1 Source control & code management
  Repository structure
    GitHub Enterprise
    Monorepo (Nx workspace)
    Branch protection rules
    Signed commits (GPG)
    CODEOWNERS enforcement
  Branching strategy
    main (protected)
    develop (integration)
    feature/* (short-lived)
    release/* (tagged)
    hotfix/* (emergency)
  PR workflow
    Template enforcement
    2 reviewer minimum
    Auto-assign (round robin)
    Conventional commits
    Linked issue required
  Code review
    AI review (Copilot)
    Security team review
    Compliance team review
    Architecture review
    Approval matrix (tier)
  Secrets management
    Vault (HashiCorp)
    Secret scanning (pre-push)
    Rotation policy (90d)
    Env-specific vaults
    Audit log (access)
2 Automated testing & quality gates
  Unit testing
    Jest / Vitest (frontend)
    NestJS testing (backend)
    Coverage threshold: 80%
    Mutation testing
    Snapshot tests
    Avg coverage: 84%
  Integration testing
    API contract tests
    Database integration
    Third-party mocks
    Event bus testing
    E2E flows (Playwright)
  Performance testing
    Load tests (k6)
    Stress testing
    Latency benchmarks
    Memory leak detection
    Regression threshold
  Linting & formatting
    ESLint (strict)
    Prettier (enforced)
    TypeScript strict mode
    Import ordering
    Dead code detection
  Quality metrics
    SonarQube gate: Pass
    Complexity score
    Duplication < 3%
    Tech debt ratio
    Maintainability index
3 Security scanning & compliance checks
  SAST (static analysis)
    Semgrep rules (custom)
    CodeQL (GitHub)
    Injection detection
    Auth bypass patterns
    Crypto misuse check
  DAST (dynamic)
    OWASP ZAP scan
    API fuzzing
    XSS/SQLi probing
    Auth testing
    Rate limit validation
  Dependency scanning
    Snyk (CVE check)
    License compliance
    Outdated deps alert
    Supply chain (SBOM)
    Lock file integrity
  Container security
    Trivy image scan
    Base image policy
    Non-root enforcement
    Read-only filesystem
    Distroless preferred
  Regulatory compliance
    PCI-DSS controls
    SOC 2 evidence
    GDPR data handling
    FFIEC IT guidelines
    State MSB requirements
4 Build, containerization & artifact management
  Build process
    GitHub Actions (runner)
    Multi-stage Docker build
    Nx affected (incremental)
    Build cache (Turborepo)
    Parallel execution
  Container registry
    ECR (AWS)
    Image tagging (semver)
    Immutable tags
    Vulnerability scanning
    Retention policy (90d)
  Artifact signing
    Cosign (sigstore)
    SBOM generation
    Provenance attestation
    Image digest pinning
    Supply chain verification
  Infrastructure as code
    Terraform (AWS)
    Helm charts (K8s)
    Plan → Review → Apply
    State locking (S3)
    Drift detection
  Environment matrix
    dev (auto-deploy)
    staging (gate)
    uat (manual)
    prod-canary (10%)
    prod (full rollout)
5 Stage gate approvals & deployment
  Approval matrix
    Engineering lead
    Security officer
    Compliance officer
    Product owner
    On-call SRE
  Pre-deploy checks
    All tests green
    Security scan clean
    Compliance gate pass
    Performance baseline
    Rollback plan documented
  Deploy strategy
    Blue/green (primary)
    Canary (10% → 50% → 100%)
    Rolling update (K8s)
    Feature flags (LaunchDarkly)
    Database migrations (safe)
  Post-deploy validation
    Smoke tests (auto)
    Synthetic monitoring
    Error rate < 0.1%
    Latency p99 < 500ms
    Business metrics check
  Rollback & recovery
    Auto-rollback (error spike)
    Manual rollback (1-click)
    DB migration rollback
    Incident trigger (PagerDuty)
    Post-mortem template
6 Observability, audit & continuous compliance
  Monitoring
    Datadog APM
    Custom dashboards
    SLO tracking (99.9%)
    Error budgets
    Alerting (multi-channel)
  Logging
    Structured JSON logs
    Correlation IDs
    Log levels (dynamic)
    Retention: 90d (hot)
    Archive: 7yr (compliance)
  Tracing
    OpenTelemetry (OTLP)
    Distributed tracing
    Service map (auto)
    Trace sampling (10%)
    Critical path analysis
  Compliance audit trail
    Deploy audit log
    Change approval evidence
    Access log (SOC 2)
    Config change history
    Immutable (append-only)
  Continuous compliance
    Policy-as-code (OPA)
    Drift detection (daily)
    Evidence collection (auto)
    Auditor dashboards
    Certification readiness
    Last audit: SOC 2 Type II ✓