
Pipeline Auditor

Security and DevOps specialist focused on auditing CI/CD pipelines, deployment configurations, and infrastructure as code.

Quick Reference

Property | Value
Domain | DevOps
FORGE Stage | 5 (VERIFY)
Version | 1.0.0
Output Types | Audit reports (JSON, Markdown)

Overview

Use this agent when you need to:
  • Audit GitHub Actions workflows for security vulnerabilities
  • Review Railway deployment configurations
  • Identify performance inefficiencies in CI/CD pipelines
  • Ensure compliance with security best practices
  • Generate remediation checklists with prioritized actions
  • Validate supply chain security (pinned actions, dependencies)

The Pipeline Auditor performs comprehensive security and performance analysis of CI/CD infrastructure, delivering actionable findings with severity ratings and remediation steps.

Core Capabilities

Security Audit

Identify vulnerabilities in CI/CD configs (secrets, permissions, supply chain)

Performance Analysis

Find inefficiencies in build/deploy pipelines (caching, parallelization)

Best Practice Review

Check compliance with DevOps standards and industry recommendations

Remediation Planning

Provide prioritized, actionable fix recommendations with code examples

When to Use

  • Auditing security of GitHub Actions workflows
  • Reviewing Railway deployment configurations
  • Identifying exposed secrets or hardcoded credentials
  • Validating supply chain security (action pinning)
  • Finding performance optimization opportunities
  • Ensuring SOC 2 or SLSA compliance

Not suitable for:
  • Application code security audits (use SAST tools)
  • Infrastructure audits beyond CI/CD and deployments
  • Real-time monitoring (this is point-in-time auditing)

Usage Examples

Comprehensive security audit of GitHub Actions workflows:
{
  "auditReport": {
    "generatedBy": "pipeline-auditor",
    "version": "1.0.0",
    "timestamp": "2024-01-15T10:30:00Z",
    "scope": {
      "repository": "so1-io/so1-control-plane-api",
      "auditType": "security",
      "filesAnalyzed": [
        ".github/workflows/ci.yml",
        ".github/workflows/deploy.yml"
      ]
    },
    "summary": {
      "critical": 1,
      "high": 2,
      "medium": 0,
      "low": 0,
      "informational": 0,
      "totalFindings": 3
    },
    "findings": [
      {
        "id": "SEC-001",
        "severity": "critical",
        "category": "secrets",
        "title": "Hardcoded secret in workflow",
        "description": "API key appears hardcoded in deploy.yml line 45",
        "file": ".github/workflows/deploy.yml",
        "line": 45,
        "evidence": "API_KEY: \"sk-live-xxxx...\"",
        "impact": "Secret exposure in repository history",
        "remediation": "Remove hardcoded secret, use GitHub Secrets, rotate key",
        "cwe": "CWE-798"
      },
      {
        "id": "SEC-002",
        "severity": "high",
        "category": "permissions",
        "title": "Overly permissive workflow permissions",
        "description": "Workflow uses 'write-all' instead of least privilege",
        "file": ".github/workflows/ci.yml",
        "line": 8,
        "remediation": "Use granular permissions: contents: read, pull-requests: write",
        "cwe": "CWE-250"
      },
      {
        "id": "SEC-003",
        "severity": "high",
        "category": "supply-chain",
        "title": "Unpinned action versions",
        "description": "Actions use mutable tags instead of SHA pinning",
        "file": ".github/workflows/ci.yml",
        "line": 15,
        "evidence": "uses: actions/checkout@v4",
        "remediation": "Pin to SHA: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11",
        "cwe": "CWE-829"
      }
    ],
    "recommendations": [
      {
        "priority": "immediate",
        "action": "Rotate compromised API key (SEC-001)",
        "owner": "Security team",
        "deadline": "24 hours"
      }
    ]
  }
}
Result: Detailed security findings with CWE mappings, evidence, and immediate action items.

Outputs

Audit Report Structure

interface AuditReport {
  generatedBy: "pipeline-auditor";
  version: "1.0.0";
  timestamp: string;
  scope: {
    repository: string;
    auditType: "security" | "performance" | "full";
    filesAnalyzed: string[];
  };
  summary: {
    critical: number;
    high: number;
    medium: number;
    low: number;
    informational: number;
    totalFindings: number;
  };
  findings: Finding[];
  recommendations: Recommendation[];
  compliance?: ComplianceStatus;
}

Severity Definitions

Severity | Description | Response Time
Critical | Active exploit possible, data exposure | 24 hours
High | Security weakness, requires action | 1 week
Medium | Should be fixed, lower risk | 2 weeks
Low | Best practice violation | 1 month
Informational | Suggestion for improvement | As capacity allows

Compliance Status

{
  "compliance": {
    "soc2": {
      "status": "partial",
      "gaps": ["SEC-001", "SEC-002"],
      "notes": "Secrets management needs improvement for CC6.1"
    },
    "slsa": {
      "level": 1,
      "targetLevel": 2,
      "gaps": ["SEC-003"],
      "notes": "Need hermetic builds and pinned dependencies for Level 2"
    }
  }
}

FORGE Gate Compliance

Entry Gates (Pre-conditions)

  • The repository or configuration to be audited must be specified with appropriate access permissions.
  • The audit type (security, performance, or full) and specific files/workflows to analyze must be determined.
  • Read access to .github/workflows/, railway.json, Dockerfile, and related infrastructure files must be available.

Exit Gates (Post-conditions)

  • A complete audit report with findings, severity ratings, and evidence is produced in JSON format.
  • All security vulnerabilities are categorized by severity (critical, high, medium, low) with CWE mappings.
  • Each finding includes specific, actionable remediation steps with code examples where applicable.
  • If compliance frameworks (SOC 2, SLSA) are relevant, gaps and current status are documented.

Integration Points

Control Plane API

// Store audit results
POST /api/v1/audits
{
  "repository": "so1-io/so1-control-plane-api",
  "auditType": "security",
  "summary": {
    "critical": 1,
    "high": 2,
    "medium": 3
  },
  "findings": [...],
  "auditedAt": "2024-01-15T10:30:00Z"
}

// Retrieve audit history
GET /api/v1/audits?repository=so1-io/so1-control-plane-api

Veritas Prompts

Prompt ID | Purpose
vrt-i9j0k1l2 | Security audit checklist (comprehensive security review criteria)
vrt-m3n4o5p6 | Performance optimization patterns (CI/CD efficiency techniques)

Audit Checklists

GitHub Actions Security

Check | Severity | Description
Secrets in code | Critical | No hardcoded secrets in workflows
Permissions | High | Least-privilege permissions used
Action pinning | High | Actions pinned to SHA, not tags
Third-party actions | Medium | Trusted publishers only
Workflow triggers | Medium | No dangerous trigger combinations (e.g., pull_request_target with code execution)
Environment protection | Medium | Production requires approval
OIDC for cloud | Medium | Use OIDC instead of long-lived tokens
Artifact handling | Low | No sensitive data in artifacts
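
The secrets, permissions and action-pinning checks from the table above, written as a heuristic line scanner that emits findings in the audit report's shape. This is an added example, not the Pipeline Auditor's own code; `audit_workflow`, `summarize` and the sample workflow are hypothetical names and constructed input.

```python
import re
# Constructed sample workflow for this demo; not taken from a real repository.
SAMPLE_WORKFLOW = """\
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      API_KEY: "sk-live-xxxx-constructed"
      TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: ./.github/actions/local-build
"""
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a tag or short SHA
WRITE_ALL = re.compile(r"^\s*permissions:\s*['\"]?write-all\b")
SECRET = re.compile(r"^\s*([\w-]*(?:key|token|secret|password)[\w-]*):\s*(\S.*)$", re.I)

def audit_workflow(path, text):
    """Heuristic line scan; returns findings shaped like the report's entries."""
    findings = []
    def add(severity, category, title, cwe, line_no, evidence):
        findings.append({"id": f"SEC-{len(findings) + 1:03d}", "severity": severity,
                         "category": category, "title": title, "file": path,
                         "line": line_no, "evidence": evidence, "cwe": cwe})
    for n, line in enumerate(text.splitlines(), 1):
        secret, uses = SECRET.match(line), USES.match(line)
        if secret and "${{" not in secret.group(2):
            # Literal value rather than a ${{ secrets.* }} reference; redact it.
            add("critical", "secrets", "Hardcoded secret in workflow", "CWE-798",
                n, f"{secret.group(1)}: <redacted>")
        if WRITE_ALL.match(line):
            add("high", "permissions", "Overly permissive workflow permissions",
                "CWE-250", n, line.strip())
        # Local (./) and docker:// references are outside this check.
        if uses and not (uses.group(1).startswith(("./", "docker://"))
                         or FULL_SHA.search(uses.group(1))):
            add("high", "supply-chain", "Unpinned action versions", "CWE-829",
                n, line.strip())
    return findings

def summarize(findings):
    counts = dict.fromkeys(("critical", "high", "medium", "low", "informational"), 0)
    for finding in findings:
        counts[finding["severity"]] += 1
    return {**counts, "totalFindings": len(findings)}
```

Matching on key names is a heuristic: a line such as `secrets: inherit` would need an allow-list, and a 40-character SHA still has to be checked against the action's upstream repository.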

Railway Security

Check | Severity | Description
Variable exposure | High | No secrets in railway.json
Network policy | Medium | Internal services not publicly exposed
Resource limits | Medium | Memory/CPU limits set appropriately
Health checks | Medium | Health endpoints configured
Replica count | Low | HA (2+ replicas) for production services

Container Security

Check | Severity | Description
Base image | High | Official, minimal base image used
Root user | High | Non-root user configured
Secrets in image | Critical | No secrets baked into Dockerfile
Layer optimization | Low | Multi-stage builds used
Vulnerability scan | Medium | No critical CVEs in dependencies

Agent | Relationship | Use Case
GitHub Actions Engineer | Audits | Reviews generated workflows for security issues
Railway Deployer | Audits | Reviews deployment configs for vulnerabilities
Incident Commander | Escalates | Receives alerts for critical security findings
Runbook Writer | Documents | Creates remediation runbooks from audit findings

Source Files

View Agent Source

Repository: so1-io/so1-agents
Path: agents/devops/pipeline-auditor.md
Version: 1.0.0

Common Patterns

Finding Categories

Security (SEC-xxx):
  • Exposed secrets (hardcoded, in logs, in history)
  • Overly permissive permissions
  • Supply chain risks (unpinned actions, untrusted publishers)
  • Insecure workflow triggers

Performance (PERF-xxx):
  • Missing dependency caching
  • Sequential jobs that could be parallel
  • Inefficient resource allocation
  • Redundant build steps

Best Practice (BP-xxx):
  • Missing concurrency controls
  • No timeout configurations
  • Insufficient error handling
  • Missing documentation

Common Audit Failures

Error | Cause | Resolution
Access denied | Missing repo permissions | Request read access to repository
File not found | Workflow path incorrect | Verify .github/workflows/ directory exists
Parse error | Invalid YAML syntax | Fix YAML syntax before running audit
Rate limit | Too many API calls | Implement rate limiting or use GitHub App

Success Metrics

Metric | Target | Measurement
Finding Accuracy | >95% | Valid findings / total findings
Coverage | 100% | Files analyzed / files in scope
Remediation Rate | >80% | Fixed findings / total findings (30 days)
False Positive Rate | <5% | False positives / total findings
