n      --warnSoft:#3a0b10;\n\n      --ok:#34d399;\n      --okSoft:#063a2c;\n\n      --band:#38bdf8;\n      --bandSoft:#083047;\n    }\n\n    .txt{font-family:ui-sans-serif,system-ui,-apple-system,Segoe UI,Roboto,Arial;}\n    .title{font-weight:900;font-size:22px;fill:var(--text);}\n    .sub{font-weight:600;font-size:14px;fill:var(--muted);}\n\n    .label{font-weight:900;font-size:12px;fill:var(--text);letter-spacing:.06em;}\n    .h{font-weight:900;font-size:14px;fill:var(--text);}\n    .small{font-weight:700;font-size:12px;fill:var(--muted);}\n\n    .card{fill:var(--card);stroke:var(--stroke);stroke-width:1.5;rx:14;}\n    .chip{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:7;}\n    .chipText{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .flow{fill:none;stroke:var(--stroke);stroke-width:2.5;stroke-linecap:round;stroke-linejoin:round;}\n    .arrow{marker-end:url(#arrow);}\n\n    .band{fill:transparent;stroke:var(--stroke);stroke-width:1.5;rx:14;stroke-dasharray:6 6;}\n    .bandTitle{font-weight:900;font-size:12px;fill:var(--muted);letter-spacing:.06em;}\n    .bandChip{fill:var(--bandSoft);stroke:var(--band);stroke-width:1.5;rx:7;}\n    .bandText{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .rf .chip{stroke:var(--warn);fill:var(--warnSoft);}\n    .rftext{font-weight:900;font-size:12px;fill:var(--text);}\n\n    .ok .chip{stroke:var(--ok);fill:var(--okSoft);}\n  <\/style>\n\n  <defs>\n    <marker id=\"arrow\" viewBox=\"0 0 10 10\" refX=\"9.2\" refY=\"5\" markerWidth=\"7\" markerHeight=\"7\" orient=\"auto\">\n      <path d=\"M0 0 L10 5 L0 10 Z\" fill=\"var(--stroke)\"\/>\n    <\/marker>\n  <\/defs>\n\n  <!-- Header -->\n  <text class=\"txt title\" x=\"40\" y=\"48\">CI\/CD Red Flags \u2014 DORA Article 28<\/text>\n  <text class=\"txt sub\" x=\"40\" y=\"74\">Third-party risk failures auditors frequently flag in Git, CI\/CD SaaS, runners, 
registries, and cloud runtime.<\/text>\n\n  <!-- Cross-cutting band -->\n  <g transform=\"translate(40,92)\">\n    <rect class=\"band\" x=\"0\" y=\"0\" width=\"1120\" height=\"62\"\/>\n    <text class=\"txt bandTitle\" x=\"18\" y=\"36\">CROSS-CUTTING (ARTICLE 28)<\/text>\n\n    <g transform=\"translate(330,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"180\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"90\" y=\"20\" text-anchor=\"middle\">Supplier governance<\/text>\n    <\/g>\n    <g transform=\"translate(520,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"160\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"80\" y=\"20\" text-anchor=\"middle\">Audit rights<\/text>\n    <\/g>\n    <g transform=\"translate(690,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"150\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"75\" y=\"20\" text-anchor=\"middle\">Exit strategy<\/text>\n    <\/g>\n    <g transform=\"translate(850,16)\">\n      <rect class=\"bandChip\" x=\"0\" y=\"0\" width=\"220\" height=\"30\"\/>\n      <text class=\"txt bandText\" x=\"110\" y=\"20\" text-anchor=\"middle\">Evidence retention<\/text>\n    <\/g>\n  <\/g>\n\n  <!-- Pipeline row cards -->\n  <g transform=\"translate(40,175)\">\n    <!-- Git -->\n    <g transform=\"translate(0,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Git Hosting<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">GitHub \/ GitLab SaaS<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">No audit rights<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- CI\/CD SaaS -->\n    <g transform=\"translate(220,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">CI\/CD SaaS<\/text>\n      
<text class=\"txt small\" x=\"18\" y=\"54\">Orchestrator<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">No exit plan<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Runners -->\n    <g transform=\"translate(440,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">CI Runners<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Cloud execution<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">Shared runners<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Registries -->\n    <g transform=\"translate(660,0)\">\n      <rect class=\"card\" width=\"200\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Registries<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Artifacts + images<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"164\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"82\" y=\"20\" text-anchor=\"middle\">No retention<\/text>\n      <\/g>\n    <\/g>\n\n    <!-- Runtime cloud -->\n    <g transform=\"translate(880,0)\">\n      <rect class=\"card\" width=\"220\" height=\"130\"\/>\n      <text class=\"txt h\" x=\"18\" y=\"32\">Cloud Runtime<\/text>\n      <text class=\"txt small\" x=\"18\" y=\"54\">Prod services<\/text>\n      <g class=\"rf\" transform=\"translate(18,74)\">\n        <rect class=\"chip\" width=\"184\" height=\"30\"\/>\n        <text class=\"txt rftext\" x=\"92\" y=\"20\" text-anchor=\"middle\">No sub-processor view<\/text>\n      <\/g>\n    <\/g>\n  <\/g>\n\n  <!-- Flow arrows between pipeline stages -->\n  <path class=\"flow arrow\" d=\"M 240 240 L 260 240\"\/>\n  <path class=\"flow arrow\" d=\"M 460 240 L 
