
11 Compliance

This chapter covers

  • Ensuring traceability of work
  • Ensuring commits are traceable
  • Enforcing a Four Eyes Principle with pull requests
  • Setting up the CODEOWNERS file to enforce reviewers
  • Enabling mandatory workflows

This chapter helps you set up your GitHub workflows so that you can comply with almost any compliance framework in use in our industry. Most compliance frameworks require two primary risk mitigations. First, you need to be able to prove who made a change, what changed, and when it changed. This is often referred to as traceability of a change. Second, you need to be able to enforce that every change is reviewed by someone other than its author, preferably someone with a different role in the change process. This is referred to as the Four Eyes Principle. In this chapter, we describe how to enable these controls in GitHub so that you can comply with most industry frameworks.
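As an added example (not code from this chapter, and not a GitHub feature), the following POSIX shell script audits a git history for the traceability properties just described: each commit must carry an author identity, a timestamp, a verified signature, and a reference to a work item. The record format is what `git log --format='%H|%an|%ae|%aI|%G?|%s'` prints; the work-item convention (`#<number>` in the subject), the trust rules and the sample commits are assumptions made for the example.

```shell
# Added example, not from the book: audit a git history for traceability.
# Each record is one commit in the format produced by
#   git log --format='%H|%an|%ae|%aI|%G?|%s' <range>
# %G? is git's signature status: G = good, N = unsigned, B = bad, E = cannot
# be checked (key not available), U/X/Y/R = good but with reduced trust.
# The "work item" rule (subject must reference an issue as #<number>) is an
# assumed team convention, not a git or GitHub requirement.

# check_commit RECORD: prints a verdict line and returns 0 only if the commit
# is fully traceable (who, when, signed, linked to a work item).
check_commit() {
  # Split on '|' with parameter expansion (no eval, no heredoc, so a hostile
  # subject line cannot be expanded). Everything after the fifth separator
  # stays in $subject.
  rec=$1
  hash=${rec%%|*};   rec=${rec#*|}
  author=${rec%%|*}; rec=${rec#*|}
  email=${rec%%|*};  rec=${rec#*|}
  date=${rec%%|*};   rec=${rec#*|}
  sig=${rec%%|*};    subject=${rec#*|}

  problems=""
  [ -n "$author" ] && [ -n "$email" ] || problems="$problems no-author"
  case "$email" in *@*) ;; *) problems="$problems bad-email" ;; esac
  case "$date" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T*) ;;
    *) problems="$problems bad-date" ;;
  esac
  case "$sig" in
    G) ;;                                   # verified signature, trusted key
    N) problems="$problems unsigned" ;;
    *) problems="$problems signature-$sig" ;;
  esac
  case "$subject" in
    *'#'[0-9]*) ;;                          # e.g. "Fix timeout (#128)"
    *) problems="$problems no-work-item" ;;
  esac

  if [ -n "$problems" ]; then
    printf 'FAIL %s %s <%s> %s:%s\n' "$hash" "$author" "$email" "$date" "$problems"
    return 1
  fi
  printf 'OK   %s %s <%s> %s %s\n' "$hash" "$author" "$email" "$date" "$subject"
  return 0
}

# audit_log: reads records from stdin, checks each one, prints a summary and
# returns non-zero if any commit fails, so it can gate a CI job.
audit_log() {
  total=0
  failures=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    total=$((total + 1))
    check_commit "$line" || failures=$((failures + 1))
  done
  printf '%d of %d commits traceable\n' "$((total - failures))" "$total"
  [ "$failures" -eq 0 ]
}

# Constructed sample history (not real commits): two traceable commits, one
# unsigned commit, and one commit without a work-item reference.
SAMPLE_LOG='3f1c2a9|Alice Example|alice@example.com|2024-05-02T09:14:00+02:00|G|Fix session timeout handling (#128)
b07d4e1|Bob Example|bob@example.com|2024-05-02T11:30:00+02:00|N|Refactor logging (#131)
9ac5e77|Carol Example|carol@example.com|2024-05-03T08:05:00+02:00|G|Quick fix
d4e8f20|Dave Example|dave@example.com|2024-05-03T16:45:00+02:00|G|Add audit log retention (#129)'

# Run against the sample. To audit a real repository, replace the printf with:
#   git log --format='%H|%an|%ae|%aI|%G?|%s' origin/main..HEAD | audit_log
printf '%s\n' "$SAMPLE_LOG" | audit_log || echo "audit: untraceable commits found"
```

The script deliberately treats anything other than `G` as a failure, including `E` (signature present but the key is not available to the auditor), because a signature that cannot be verified proves nothing about who made the change; relax that rule only if you import the team's public keys into the audit environment.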

11.1 How to ensure traceability of work

11.1.1 How to ensure commits are traceable

11.2 How to enforce a Four Eyes Principle

11.2.1 Enforce segregation of duties with a CODEOWNERS file

11.2.2 Showing end-to-end traceability

11.3 Mandatory workflows

11.4 Summary