Module 2: Built-in Compliance & Security

In this module, you’ll demonstrate how OpenShift Pipelines integrates security scanning and policy enforcement directly into automated workflows, reducing vulnerabilities by 90% while maintaining the accelerated deployment velocity HealthTech achieved in Module 1.

Part 1: Automated Security Scanning in Pipelines

Know

HealthTech faces a critical compliance challenge: manual security reviews discover 200+ vulnerabilities monthly, and remediation restarts the entire 3-week deployment cycle. Healthcare regulations (HIPAA, SOC2) require comprehensive security controls, but traditional "security at the end" approaches slow deployment velocity.

Current Security Process:

  • Developer commits code without security feedback

  • Application is built and deployed to staging environment

  • Security team manually reviews configuration (4-6 days later)

  • Vulnerability scanning happens after deployment (not before)

  • Discovered vulnerabilities require complete deployment restart (3 weeks)

Business Impact of Manual Security:

  • 200+ vulnerabilities discovered monthly in production deployments

  • Average remediation time: 4-6 weeks per vulnerability

  • Security team is a bottleneck, blocking all deployments for review

  • Compliance audit preparation consumes 3 FTEs for 6 weeks annually

  • Risk of HIPAA violations and regulatory fines for healthcare data exposure

Healthcare Regulatory Requirements:

HIPAA (Health Insurance Portability and Accountability Act):

  • Protected Health Information (PHI) must be encrypted in transit and at rest

  • Access controls must restrict PHI to authorized users only

  • Audit trails must track all PHI access and modifications

  • Security risk assessments must be conducted regularly

  • Breach notification required within 60 days of discovery

SOC2 (System and Organization Controls):

  • Security controls must be documented and tested

  • System availability and confidentiality must be ensured

  • Change management processes must be auditable

  • Vulnerability management must be proactive

  • Annual audits validate control effectiveness

What OpenShift Pipelines Changes:

OpenShift Pipelines integrates security scanning directly into the CI/CD workflow using "shift-left" security practices. Container image scanning, vulnerability detection, and policy enforcement happen automatically during the build process, before code reaches production.

Benefits of Automated Security:

  • Vulnerabilities discovered during build (minutes) instead of post-deployment (weeks)

  • Developer feedback loop: fix issues in the same sprint, not months later

  • Policy enforcement prevents non-compliant images from deploying

  • Automated compliance evidence for HIPAA and SOC2 audits

  • 90% reduction in production vulnerabilities through early detection

Show

Optional visual: Architecture diagram showing security scanning integrated into pipeline stages (git-clone → build → scan → policy-check → deploy)

What I say:

"HealthTech’s security team currently reviews deployments manually, discovering vulnerabilities weeks after code is written. Let me show you how OpenShift Pipelines integrates automated security scanning directly into the deployment workflow, catching vulnerabilities before they reach production."

What I do:

  1. Return to the OpenShift web console

    • You should still be logged in from Module 1

    • Navigate to the Developer perspective

    • Select the healthtech-pipelines project

  2. Add security scanning to your existing pipeline

    • In the left navigation, click "Pipelines"

    • Click the healthtech-patient-portal-pipeline you created in Module 1

    • Click "Actions" → "Edit Pipeline"

  3. Add the image scanning Task

    • Click "+ Add task" after the buildah Task (before deployment)

    • Search for skopeo-copy or use a custom scanning Task

    • For this demo, we’ll simulate with an openshift-client Task that runs image inspection

  4. Insert a security scanning simulation Task

    • Click "+ Add task" between buildah and openshift-client

    • Search for openshift-client Task

    • Name it: security-scan

    • This Task will simulate vulnerability scanning (in production, use Quay security scanning or integrated tools)

  5. Configure the security scan Task

    • In the SCRIPT field, enter:

      # Simulate security scanning
echo "Running container image security scan..."
oc image info image-registry.openshift-image-registry.svc:5000/healthtech-pipelines/patient-portal:latest

echo "Checking for known vulnerabilities..."
echo "✓ No critical vulnerabilities detected"
echo "✓ No high-severity vulnerabilities detected"
echo "⚠ 2 medium-severity vulnerabilities detected (acceptable threshold)"

echo "Security scan passed - proceeding to deployment"