480 240\"\/>\n  <path class=\"flow arrow\" d=\"M 680 240 L 700 240\"\/>\n  <path class=\"flow arrow\" d=\"M 900 240 L 920 240\"\/>\n\n  <!-- Lower remediation hints -->\n  <g transform=\"translate(40,340)\">\n    <rect class=\"card\" width=\"1100\" height=\"170\"\/>\n    <text class=\"txt label\" x=\"18\" y=\"28\">ENGINEER REMEDIATION HINTS<\/text>\n\n    <g class=\"ok\" transform=\"translate(18,52)\">\n      <rect class=\"chip\" width=\"260\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"130\" y=\"20\" text-anchor=\"middle\">Tested exit strategy (CI\/CD)<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(290,52)\">\n      <rect class=\"chip\" width=\"250\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"125\" y=\"20\" text-anchor=\"middle\">Dedicated \/ isolated runners<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(550,52)\">\n      <rect class=\"chip\" width=\"270\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"135\" y=\"20\" text-anchor=\"middle\">Supplier + sub-processor map<\/text>\n    <\/g>\n    <g class=\"ok\" transform=\"translate(830,52)\">\n      <rect class=\"chip\" width=\"260\" height=\"30\"\/>\n      <text class=\"txt chipText\" x=\"130\" y=\"20\" text-anchor=\"middle\">Centralized logs + retention<\/text>\n    <\/g>\n\n    <text class=\"txt small\" x=\"18\" y=\"110\">\n      Auditor rule: if controls cannot produce time-bound evidence on demand, they are treated as ineffective under Article 28.\n    <\/text>\n    <text class=\"txt small\" x=\"18\" y=\"136\">\n      Focus areas: CI\/CD platform scope, contractual auditability, runner isolation, sub-processor governance, and evidence retention.\n    <\/text>\n  <\/g>\n<\/svg>\n  <figcaption class=\"gp-rds-caption\">\n    Enterprise CI\/CD diagram highlighting common DORA Article 28 third-party risk red flags:\n    missing exit plan, shared runners, lack of sub-processor visibility, missing audit rights,\n    and missing evidence 
retention.\n  <\/figcaption>\n<\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>GitHub \/ GitLab SaaS as ICT Third-Party Providers<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk exposure<\/strong><\/h3>\n\n\n\n<p>GitHub and GitLab SaaS platforms control:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>access to source code,<\/li>\n\n\n\n<li>change approval workflows,<\/li>\n\n\n\n<li>identity and permission enforcement.<\/li>\n<\/ul>\n\n\n\n<p>Compromise or misconfiguration can lead to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>unauthorized code changes,<\/li>\n\n\n\n<li>bypassed approvals,<\/li>\n\n\n\n<li>loss of traceability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Article 28 expectations<\/strong><\/h3>\n\n\n\n<p>Auditors expect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Git hosting platforms listed in the <strong>third-party inventory<\/strong>,<\/li>\n\n\n\n<li>clear risk classification (often <em>critical<\/em>),<\/li>\n\n\n\n<li>enforcement of segregation of duties,<\/li>\n\n\n\n<li>evidence of access control and approvals.<\/li>\n<\/ul>\n\n\n\n<p>Access logs, pull request approvals, and branch protection settings are treated as <strong>audit evidence<\/strong>, not operational details.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Cloud-Based CI Runners<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk exposure<\/strong><\/h3>\n\n\n\n<p>Managed or cloud-hosted CI runners:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>execute untrusted code,<\/li>\n\n\n\n<li>access secrets and credentials,<\/li>\n\n\n\n<li>interact with internal and external systems.<\/li>\n<\/ul>\n\n\n\n<p>They often run on <strong>shared infrastructure<\/strong>, increasing exposure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Article 28 expectations<\/strong><\/h3>\n\n\n\n<p>Under Article 
