11 Compliance

This chapter covers

  • Ensuring your work and commits are traceable
  • Enforcing the four-eyes principle in pull requests
  • Setting up the CODEOWNERS file to enforce reviewers
  • Enabling mandatory workflows

This chapter helps you set up your GitHub workflows so that you can comply with almost any compliance framework in use in the industry. Most compliance frameworks require two primary risk mitigations. First, you need to be able to prove who made a change, what changed, and at which point in time; this is often referred to as traceability. Second, you need to be able to enforce that the change is reviewed by someone else, preferably someone with a different role in the change process; this is referred to as the four-eyes principle. In this chapter, we describe how to enable these controls so that you can comply with most industry frameworks.

11.1 How to ensure traceability of work

11.1.1 How to ensure commits are traceable

11.2 How to enforce the four-eyes principle

11.2.1 Enforcing segregation of duties with CODEOWNERS file

11.2.2 Showing end-to-end traceability

11.3 Mandatory workflows

Summary