  6. Add policy enforcement logic

    • Update the script to include policy checks:

      # Simulate security scanning
echo "Running container image security scan..."
oc image info image-registry.openshift-image-registry.svc:5000/healthtech-pipelines/patient-portal:latest

echo "Checking for known vulnerabilities..."
CRITICAL_VULNS=0
HIGH_VULNS=0
MEDIUM_VULNS=2

if [ $CRITICAL_VULNS -gt 0 ] || [ $HIGH_VULNS -gt 0 ]; then
  echo "❌ Security scan FAILED: Critical or high-severity vulnerabilities detected"
  echo "Pipeline halted - vulnerabilities must be remediated before deployment"
  exit 1
fi

echo "✓ Security scan PASSED - no critical or high-severity vulnerabilities"
echo "⚠ $MEDIUM_VULNS medium-severity vulnerabilities (within acceptable threshold)"
echo "Proceeding to deployment..."

  7. Save the updated pipeline

    • Click "Save" to update the pipeline definition

    • Your pipeline now includes automated security scanning between build and deployment

  8. Run the pipeline with security scanning

    • Click "Actions" → "Start"

    • Click "Start" to trigger a new PipelineRun

    • Watch the pipeline execute with the new security-scan Task

  9. Observe the security scanning Task

    • The pipeline visualization shows: git-clone → buildah → security-scan → openshift-client

    • Click the security-scan Task to view logs

    • See the automated vulnerability check results

    • Notice that deployment only proceeds after security scan passes

What they should notice:

  • ✓ Security scanning happens automatically during the build process (not weeks later)

  • ✓ Policy enforcement prevents vulnerable images from reaching production

  • ✓ Developers get immediate feedback if vulnerabilities are detected

  • ✓ No manual security team review required for every deployment

  • Metric highlight: "HealthTech’s security team reviewed every deployment manually, taking 4-6 days. This automated scan completes in 2 minutes and blocks vulnerable code before it deploys."

Optional visual: Screenshot of pipeline with security-scan Task showing green checkmark and vulnerability report

If asked:

Q: "What scanning tools does OpenShift Pipelines support?"

A: "OpenShift Pipelines integrates with multiple scanning tools:

  • Red Hat Quay: Built-in vulnerability scanning with Clair engine

  • Trivy: Open-source container scanning

  • Anchore: Policy-based scanning and compliance

  • Snyk: Developer-focused vulnerability detection

  • Aqua Security, Prisma Cloud: Enterprise security platforms

You choose the tool that matches your existing security stack, and OpenShift Pipelines orchestrates it automatically."

Q: "How do we customize security policies for our specific compliance requirements?"

A: "OpenShift provides multiple policy enforcement mechanisms:

  • Image Registry Policies: Define which registries are trusted

  • Security Context Constraints (SCCs): Control container permissions

  • Network Policies: Restrict network access between applications

  • Admission Controllers: Block deployments that violate custom rules

We can configure these policies to match your specific HIPAA and SOC2 requirements."

Q: "What happens if a vulnerability is discovered in production?"

A: "OpenShift Pipelines combined with image scanning provides continuous monitoring:

  1. Quay continuously scans all images in your registry

  2. If a new vulnerability (CVE) is published, Quay flags affected images

  3. Automated notifications alert your team via Slack, email, or ticketing systems

  4. Trigger a pipeline rebuild with patched base images

  5. Redeployment follows your standard approval process

This proactive approach reduces exposure time from weeks to hours."

Part 2: Policy Enforcement and Compliance Automation

Know

Beyond vulnerability scanning, HealthTech must prove compliance with healthcare regulations through comprehensive audit trails, access controls, and automated policy enforcement. Manual compliance processes cannot scale with 40% annual growth and 5x faster deployment velocity.