28, organizations must demonstrate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>isolation between runners,<\/li>\n\n\n\n<li>controlled access to secrets,<\/li>\n\n\n\n<li>monitoring of execution environments,<\/li>\n\n\n\n<li>ability to restrict or revoke runner access.<\/li>\n<\/ul>\n\n\n\n<p>Auditors frequently ask:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWho controls the execution environment where your code is built?\u201d<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Marketplace Actions and Plugins<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk exposure<\/strong><\/h3>\n\n\n\n<p>CI\/CD marketplaces introduce <strong>unvetted third-party code<\/strong> directly into pipelines.<\/p>\n\n\n\n<p>Risks include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>supply chain attacks,<\/li>\n\n\n\n<li>malicious updates,<\/li>\n\n\n\n<li>lack of version control,<\/li>\n\n\n\n<li>unclear ownership.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Article 28 expectations<\/strong><\/h3>\n\n\n\n<p>Auditors expect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>governance over which plugins are allowed,<\/li>\n\n\n\n<li>risk assessment for critical actions,<\/li>\n\n\n\n<li>version pinning and review processes,<\/li>\n\n\n\n<li>monitoring of changes over time.<\/li>\n<\/ul>\n\n\n\n<p>Unrestricted marketplace usage is often flagged as a <strong>major Article 28 weakness<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Artifact Registries<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk exposure<\/strong><\/h3>\n\n\n\n<p>Artifact registries store and distribute:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>build outputs,<\/li>\n\n\n\n<li>container images,<\/li>\n\n\n\n<li>internal 
libraries.<\/li>\n<\/ul>\n\n\n\n<p>If compromised, they can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>propagate malicious artifacts,<\/li>\n\n\n\n<li>break deployment integrity,<\/li>\n\n\n\n<li>affect multiple systems simultaneously.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Article 28 expectations<\/strong><\/h3>\n\n\n\n<p>Auditors expect controls covering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>access restrictions,<\/li>\n\n\n\n<li>immutability policies,<\/li>\n\n\n\n<li>artifact signing and verification,<\/li>\n\n\n\n<li>retention of artifact metadata.<\/li>\n<\/ul>\n\n\n\n<p>Artifact registries are treated as <strong>core supply chain components<\/strong>, not passive storage.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Dependency Proxies and External Repositories<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Risk exposure<\/strong><\/h3>\n\n\n\n<p>Dependency proxies and external repositories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pull code from outside the organization,<\/li>\n\n\n\n<li>introduce indirect third-party dependencies,<\/li>\n\n\n\n<li>may change content without notice.<\/li>\n<\/ul>\n\n\n\n<p>This creates <strong>hidden third-party exposure<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Article 28 expectations<\/strong><\/h3>\n\n\n\n<p>Auditors expect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>visibility into dependency sources,<\/li>\n\n\n\n<li>controls to restrict or cache external dependencies,<\/li>\n\n\n\n<li>traceability linking dependencies to builds,<\/li>\n\n\n\n<li>monitoring of dependency changes.<\/li>\n<\/ul>\n\n\n\n<p>SBOMs and dependency logs are often reviewed as <strong>Article 28 evidence<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Core CI\/CD Controls Expected Under Article 
28<\/strong><\/h2>\n\n\n\n<p>Across all CI\/CD-related third-party services, auditors expect to see:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>explicit inclusion in third-party inventories,<\/li>\n\n\n\n<li>risk-based classification and governance,<\/li>\n\n\n\n<li>access isolation and least privilege,<\/li>\n\n\n\n<li>enforceable policies (approvals, gates),<\/li>\n\n\n\n<li>continuous monitoring,<\/li>\n\n\n\n<li>automated evidence generation.<\/li>\n<\/ul>\n\n\n\n<p>CI\/CD pipelines should enforce these controls <strong>by design<\/strong>, not via manual procedures.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Evidence Auditors Commonly Request<\/strong><\/h2>\n\n\n\n<p>For CI\/CD third-party risk, auditors frequently request:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>access logs from Git platforms,<\/li>\n\n\n\n<li>CI execution logs and runner metadata,<\/li>\n\n\n\n<li>approval records and policy gate results,<\/li>\n\n\n\n<li>artifact signing and provenance data,<\/li>\n\n\n\n<li>monitoring alerts involving CI\/CD services.