Git-native automation · DevSecOps practice

If it isn't in Git, it doesn't exist.

We build the automation serious teams run on — CI/CD pipelines on GitLab and GitHub Actions, GitOps delivery, infrastructure as code across AWS, GCP, and Azure — with security engineered into every stage, not bolted on at the end.

GitLab CI · GitHub Actions · AWS · GCP · Azure · GitOps · IaC
STACK
GitLab CI/CD·GitHub Actions·Terraform / OpenTofu·Argo CD · Flux·Kubernetes·HashiCorp Vault·Sigstore · SLSA·AWS · GCP · Azure
What we do

Practice areas.

Fixed-scope engagements from a one-week pipeline review to multi-month platform builds. Every engagement ends with working pipelines and documentation in your repos — not slides.

01

CI/CD pipeline engineering

Pipelines that are fast, reproducible, and impossible to bypass.

GitLab CI and GitHub Actions architecture done properly — reusable components and workflows, dependency caching that actually hits, OIDC federation to cloud providers instead of long-lived keys, and required checks that make the pipeline the only path to production. We treat CI as a production system, because it is one.

GitLab CI components · Reusable GitHub workflows · OIDC cloud federation · Build-time optimization
02

GitOps & continuous delivery

The cluster state is a Git repo. Everything else is drift.

Argo CD and Flux deployments where every environment is declared, every change is a commit, and every rollback is a revert. Progressive delivery with automated analysis. Drift detection that pages someone when reality diverges from the repo. Preview environments from branches.

Argo CD / Flux architecture · Progressive delivery · Drift detection · Preview environments
03

Infrastructure as code

Cloud infrastructure with a commit history.

Terraform and OpenTofu across AWS, GCP, and Azure — module design that scales past one team, remote state strategy with proper locking, plan-time policy checks, and import workflows for the resources someone once clicked into existence. The goal: the console becomes read-only.

Terraform module design · Multi-cloud landing zones · State & locking strategy · Policy-as-code gates
04

Secrets & identity in pipelines

Short-lived credentials, everywhere. No exceptions.

HashiCorp Vault with dynamic secrets for databases, cloud accounts, and network devices. OIDC trust between your CI provider and your cloud so pipelines authenticate with identity, not with a key pasted into settings two years ago. Key rotation as an automated pipeline, not a quarterly calendar event.

Vault dynamic secrets · CI ↔ cloud OIDC trust · Automated key rotation · Secret scanning gates
05

Supply-chain security in CI

Prove what shipped — and that the pipeline built it.

SLSA-aligned builds that produce signed, attested artifacts with verifiable provenance. SBOM generation and signing with Sigstore. Admission control that refuses anything unsigned. When an incident happens, you answer "what code is in production" from cryptographic evidence, not tribal memory.

SLSA Level 3 pipelines · Sigstore / Cosign signing · SBOM + provenance · Admission control
06

Pipeline-native security checks

Every posture check becomes a commit status.

Security findings that block merges, not findings that age in a dashboard. TLS and domain posture gates, container scanning with policy thresholds, IaC misconfiguration checks, dependency review — wired into the pipeline so the default path is the secure path. Our public TLS check is a working example.

TLS posture gates · Container scan policy · IaC misconfig checks · Dependency review gates
How we think

Six operating principles.

These shape every engagement. They're opinionated on purpose — automation work without an opinion produces pipelines nobody trusts.

If it isn't in Git, it doesn't exist.

Infrastructure, pipelines, policies, runbooks, detection rules — everything lives in a repo with history, review, and rollback. Console changes are incidents waiting for a root cause.

Pipelines are production.

CI runners have credentials to everything you own. We design them with the same rigor as customer-facing systems: least privilege, short-lived identity, audit trails, and tested disaster recovery.

Short-lived credentials only.

A static key in CI settings is a breach with a delay timer. OIDC federation between your CI provider and your cloud means every job authenticates with identity that expires in minutes.

Checks shift left until they're commit statuses.

A security finding in a quarterly report is noise. The same finding as a failed merge check is a fix. We wire posture, policy, and provenance into the pipeline so the secure path is the default path.

Reproducible or broken.

A build that works "on the runner" but can't be reproduced from a clean clone is already broken — you just haven't needed to prove it yet. Pinned dependencies, hermetic builds, attested provenance.

Document in the repo, for the next engineer.

Architecture Decision Records next to the Terraform. Runbooks with exact commands next to the pipelines. The work outlasts the engagement because it lives where the work lives.

What we believe

Positions.

Opinions, stated clearly. These shape what engagements we take on and what we recommend when we do. Read them as a calibration before working with us.

BULLISH

OIDC federation between CI and cloud.

GitHub Actions and GitLab CI both issue OIDC tokens that AWS, GCP, and Azure can trust natively. That kills the single most common breach vector in modern delivery: long-lived cloud keys sitting in CI variables. Migration takes days, removes an entire credential class, and costs nothing. There is no longer a defensible reason to keep static cloud keys in pipeline settings.
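An added example, not the page's or the firm's own workflow: a GitHub Actions job that spends the runner's OIDC token twice, once to assume an AWS role through the federation described above and once for Sigstore keyless signing of the image it built. ORG/REPO, the role ARN, the region and the action versions are placeholders.

```yaml
# .github/workflows/release.yml (added example; ORG/REPO, the role ARN and the
# action versions are placeholders to replace with your own, SHA-pinned values)
name: release
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write      # lets the job request an OIDC token from GitHub
  packages: write      # push the image and attestation to GHCR
  attestations: write  # record the provenance attestation in GitHub
jobs:
  build-sign-push:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/ORG/REPO
    steps:
      - uses: actions/checkout@v4
      # Cloud credentials for the deploy steps that follow (omitted here) come from
      # the OIDC token: no AWS key lives in repository secrets. The role's trust
      # policy decides which repo and branch may assume it.
      - name: Assume AWS role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-release   # placeholder
          aws-region: eu-west-1
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      # Keyless signing: cosign trades the same OIDC token for a short-lived Fulcio
      # certificate bound to this workflow's identity and logs the signature in
      # Rekor. Sign the immutable digest, never the mutable tag.
      - uses: sigstore/cosign-installer@v3
      - name: Sign image
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"
      # SLSA build provenance for the same digest, stored next to the image.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```

The IAM role's trust policy must check both claims: `token.actions.githubusercontent.com:aud` equal to `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` matching `repo:ORG/REPO:ref:refs/heads/main`; a policy that conditions only on `aud` lets any GitHub repository assume the role. The account also needs the GitHub OIDC identity provider registered in IAM once, which belongs in Terraform like everything else.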

BEARISH

ClickOps — even "just this once."

Every console change creates a resource with no history, no review, and no owner. Six months later it's load-bearing and nobody knows why. The fix isn't discipline — discipline doesn't scale. The fix is making the pipeline path easier than the console path, then making the console read-only.

BULLISH

GitOps with drift detection as the deployment model.

Declared state in Git, an operator reconciling the cluster toward it, and alerts when reality diverges. Rollback becomes git revert. Audit becomes git log. Disaster recovery becomes pointing a fresh cluster at the repo. Argo CD and Flux are both mature; the pattern matters more than the tool.
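As an added example (not the page's own configuration), an Argo CD Application with self-healing automated sync, paired with a Prometheus alert on sustained drift; the repo URL, path, namespaces and the Prometheus Operator are assumptions.

```yaml
# Argo CD Application plus a drift alert (added example; repoURL, path and
# namespaces are placeholders; the PrometheusRule assumes the Prometheus Operator).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-prod
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/ORG/platform-manifests.git
    targetRevision: main
    path: envs/prod/payments
  destination:
    server: https://kubernetes.default.svc
    namespace: payments
  syncPolicy:
    automated:
      prune: true      # a resource removed from Git is removed from the cluster
      selfHeal: true   # a kubectl edit is reverted to the declared state
    syncOptions:
      - CreateNamespace=true
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: argocd-drift
  namespace: argocd
spec:
  groups:
    - name: argocd
      rules:
        - alert: ArgoAppOutOfSync
          # argocd_app_info is exported by the application controller. With
          # selfHeal on, drift is normally corrected within a sync interval, so an
          # OutOfSync that persists means something is fighting the reconciler.
          expr: argocd_app_info{sync_status="OutOfSync"} == 1
          for: 10m
          labels:
            severity: page
          annotations:
            summary: '{{ $labels.name }} has been out of sync with Git for 10m'
```

With this in place a rollback is `git revert` on the manifests repo; the operator converges the cluster to the reverted commit and the alert clears on its own.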

BEARISH

Snowflake CI servers.

A self-hosted CI box that someone configured by hand in 2021, that nobody dares restart, with credentials to every environment — that is not infrastructure, it is a hostage situation. Runners should be ephemeral, defined as code, and rebuilt from scratch without ceremony.

BULLISH

Signed, attested builds as table stakes.

SLSA provenance and Sigstore signing are operationally cheap now — a few lines in a workflow. Combined with admission control that refuses unsigned artifacts, they turn "what is running in production?" from an investigation into a query. Teams that adopt this before their first supply-chain incident are the ones that get to skip having a story about it.
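The admission-control half of that position, as an added example rather than anything from the page: a Kyverno policy that refuses any Pod whose image does not carry a keyless Sigstore signature from one specific workflow identity. Kyverno is an assumption (the page names no admission controller) and ORG/REPO is a placeholder.

```yaml
# Kyverno ClusterPolicy (added example; Kyverno is assumed as the admission
# controller and ORG/REPO is a placeholder for the signing repository).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  validationFailureAction: Enforce   # Audit only logs; Enforce refuses the Pod
  failurePolicy: Fail                # Fulcio/Rekor unreachable means fail closed
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/ORG/*"
          mutateDigest: true        # tags are rewritten to the verified digest
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Identity Fulcio wrote into the signing certificate: only the
                    # release workflow on the main branch of this repo. A broader
                    # subject (say, the whole org) would accept images signed from
                    # any repo or branch there.
                    subject: "https://github.com/ORG/REPO/.github/workflows/release.yml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Roll it out with `validationFailureAction: Audit` first and read the policy reports; switching to Enforce before every running image is signed turns the next rollout into an outage.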

NEUTRAL

Monorepo vs. polyrepo.

Both work. Monorepos buy atomic cross-cutting changes and shared tooling at the cost of CI complexity and access-control granularity. Polyrepos buy isolation and simple permissions at the cost of version-drift coordination. The wrong answer is migrating to whichever one you don't have because a blog post said so. Pick based on your team topology and stay put.

gitlogy checks

Posture gates for your pipeline.

The first public check audits TLS, certificate, DNS, and header posture for any domain — 25+ findings with AI-prioritized remediation. Run it interactively, or call the API from CI and fail the build when the score drops below your threshold.

.github/workflows/deploy.yml
tls-gate:
  runs-on: ubuntu-latest
  steps:
    - name: TLS posture gate
      run: |
        set -euo pipefail   # an empty or non-numeric score fails the job instead of slipping through
        # -f turns an HTTP error from the API into a non-zero exit; -r prints the score unquoted
        SCORE=$(curl -fsS "https://gitlogy.com/api/scan?domain=example.com" | jq -r .score)
        echo "TLS score: ${SCORE}"
        test "${SCORE}" -ge 90   # fail the pipeline below A grade
25+: findings across certificate, chain, TLS, DNS, headers
JSON: one GET request; pipe it into jq, gate on any field
PQ: hybrid X25519MLKEM768 key-exchange detection
AI: findings translated into prioritized remediation
Start an engagement

Bring us the pipeline nobody wants to touch.

Discovery calls are 30 minutes. We listen, push back where it helps, and tell you honestly whether the engagement is a fit. If it isn't, we'll often point you to someone or something that is.

Remote-first · Available across EU, APAC, and the Americas.