Current Compliance Burden:

  • Annual SOC2 audit preparation: 3 FTEs × 6 weeks = 18 person-weeks

  • Quarterly HIPAA compliance reviews: Manual evidence collection across teams

  • Change management documentation: Spreadsheets and tickets scattered across systems

  • Audit trail reconstruction: Correlating Git commits, tickets, and deployment logs manually

  • Policy enforcement: Manual security team review for every deployment

Compliance Requirements for Healthcare:

Change Management (SOC2):

  • All production changes must be documented with who, what, when, why

  • Approval workflows must be enforced for production deployments

  • Rollback procedures must be tested and validated

  • Change success/failure must be tracked

Access Controls (HIPAA):

  • Principle of least privilege: Users only have access needed for their role

  • Multi-factor authentication for production access

  • Audit logs for all privileged actions

  • Automatic session termination after inactivity

Data Protection (HIPAA):

  • PHI encryption in transit (TLS 1.2+) and at rest (AES-256)

  • Encryption key management with rotation

  • Data access logging and monitoring

  • Automated breach detection and notification

What OpenShift Pipelines Provides for Compliance:

Automated Audit Trails:

  • Every pipeline run logged with user, timestamp, Git commit, and artifacts

  • Immutable records stored in OpenShift (cannot be tampered with)

  • Integration with SIEM systems (Splunk, ELK) for centralized compliance reporting

  • Git history + pipeline logs + deployment records = complete change audit trail

Policy as Code:

  • Admission webhooks enforce policies automatically (no manual review)

  • Policies defined in Git, versioned and auditable

  • Consistent enforcement across all environments and regions

  • Automated blocking of non-compliant deployments

Role-Based Access Control (RBAC):

  • OpenShift RBAC integrated with enterprise identity providers (Active Directory, Okta)

  • Developers can run pipelines, but cannot bypass security checks

  • Production deployments require approval from authorized personnel

  • All access logged for audit purposes

Show

What I say:

"HealthTech spends 18 person-weeks annually preparing for SOC2 audits, manually collecting evidence of compliance controls. Let me show you how OpenShift Pipelines generates automated audit trails and enforces policies, reducing audit preparation from weeks to days."

What I do:

  1. Demonstrate automated audit trail

    • In the OpenShift web console, navigate to the Pipelines view

    • Click the healthtech-patient-portal-pipeline

    • Click the "PipelineRuns" tab to see execution history

  2. Show detailed audit information

    • Click the most recent PipelineRun

    • Observe the audit trail information:

    • Who: User who triggered the pipeline (or automated webhook)

    • What: Git commit SHA, branch, repository URL

    • When: Timestamp of pipeline start and completion

    • Why: Commit message and associated ticket/issue number

    • Outcome: Success or failure, with detailed logs

  3. Export audit trail for compliance reporting

    • Click "Actions" → "View YAML"

    • Show the PipelineRun resource definition

    • Explain: "This YAML contains complete audit trail information that can be exported for compliance reporting"

  4. Demonstrate policy enforcement with approval gates

    • Navigate to "Pipelines" → "Create" → "Pipeline"

    • Explain: "For production deployments, HealthTech requires approval from authorized personnel. Let me show you how to add approval gates to pipelines."

  5. Add a manual approval Task (simulation)

    • Add a Task called manual-approval

    • Explain the approval workflow:

      # Pipeline pauses at this Task
# Authorized approvers receive notification
# Deployment proceeds only after approval
# All approvals logged for audit trail

  6. Show integration with external approval systems

    • Explain: "OpenShift Pipelines integrates with approval tools like:

    • ServiceNow: Create change request, wait for approval

    • Slack: Post approval request, wait for authorized user response

    • Jira: Link deployment to ticket, require ticket status change

    • Custom webhooks: Integrate with any approval system via API"

  7. Demonstrate compliance reporting

    • Navigate to a different terminal or browser tab

    • Show a sample compliance report generated from pipeline data:

      # Example: Generate compliance report for Q4 2024
oc get pipelineruns -n healthtech-pipelines \
  -o json | jq '.items[] | {
    timestamp: .status.startTime,
    user: .metadata.labels.user,
    commit: .spec.params[] | select(.name=="git-revision") | .value,
    outcome: .status.conditions[].status
  }'

  8. Show the compliance report output

    • Explain: "This JSON output can be ingested by Splunk, ELK, or compliance reporting tools"

    • Highlight the automatic evidence generation:

    • All production deployments

    • User who deployed

    • Git commit and code review evidence

    • Security scan results

    • Success/failure outcomes

What they should notice:

  • ✓ Complete audit trail generated automatically (no manual documentation)

  • ✓ Immutable records stored in OpenShift (tamper-proof evidence)

  • ✓ Approval gates enforce policy without slowing developer velocity

  • ✓ Integration with enterprise compliance tools (ServiceNow, SIEM)

  • Metric highlight: "HealthTech’s annual SOC2 audit preparation drops from 18 person-weeks to 2 person-weeks. Automated audit trails eliminate manual evidence collection."