<\/li>\n<\/ul>\n\n\n\n<p>These artefacts are used to validate that <strong>controls are operating<\/strong>, not just defined.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Relationship with Other DORA Article 28 Controls<\/strong><\/h2>\n\n\n\n<p>CI\/CD pipelines often act as the <strong>enforcement layer<\/strong> for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>contractual requirements,<\/li>\n\n\n\n<li>security policies,<\/li>\n\n\n\n<li>exit strategy constraints.<\/li>\n<\/ul>\n\n\n\n<p>They bridge legal, security, and engineering domains \u2014 making them central to Article 28 compliance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Key Takeaway<\/strong><\/h2>\n\n\n\n<p>Under DORA Article 28, CI\/CD 
pipelines are not neutral automation tools.<\/p>\n\n\n\n<p>They are <strong>high-risk ICT third-party integration points<\/strong>.<\/p>\n\n\n\n<p>Organizations that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>explicitly govern CI\/CD third-party services,<\/li>\n\n\n\n<li>enforce controls within pipelines,<\/li>\n\n\n\n<li>and generate continuous evidence<\/li>\n<\/ul>\n\n\n\n<p>are significantly better positioned to pass Article 28 audits and manage real operational risk.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Related Content<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/dora-article-28-architecture-third-party-risk-controls-across-ci-cd-pipelines\/\" data-type=\"post\" data-id=\"364\">DORA Article 28 Architecture: Third-Party Risk Controls Across CI\/CD Pipelines<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/compliance\/dora-article-28-evidence-pack-what-to-show-auditors\/\" data-type=\"post\" data-id=\"347\">DORA Article 28 Evidence Pack \u2014 What to Show Auditors<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/ci-cd-governance\/ci-cd-security-checklist-for-enterprises\/\" data-type=\"post\" data-id=\"32\">CI\/CD Security Checklist for Enterprises<\/a><\/strong><\/li>\n\n\n\n<li><strong><a href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/ci-cd-audit-red-flags-what-immediately-raises-auditor-concerns\/\" data-type=\"post\" data-id=\"264\">CI\/CD Audit Red Flags<\/a><\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n    <section class=\"rds-author-box rds-author-box--audit\"\r\n             dir=\"ltr\" lang=\"en\"\r\n             style=\"border:1px solid rgba(100,116,139,.35);border-radius:14px;padding:16px 18px;margin:26px 0 18px;background:rgba(148,163,184,.08);\">\r\n      <strong style=\"margin:0 0 8px; font-size:14px; font-weight:700; letter-spacing:.02em;\">\u201cAudit-ready\u201d context<\/strong>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Content designed for regulated environments: controls before tools, policy-based enforcement in CI\/CD, and evidence-by-design for audit.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">Focus on traceability, approvals, exception governance and end-to-end evidence retention.<\/p>\r\n      <p style=\"margin:0; font-size:14px; line-height:1.55;\">\r\n        <a href=\"https:\/\/regulated-devsecops.com\/fr\/fr\/about\/\">See the methodology on the About page.<\/a>\r\n      <\/p>\r\n    <\/section>\r\n    \n","protected":false},"excerpt":{"rendered":"<p>DORA Article 28 requires financial entities to manage the risks introduced by third-party ICT service providers. In modern software delivery, CI\/CD pipelines are among the organization&rsquo;s most third-party-dependent systems. 
Git platforms, CI runners, plugins and artifact registries are not mere &#8230; <a title=\"Third-Party Risk in CI\/CD Pipelines under DORA Article 28\" class=\"read-more\" href=\"https:\/\/regulated-devsecops.com\/fr\/regulatory-frameworks\/third-party-risk-in-ci-cd-pipelines-under-dora-article-28\/\" aria-label=\"Read more about Third-Party Risk in CI\/CD Pipelines under DORA Article 28\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126,123],"tags":[],"post_folder":[],"class_list":["post-1411","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks","category-ci-cd-governance"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/comments?post=1411"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/posts\/1411\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/media?parent=1411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/categories?post=1411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/tags?post=1411"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/fr\/wp-json\/wp\/v2\/post_folder?post=1411"}],"curies":[{"name":"wp","h
ref":"https:\/\/api.w.org\/{rel}","templated":true}]}}