# Gate 03 — CI/CD security

**State at `v1.1.0`: 🟡 FAIL** until either (a) GitHub plan upgraded for protection rules, or (b) reusable workflows ship and current CI runs green on `main` (current state on the merge commit: failed — to be fixed).

## Required items

| Item                                                         | Required | State                                                                                                                              |
| ------------------------------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| All required checks defined in `.github/workflows/ci.yml`    | yes      | ✅ PASS                                                                                                                             |
| Coverage gate ≥ 70% on backend                               | yes      | ✅ PASS — enforced by reusable `python-quality.yml`                                                                                 |
| `secret-scan` job is blocking                                | yes      | ✅ PASS                                                                                                                             |
| Reusable workflows live in dedicated repo (`edge-workflows`) | yes      | ✅ PASS — reference exists; reusable repo population pending                                                                        |
| Branch protection enforces required checks on `main`         | partial  | 🟡 **FAIL** — GitHub Free does not allow CODEOWNERS enforcement; reviewer discipline is the enforced policy until paid GitHub plan |

## The 7 required checks

| # | Job                | What it asserts                                                  |
| - | ------------------ | ---------------------------------------------------------------- |
| 1 | `backend-quality`  | Ruff lint + format + Mypy + Pytest @ 70% line coverage           |
| 2 | `frontend-quality` | TypeScript type check + ESLint + Vitest + Vite build             |
| 3 | `secret-scan`      | Gitleaks on full history of the PR branch                        |
| 4 | `dependency-audit` | `pip-audit --strict` + `npm audit --audit-level=high --omit=dev` |
| 5 | `docker-build`     | Dockerfile produces a valid image                                |
| 6 | `container-scan`   | Trivy on built image, HIGH+CRITICAL block (no `allow_failure`)   |
| 7 | `sbom`             | Syft emits SPDX-JSON SBOM, uploaded as artefact                  |

## Closing plan

1. Upgrade to GitHub Team plan (org-level decision).
2. Configure branch protection on `main`: require all 7 checks, require CODEOWNERS approval, dismiss stale reviews on push.
3. Get CI green on `main` (root cause of current failure: reusable workflows in `edge-workflows` not yet populated).

When both land, this gate flips ✅ in the same commit.
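
To make step 2 of the closing plan checkable rather than a matter of reviewer discipline, the following added example (not part of the gate document or the `edge-governance` repo) evaluates a branch-protection payload, as returned by the GitHub REST endpoint `GET /repos/{owner}/{repo}/branches/main/protection`, against the 7 required checks and the two review rules listed above. The sample payload is constructed for illustration.

```python
"""Check a GitHub branch-protection payload against the Gate 03 contract."""
import json

# The 7 required job names from the table above.
REQUIRED_CHECKS = {
    "backend-quality", "frontend-quality", "secret-scan", "dependency-audit",
    "docker-build", "container-scan", "sbom",
}


def gate03_findings(protection: dict) -> list[str]:
    """Return a list of findings; an empty list means the gate passes.

    `protection` is the JSON body of
    GET /repos/{owner}/{repo}/branches/main/protection (GitHub REST API).
    """
    findings = []
    rsc = protection.get("required_status_checks") or {}
    # Older payloads list plain strings under `contexts`; newer ones also
    # carry objects with a `context` key under `checks`. Accept both.
    contexts = set(rsc.get("contexts") or [])
    contexts |= {c["context"] for c in rsc.get("checks") or [] if c.get("context")}
    missing = sorted(REQUIRED_CHECKS - contexts)
    if missing:
        findings.append("required checks not enforced: " + ", ".join(missing))
    reviews = protection.get("required_pull_request_reviews") or {}
    if not reviews.get("require_code_owner_reviews"):
        findings.append("CODEOWNERS approval not required")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("stale reviews are not dismissed on push")
    return findings


# Constructed sample: a partially protected `main` with only 3 of 7 checks.
SAMPLE_PARTIAL = json.loads("""{
  "required_status_checks": {"strict": true,
    "contexts": ["backend-quality", "frontend-quality", "secret-scan"]},
  "required_pull_request_reviews": {"dismiss_stale_reviews": false,
    "require_code_owner_reviews": false, "required_approving_review_count": 1}
}""")

if __name__ == "__main__":
    for finding in gate03_findings(SAMPLE_PARTIAL):
        print("FAIL:", finding)
```

Fed the live payload (for example via `gh api repos/OWNER/REPO/branches/main/protection`), an empty finding list is the mechanical equivalent of the gate flipping to PASS.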

## Why it matters

CI green is the "tests pass" signal. Branch protection is the "no one can bypass" signal. Without protection at the platform level, the contract is enforced by reviewer discipline only — which is documented in [`DEV_PROCESS.md`](https://github.com/NKAP360-dev/edge-governance/blob/main/DEV_PROCESS.md) but is not mechanically verifiable.

## Compliance mapping

* ISO 27001 Annex A.8.7 (Malware protection — container scans).
* ISO 27001 Annex A.8.9 (Configuration management — CI as code).
* ISO 27001 Annex A.8.27 (Secure architecture).
* ISO 27001 Annex A.8.32 (Change management).