Optional visual: Screenshot of PipelineRun details showing complete audit trail (user, timestamp, commit, outcome)

If asked:

Q: "How do we integrate with our existing ServiceNow change management process?"

A: "OpenShift Pipelines can integrate with ServiceNow in two ways:

  1. Approval Gates: Pipeline pauses and creates ServiceNow change request. Deployment proceeds only after approval.

  2. Notification: Pipeline posts deployment details to ServiceNow for tracking, but doesn’t block deployment.

For HealthTech’s HIPAA requirements, we’d recommend option 1 for production deployments."

Q: "Can we customize audit log retention and storage?"

A: "Yes. OpenShift Pipelines stores PipelineRun resources in etcd (Kubernetes database) with configurable retention:

  • Default: PipelineRuns retained for 30 days

  • Extended: Configure retention policy for 1 year+ (compliance requirement)

  • External Export: Forward logs to external SIEM (Splunk, ELK, Datadog) for long-term storage

For healthcare compliance, we recommend 7-year retention in external SIEM systems."

Q: "How do we prove that security scans actually ran and weren’t bypassed?"

A: "OpenShift Pipelines enforces Task execution order. If your pipeline is defined as:

  1. git-clone → buildah → security-scan → deploy

The deploy Task cannot run until security-scan completes successfully. This is enforced by Kubernetes admission controllers and cannot be bypassed without cluster admin privileges. Additionally:

  • RBAC controls who can edit pipeline definitions

  • All pipeline definition changes are tracked in Git

  • Admission webhooks can block deployment of non-scanned images

For HIPAA compliance, we also recommend image signing (Red Hat Sigstore integration) to cryptographically prove images passed security scans."

Part 3: Continuous Compliance Monitoring

Know

Static compliance checks during deployment are necessary but not sufficient. HealthTech must continuously monitor deployed applications for configuration drift, newly discovered vulnerabilities, and policy violations in production environments across 11 regional data centers.

The Challenge of Continuous Compliance:

  • New CVEs (Common Vulnerabilities and Exposures) published daily

  • Configuration drift occurs when manual changes bypass CI/CD

  • Policy violations may occur in production due to user error or malicious activity

  • Multi-region deployments require consistent compliance posture across all locations

Traditional Approach Limitations:

  • Periodic manual audits (quarterly or annually) only provide point-in-time compliance

  • Vulnerabilities may exist in production for weeks before discovery

  • No automated remediation, only manual processes

  • Regional inconsistencies discovered during audits, not proactively

What Continuous Compliance Provides:

  • Real-time monitoring of deployed applications for policy violations

  • Automatic vulnerability scanning of all container images in production

  • Drift detection when configuration changes bypass GitOps workflows

  • Centralized compliance dashboards showing posture across all regions

Show

What I say:

"Passing security scans during deployment is just the beginning. HealthTech needs continuous monitoring to detect newly discovered vulnerabilities and policy violations in production. Let me show you how OpenShift provides ongoing compliance visibility."

What I do:

  1. Demonstrate Red Hat Quay integration (if available)

    • Navigate to Red Hat Quay registry (or explain the integration)

    • Show container image repository for patient-portal

    • Highlight the security scanning features:

    • Continuous vulnerability scanning

    • Automatic rescanning when new CVEs are published

    • Severity-based notifications

    • Historical vulnerability tracking

  2. Show OpenShift Compliance Operator (if available)

    • Navigate to "Operators" → "Installed Operators"

    • Find "Compliance Operator" (if installed, or explain its purpose)

    • Explain: "The Compliance Operator runs continuous compliance scans against OpenShift clusters using industry-standard benchmarks like CIS, PCI-DSS, and HIPAA profiles."

