
Automated Governance

What is it?

Automated Governance is the process of programmatically checking software changes against the organization's required security and compliance standards before they are released to a production environment, and recording the result of each check as an audit trail.

Why would I use it?

Ultimately, an implementation of automated governance contributes to a team's ability to deliver value faster. The goal of automated governance is to let teams address risks earlier in the development process and to produce evidence of the integrity of the assets created during development, rather than relying on manual sign-off at release time.

How is it implemented?

Ideally, an automated governance implementation is achieved through the CI/CD pipeline and its tooling, so that every change passes through the same checks.

For an implementation to work, the participation of both the development team and the governance team is required.

The Governance team is responsible for writing policies and creating automated governance infrastructure that integrates into pipelines.

Automated governance policy checks are run in the CI/CD pipeline to validate the assets before deployment to production; a failing check blocks the release until it is resolved.

The development team is responsible for resolving any failing policy checks for their pipelines.
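The following is an added example of what a policy check stage in such a pipeline can look like; it is not code from this page or from the linked Liatrio project. It assumes the pipeline has already collected evidence about the build (source repository, code review, vulnerability scan, artifact signature verification) into a single structure, and it assumes a hypothetical set of four policies and a hypothetical trusted repository prefix. Each policy returns a pass/fail result with a reason so the report can be kept as an audit record, and a policy whose evidence is missing fails closed rather than passing by default.

```python
"""Added example: a minimal policy-as-code gate for a CI/CD pipeline.

Evidence shape, policies and the trusted repository prefix are
hypothetical; a real implementation would read the evidence produced
by the pipeline's own scanning, review and signing steps.
"""
import json
import sys
from typing import Any, Callable

# Hypothetical: only repositories under this prefix may feed production.
TRUSTED_REPO_PREFIX = "github.com/example-org/"

# A policy takes the collected evidence and returns (passed, reason).
Policy = Callable[[dict[str, Any]], tuple[bool, str]]


def require_signed_artifact(ev: dict[str, Any]) -> tuple[bool, str]:
    """The artifact must carry a signature the pipeline already verified."""
    if ev["artifact"]["signature_verified"] is True:
        return True, "artifact signature verified"
    return False, "artifact signature missing or failed verification"


def require_no_critical_findings(ev: dict[str, Any]) -> tuple[bool, str]:
    """The vulnerability scan must be present and report zero critical findings."""
    critical = ev["scan"]["critical"]
    if critical == 0:
        return True, "scan reports no critical findings"
    return False, f"scan reports {critical} critical finding(s)"


def require_independent_review(ev: dict[str, Any]) -> tuple[bool, str]:
    """At least one approval must come from someone other than the author."""
    change = ev["change"]
    reviewers = set(change["approvers"]) - {change["author"]}
    if reviewers:
        return True, f"independent approval by {sorted(reviewers)}"
    return False, "no approval from someone other than the author"


def require_trusted_source(ev: dict[str, Any]) -> tuple[bool, str]:
    """Source must come from one of the organization's own repositories."""
    repo = ev["source"]["repo"]
    if repo.startswith(TRUSTED_REPO_PREFIX):
        return True, f"source repo {repo} is trusted"
    return False, f"source repo {repo} is outside {TRUSTED_REPO_PREFIX}"


POLICIES: list[Policy] = [
    require_signed_artifact,
    require_no_critical_findings,
    require_independent_review,
    require_trusted_source,
]


def evaluate(evidence: dict[str, Any], policies: list[Policy] = POLICIES) -> dict[str, Any]:
    """Run every policy and build an auditable report.

    A policy that cannot read the evidence it needs fails closed: missing
    or malformed evidence is never treated as a pass.
    """
    results = []
    for policy in policies:
        try:
            passed, reason = policy(evidence)
        except (KeyError, TypeError) as exc:
            passed, reason = False, f"required evidence missing ({exc!r})"
        results.append({"policy": policy.__name__, "passed": passed, "reason": reason})
    return {"passed": all(r["passed"] for r in results), "results": results}


def failed_policies(report: dict[str, Any]) -> list[str]:
    """Names of the policies that failed, for the developer to resolve."""
    return [r["policy"] for r in report["results"] if not r["passed"]]


# Constructed sample evidence for a build that satisfies every policy.
SAMPLE_EVIDENCE: dict[str, Any] = {
    "source": {"repo": "github.com/example-org/payments-api", "commit": "3f2a9c1"},
    "change": {"author": "alice", "approvers": ["bob"]},
    "scan": {"critical": 0, "high": 2},
    "artifact": {"digest": "sha256:" + "ab" * 32, "signature_verified": True},
}


if __name__ == "__main__":
    # Usage: python gate.py [evidence.json]; falls back to the sample evidence.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            evidence = json.load(fh)
    else:
        evidence = SAMPLE_EVIDENCE
    report = evaluate(evidence)
    print(json.dumps(report, indent=2))
    # A non-zero exit code is what makes the pipeline stage block the release.
    sys.exit(0 if report["passed"] else 1)
```

The exit code is the integration point with the pipeline: the stage fails when any policy fails, and the printed report tells the development team which policy to resolve. Treating missing evidence as a failure matters because a skipped scan or an unsigned artifact would otherwise slip through as "no findings".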

Additional info

This was a general description of automated governance. For tooling and implementation details please see the example and demo below:

This example demonstrates how to implement a trusted CI build system using automated governance: https://github.com/liatrio/gh-trusted-builds-app, and this video walks you through it: Demonstrating Enterprise Software Governance with GitHub Actions