✅ Prevent self-approvals
✅ Detect reassigned approvals
✅ Enforce runtime approver validation
In modern CI/CD platforms, any user with pipeline permissions can often:
- Approve their own code
- Reassign approvals to fake accounts
- Bypass role-based separation of duties (SoD)
SecureCICD closes this gap by enforcing approval integrity at runtime, even where the platform UI or DevOps permission settings do not.
At deployment time, the pipeline calls:

```http
POST /validate-approval
```
SecureCICD checks:
- Was the approver the original author?
- Was the approval reassigned?
- Is the approver on the approved allowlist (env-based or group-based)?
If any check fails → 403 Forbidden
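The three checks above, written out as an added example in plain Python. This is not SecureCICD's own `src/main.py`; it assumes the allowlist is keyed by `pipeline_id` (the README's "env-based" case) with group membership resolved from a local table (the "group-based" case), and that a request missing a field is answered with 400 rather than 403. The user names and groups are constructed for the example.

```python
"""Illustrative approval-integrity check (added example, not SecureCICD's code).

Implements the three runtime checks:
  1. self-approval   (approver == author)
  2. reassigned approval
  3. approver not on the allowlist for the target pipeline/environment
The allowlist layout and group table below are assumptions for this example.
"""
from typing import Dict, Set, Tuple

# Constructed allowlist: per pipeline/environment, explicit users and groups
# that may approve. GROUP_MEMBERS stands in for an identity-provider lookup.
ALLOWLIST: Dict[str, Dict[str, Set[str]]] = {
    "deploy-prod": {"users": {"release-admin"}, "groups": {"sre-oncall"}},
    "deploy-staging": {"users": set(), "groups": {"developers"}},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "sre-oncall": {"sre-1", "sre-2"},
    "developers": {"developer-a", "developer-b"},
}

# Messages match the 403 bodies shown in the README.
SELF_APPROVAL = "Self-approval not allowed"
REASSIGNED = "Approval reassignment not allowed"
NOT_ALLOWLISTED = "Approver not in allowlist"


def is_allowlisted(approver: str, pipeline_id: str) -> bool:
    """True if the approver is listed directly or via a group for this pipeline."""
    entry = ALLOWLIST.get(pipeline_id)
    if entry is None:
        return False  # unknown pipeline: fail closed
    if approver in entry["users"]:
        return True
    return any(approver in GROUP_MEMBERS.get(g, set()) for g in entry["groups"])


def validate_approval(payload: dict) -> Tuple[int, str]:
    """Return (HTTP status, message) for a /validate-approval request body."""
    required = ("approver", "author", "reassigned", "pipeline_id", "commit_id")
    missing = [k for k in required if k not in payload]
    if missing:
        return 400, "Missing fields: " + ", ".join(missing)
    approver = payload["approver"]
    # Check 1: the approver must not be the author of the change.
    if approver == payload["author"]:
        return 403, SELF_APPROVAL
    # Check 2: an approval handed over to another account is rejected outright.
    if payload["reassigned"] is True:
        return 403, REASSIGNED
    # Check 3: the approver must be on the allowlist for this pipeline.
    if not is_allowlisted(approver, payload["pipeline_id"]):
        return 403, NOT_ALLOWLISTED
    return 200, "Approval accepted for commit " + payload["commit_id"]


if __name__ == "__main__":
    # The README's sample request: release-admin approving developer-a's commit.
    sample = {
        "approver": "release-admin",
        "author": "developer-a",
        "reassigned": False,
        "pipeline_id": "deploy-prod",
        "commit_id": "abc123def",
    }
    print(validate_approval(sample))
```

One point to check when wiring this into a real pipeline: check 1 only works if `approver` and `author` carry the same form of identity. In the GitHub step below, `github.actor` is a login while `commits[0].author.name` is the git author display name, so the two fields should be normalised to the same identifier before comparison.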
```yaml
- name: Validate approval
  run: |
    # --fail makes curl exit non-zero on a 403, so the job stops instead of continuing
    curl --fail -sS -X POST https://securecicd.com/validate-approval \
      -H "Content-Type: application/json" \
      -d '{
        "approver": "${{ github.actor }}",
        "author": "${{ github.event.commits[0].author.name }}",
        "reassigned": false,
        "pipeline_id": "${{ github.workflow }}",
        "commit_id": "${{ github.sha }}"
      }'
```
Run the validator locally and confirm it is up:

```bash
uvicorn src.main:app --reload
curl http://localhost:8000/health
```
Example request body:

```json
{
  "approver": "release-admin",
  "author": "developer-a",
  "reassigned": false,
  "pipeline_id": "deploy-prod",
  "commit_id": "abc123def"
}
```
Possible 403 responses:

```text
403 Self-approval not allowed
403 Approval reassignment not allowed
403 Approver not in allowlist
```
```text
SecureCICD/
├── src/                      # FastAPI validator
├── tests/                    # Unit tests
├── .github/actions/          # GitHub integration
├── .azuredevops-extension/   # Azure Pipelines task
├── docs/                     # Static site + blog (GitHub Pages)
├── README.md                 # Developer quickstart
├── DEPLOYMENT.md             # DevOps/SecOps integration guide
└── ARCHITECTURE.md           # Internal system design
```
SecureCICD is directly aligned with:
- OWASP CI/CD Top 10
- SOC 2 / SOX separation of duties
- DORA approval integrity requirements
- GitHub Enterprise / Azure DevOps audit trail goals
MIT. Free for commercial and private use.
Created by NextSecurity 🛡️