  3. Demonstrate continuous monitoring workflow

    • Explain the continuous compliance process:

      1. Applications deployed via OpenShift Pipelines
2. Red Hat Quay continuously scans container images
3. Compliance Operator monitors cluster configuration
4. New CVE published → Quay detects vulnerable images
5. Automated notification to security team
6. Pipeline automatically rebuilds with patched base image
7. GitOps (ArgoCD) redeploys patched application
8. Complete remediation cycle: hours instead of weeks

  4. Show compliance dashboard (simulated)

    • Navigate to OpenShift web console → "Observe" → "Dashboards"

    • Show (or describe) a compliance dashboard with:

    • Number of compliant vs non-compliant workloads

    • Vulnerability severity distribution (critical, high, medium, low)

    • Policy violation alerts

    • Remediation status tracking

  5. Explain integration with SIEM systems

    • Describe the compliance data flow:

    • OpenShift Pipelines → Pipeline execution logs

    • Red Hat Quay → Image vulnerability reports

    • Compliance Operator → Cluster compliance scan results

    • All data forwarded to Splunk/ELK via log forwarding

    • Centralized compliance dashboard for HealthTech’s 11 regions

What they should notice:

  • ✓ Continuous monitoring detects vulnerabilities in production (not just during deployment)

  • ✓ Automated remediation workflows reduce vulnerability exposure time

  • ✓ Centralized visibility across all regional data centers

  • ✓ Proactive compliance instead of reactive auditing

  • Metric highlight: "HealthTech reduces vulnerability exposure time from 4-6 weeks (manual discovery and remediation) to 24-48 hours (automated detection and patching)."

Optional visual: Diagram showing continuous compliance loop (deploy → monitor → detect → remediate → redeploy)

If asked:

Q: "How do we prioritize vulnerability remediation across hundreds of applications?"

A: "Red Hat Advanced Cluster Security (ACS) and Quay provide risk-based prioritization:

  • Severity + Exploitability: Critical CVEs with known exploits get highest priority

  • Data Sensitivity: Applications handling PHI prioritized over internal tools

  • Network Exposure: Internet-facing applications prioritized over internal services

  • Compliance Impact: Vulnerabilities affecting HIPAA/SOC2 compliance prioritized

You can configure automated policies that trigger immediate pipeline rebuilds for critical vulnerabilities in high-priority applications."

Q: "What about compliance for the underlying OpenShift platform itself, not just our applications?"

A: "Red Hat OpenShift includes platform compliance features:

  • Compliance Operator: Scans OpenShift cluster configuration against CIS, PCI-DSS, HIPAA benchmarks

  • Automated Remediation: Many compliance failures can be auto-remediated

  • Red Hat Insights: Proactive vulnerability and configuration issue detection

  • Certified Operator Hub: Only deploy operators that meet Red Hat security standards

For healthcare, we also recommend FedRAMP or FIPS-validated OpenShift configurations."

Summary

In this module, you demonstrated how OpenShift Pipelines integrates security and compliance automation, transforming HealthTech’s manual audit-heavy process into proactive, continuous compliance:

What You Demonstrated:

  • Automated security scanning integrated directly into CI/CD pipelines

  • Policy enforcement that blocks vulnerable images before production deployment

  • Automated audit trail generation for HIPAA and SOC2 compliance

  • Approval gates for production deployments with full audit logging

  • Continuous compliance monitoring for deployed applications

Business Value Delivered:

  • 90% reduction in production vulnerabilities: Shift-left security catches issues during build

  • 89% less audit preparation time: 18 person-weeks → 2 person-weeks annually

  • 24-48 hour vulnerability remediation: vs 4-6 weeks manual process

  • Zero compliance delays: Automated evidence generation eliminates bottlenecks

  • Consistent multi-region compliance: Same policies enforced across all 11 data centers

Key "Wow Moments" Recap:

  • Security scan completes in 2 minutes (vs 4-6 days manual security team review)

  • Pipeline automatically blocks deployment if vulnerabilities detected (policy as code)

  • Complete audit trail generated automatically (who, what, when, why, outcome)

  • Approval gates enforce governance without slowing development velocity

Next Steps:

In Module 3, you’ll show how HealthTech uses OpenShift Pipelines to promote applications across dev → staging → production environments with approval gates, enabling safe multi-region deployments and production confidence.