Case Study · CS/03 · AI SaaS · HIPAA

HIPAA CI/CD overhaul for an AI SaaS vendor.

A returning client. Third engagement after the FedRAMP boundary build and the Kubernetes migration. This time the HIPAA-side CI/CD pipeline was the long pole: legacy build chain, unsigned artifact promotion, manual security scanning, and an audit trail that did not survive its own deploys. We rebuilt the pipeline with signed promotion, OPA admission control on EKS, and audit-grade evidence emission. The team got faster and more compliant in the same engagement.

Client Profile: AI SaaS vendor · HIPAA workloads on EKS
Framework: HIPAA Security Rule · SOC 2 Type II
Stack: GitHub Actions · EKS · Cosign · OPA Gatekeeper · KMS
Engagement: Fixed-fee pipeline overhaul · 3rd engagement, same client
01 — Context

The boundary was solid. The pipeline shipping into it was not.

The client is the same AI SaaS vendor from the earlier FedRAMP Moderate boundary engagement. After the FedRAMP authorization architecture shipped and the Kubernetes migration brought the production workload onto EKS, the team turned its attention to a problem they had been deferring: the HIPAA-side CI/CD pipeline still ran on patterns inherited from before either of the previous engagements.

The pipeline produced container images, ran tests, and pushed to ECR. It did not sign artifacts. It did not enforce policy at admission time on the EKS cluster. Security scans ran, but findings were posted to a Slack channel that engineers had quietly muted. The audit trail consisted of GitHub Actions logs that aged out under the default 90-day retention, an interval shorter than the audit cycle they had to defend.

The team understood the gaps. They had passed audits previously because the FedRAMP environment was strict enough that the HIPAA-side pipeline did not produce failures the auditor could easily surface. But the boundary review had flagged the pipeline as a known risk, and the next HITRUST i1 cycle was on the calendar. The engagement scope was clear: rebuild the pipeline so the HIPAA controls are enforced structurally, not by human discipline, and produce evidence that survives the audit window.

02 — Approach

Signed promotion first. Admission control second. Evidence emission everywhere.

Three architectural commitments shaped the rebuild. First, every artifact reaching production must carry a cryptographic provenance chain from source commit through admission. Second, the cluster itself must reject any workload that fails policy, with the rejection logged as evidence. Third, every gate decision, scan result, and admission verdict must emit to a write-once evidence store that outlives the deploy that produced it.

GitHub Actions Workflow (HIPAA build)

  [Lint + Test] -> [Build & SBOM (Syft)] -> [Security Scan (Trivy + Semgrep)] -> [Sign (Cosign) + Attest] -> [Push to ECR]
        |                  |                            |                              |                    |
        +------------------+----------------------------+------------------------------+--------------------+
                                                        |
                                   Evidence: each step emits to S3 (Object Lock, 7 yr)
                                                        |
                                                        v
                                      EKS Cluster (HIPAA workloads)
                                        OPA Gatekeeper Admission
                                          - Verify Cosign signature
                                          - Check SBOM presence
                                          - Reject unsigned images
                                          - Log admission verdict
                                        Pod -> Service -> Production
                                                        |
                                                        v
                        All decisions -> Evidence stream (Athena queryable, retention-locked)
Pipeline → Signing → Admission → Evidence emission topology
  • Cosign Signing With KMS-Backed Keys: Container images are signed in the pipeline using Cosign, with signing keys held in AWS KMS inside the FedRAMP boundary established in the prior engagement. Same key topology, same identity federation, same audit chain. The HIPAA pipeline inherits the FedRAMP infrastructure rather than running parallel to it, and because the private key never leaves KMS, every signing operation is a KMS API call that CloudTrail records.
  • SLSA Level 3 Provenance Attestation: Every image carries a provenance attestation generated during the build, signed alongside the image, and verifiable by any downstream consumer. The attestation records the source commit, the builder identity, the build inputs, and the policy decisions made during the build. SLSA Build Level 3 was the target; on GitHub Actions that level depends on the provenance being produced by a trusted workflow separate from the job running the user-defined build steps, so those steps cannot forge it. Level 4 exists only in the SLSA v0.1 draft (two-person review plus hermetic, reproducible builds); the current v1.0 specification stops at Build L3. The architecture would support those additional requirements with minor changes if needed.
  • OPA Gatekeeper Admission Policy: The EKS cluster runs OPA Gatekeeper with admission policies that reject any pod whose image does not have a valid Cosign signature traceable to the pipeline signing key. Unsigned images cannot reach production by accident; the cluster refuses them at admission time and the refusal is logged as evidence. Gatekeeper cannot verify a signature in Rego on its own: the check goes through its external data interface to a signature verifier, and the constraint should deny both when the verifier reports a bad signature and when the verifier cannot be reached, so an outage fails closed rather than open.
  • Security Scanning as Pipeline Gates: Trivy and Semgrep scans run as required pipeline stages with explicit pass/fail thresholds. Findings above threshold fail the build. Below-threshold findings are emitted to the evidence stream with deduplication, so engineers see actionable items, not noise. The muted Slack channel is no longer the disposition path for findings.
  • SBOM Generation With Syft: Every build produces a software bill of materials in SPDX format, signed alongside the image. The SBOM is queryable from the evidence stream, which means questions like "where is log4j 2.14 still running" are answered with a query, not an inventory project.
  • Evidence Emission at Every Step: Each pipeline stage emits structured JSON to a centralized evidence bucket with Object Lock retention configured for 7 years. The bucket inherits the boundary controls from the FedRAMP work. Auditors get query access via Athena; engineers cannot alter the evidence after emission.
  • GitHub Actions Reusable Workflows: The HIPAA pipeline-as-code is published as a reusable workflow that other repos in the org call. The workflow definition is the compliance contract: every change to it goes through code review, and changes to the controls it enforces go through security review as well. The pattern compounds across new services that join the platform.
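The pipeline the bullets above describe, written out as a reusable GitHub Actions workflow. This is an added example, not the client's workflow: the repository path, the `image_name` input, the `make lint test` targets, the AWS account, role, region, KMS alias and evidence bucket name are all assumptions. The SLSA provenance job is omitted; on GitHub Actions it is a separate call to the slsa-github-generator container workflow, and its registry credential wiring is specific to the registry in use.

```yaml
# Reusable workflow, called from service repos as
#   uses: org/platform/.github/workflows/hipaa-pipeline.yml@v1   (repo path and tag are assumed)
name: hipaa-pipeline
on:
  workflow_call:
    inputs:
      image_name:
        description: ECR repository name for the service image (assumed input)
        required: true
        type: string
    outputs:
      digest:
        description: Digest of the signed image; deploy manifests pin this, never a tag
        value: ${{ jobs.build.outputs.digest }}
permissions:
  contents: read
  id-token: write   # GitHub OIDC token used to assume the AWS role; no static AWS keys anywhere
env:
  AWS_REGION: us-east-1                                    # assumed
  AWS_ROLE: arn:aws:iam::123456789012:role/hipaa-pipeline  # assumed; its trust policy names the GitHub OIDC provider
  SIGNING_KEY: awskms:///alias/hipaa-pipeline-signing      # assumed KMS alias; the private key never leaves KMS
  EVIDENCE_BUCKET: hipaa-evidence-locked                   # assumed bucket with an Object Lock default retention
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
      - name: Assume the pipeline role via OIDC (done first so evidence can still be emitted if a gate fails)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Log in to ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Lint and unit tests
        run: make lint test   # assumed Makefile targets
      - name: Static analysis gate (Semgrep); --error turns findings into a failed job
        run: |
          python3 -m pip install --quiet semgrep
          semgrep scan --config p/default --error --json --output semgrep.json .
      - name: Build and push by digest (admission admits only signed digests, so an unsigned push is inert)
        id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.ecr.outputs.registry }}/${{ inputs.image_name }}:${{ github.sha }}

      - name: SBOM with Syft (SPDX JSON)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ steps.ecr.outputs.registry }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json

      - name: Vulnerability gate (Trivy); CRITICAL/HIGH findings with a fix available fail the build
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.ecr.outputs.registry }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}
          format: json
          output: trivy.json
          exit-code: '1'
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      - uses: sigstore/cosign-installer@v3

      - name: Sign the digest with the KMS key and attach the SBOM as a signed attestation
        env:
          IMAGE: ${{ steps.ecr.outputs.registry }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}
        run: |
          # --tlog-upload=false keeps entries off the public Rekor log; verifiers then pass --insecure-ignore-tlog
          cosign sign --yes --tlog-upload=false --key "$SIGNING_KEY" "$IMAGE"
          cosign attest --yes --tlog-upload=false --key "$SIGNING_KEY" --type spdxjson --predicate sbom.spdx.json "$IMAGE"

      - name: Emit structured evidence for this run (always, including runs where a gate failed)
        if: always()
        env:
          IMAGE: ${{ steps.ecr.outputs.registry }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}
        run: |
          # A gate that failed early leaves no report file; record null rather than lose the run's evidence
          for f in semgrep.json trivy.json; do [ -s "$f" ] || echo null > "$f"; done
          jq -n --arg run "$GITHUB_RUN_ID" --arg repo "$GITHUB_REPOSITORY" --arg sha "$GITHUB_SHA" \
             --arg actor "$GITHUB_ACTOR" --arg image "$IMAGE" --arg status "${{ job.status }}" \
             --slurpfile semgrep semgrep.json --slurpfile trivy trivy.json \
             '{run_id: $run, repo: $repo, commit: $sha, actor: $actor, image: $image, job_status: $status,
               semgrep: $semgrep[0], trivy: $trivy[0], emitted_at: (now | todate)}' > evidence.json
          # The bucket's Object Lock default retention makes this write-once; the role has s3:PutObject only
          aws s3 cp evidence.json "s3://$EVIDENCE_BUCKET/pipeline/$GITHUB_REPOSITORY/$GITHUB_RUN_ID.json"
```

The caller grants only `id-token: write` and `contents: read`; there are no static secrets to pass. The deploy side checks an image with `cosign verify --key awskms:///alias/hipaa-pipeline-signing --insecure-ignore-tlog <image@digest>`, the same key reference the cluster-side verifier is configured with. With a COMPLIANCE-mode default retention on the evidence bucket, no principal, including the account root, can shorten or remove the retention once an object is written.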
03 — What We Built

Five engineering primitives, one inherited boundary.

Because the FedRAMP boundary and the Kubernetes platform had already shipped from earlier engagements, this work inherited their identity, KMS topology, logging architecture, and network segmentation. The HIPAA CI/CD overhaul slotted into that infrastructure rather than introducing parallel patterns.

Reusable GitHub Actions workflow

HIPAA-pipeline-as-code published as a versioned reusable workflow. Other repos call it by reference rather than duplicating it. The workflow definition is the compliance contract: it runs the security gates, signs artifacts, enforces SBOM generation, and emits evidence. Changes to the workflow require a security review path. New services adopting the platform inherit the controls by calling the workflow.

Cosign signing infrastructure

Container image signing using Cosign with keys held in AWS KMS inside the FedRAMP boundary. The pipeline's signing identity is federated from the existing IdP via OIDC, so the runner assumes a short-lived role and no long-lived signing credentials exist anywhere in the pipeline. A SLSA Level 3 provenance attestation is signed with the same key and attached to the image alongside its signature.

OPA Gatekeeper admission policies

Admission policies deployed across EKS clusters reject any image without a valid Cosign signature. Reject events are logged with full context (image reference, the signature check that failed, the policy that rejected it, timestamp, requesting user and namespace) to the centralized evidence stream. Engineers cannot bypass the admission control, because the cluster refuses to schedule workloads that fail policy. The one thing that must stay outside day-to-day engineering reach is the constraint itself: RBAC on the Gatekeeper constraint objects is what stops a deny from being flipped to dryrun.
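The admission policy, as an added example and not the client's Gatekeeper configuration. It assumes an external data Provider resource named `ratify-provider` (Gatekeeper's Rego cannot verify a Cosign signature itself; it delegates through the external data interface, and Ratify is one provider that speaks that protocol and verifies Cosign signatures against a configured key), an ECR registry host, and a `compliance: hipaa` namespace label.

```yaml
# Gatekeeper policy: a Pod is admitted only if every image comes from the pipeline's registry,
# is pinned by digest, and passes signature verification by the external data provider.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: hipaasignedimage          # must be the lower-cased kind declared below
spec:
  crd:
    spec:
      names:
        kind: HipaaSignedImage
      validation:
        openAPIV3Schema:
          type: object
          properties:
            registry: { type: string }   # ECR host the pipeline pushes to
            provider: { type: string }   # name of the registered external data Provider
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package hipaasignedimage

        # Every image in the Pod, including init and ephemeral containers, so nothing rides in on a sidecar.
        images[img] { img := input.review.object.spec.containers[_].image }
        images[img] { img := input.review.object.spec.initContainers[_].image }
        images[img] { img := input.review.object.spec.ephemeralContainers[_].image }

        violation[{"msg": msg}] {
          img := images[_]
          not startswith(img, concat("", [input.parameters.registry, "/"]))
          msg := sprintf("image %v is not from the approved registry %v", [img, input.parameters.registry])
        }

        violation[{"msg": msg}] {
          img := images[_]
          not contains(img, "@sha256:")
          msg := sprintf("image %v must be referenced by digest; a tag can be re-pointed after signing", [img])
        }

        # Gatekeeper cannot verify a signature in Rego. external_data sends the image references to the
        # provider named in parameters.provider (assumed here to be a Cosign-capable verifier such as Ratify).
        # The request is only made when the Pod actually has images; an empty key list is not sent.
        verifier_response := external_data({"provider": input.parameters.provider, "keys": [img | img := images[_]]}) {
          count(images) > 0
        }

        # Any per-image error from the verifier is a denial.
        violation[{"msg": msg}] {
          count(verifier_response.errors) > 0
          msg := sprintf("signature verification failed: %v", [verifier_response.errors])
        }

        # A transport or provider error is also a denial, so a verifier outage fails closed.
        violation[{"msg": msg}] {
          count(verifier_response.system_error) > 0
          msg := sprintf("signature verifier unreachable, denying admission: %v", [verifier_response.system_error])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: HipaaSignedImage
metadata:
  name: hipaa-workloads-must-be-signed
spec:
  enforcementAction: deny             # reject at admission; run Gatekeeper with --log-denies so each rejection is logged
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchLabels:
        compliance: hipaa             # assumed namespace label
  parameters:
    registry: 123456789012.dkr.ecr.us-east-1.amazonaws.com   # assumed
    provider: ratify-provider                                  # assumed Provider name
```

Roll the constraint out with `enforcementAction: dryrun` first and read the violations Gatekeeper's audit writes into the constraint's status, then switch to `deny`. Denying on `system_error` is the fail-closed choice: if the verifier is down, nothing is scheduled, which is the behaviour the audit trail needs to show.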

Centralized evidence pipeline

Same evidence bucket established during the FedRAMP engagement, now extended with HIPAA-specific evidence streams: signed artifact emissions, admission control decisions, security scan results, SBOM publications. Athena query layer with pre-built queries for common audit questions. The Splunk SIEM connection inherited from the FedRAMP work continues to consume the evidence stream through the same cross-account read role, so no new logging infrastructure was introduced.

Audit query interface

Pre-built Athena queries answering the questions HITRUST i1 assessors and HIPAA auditors most commonly ask: which images reached production with valid signatures over a date range, which deployments included new dependencies, which admission events were rejected, which SBOMs contain a specific vulnerable component. The questions resolve in seconds against a queryable evidence stream rather than requiring engineering reconstruction work.

"Hired Lucas to overhaul our CI/CD pipelines in a HIPAA environment and he absolutely delivered. He rebuilt our pipelines with proper artifact promotion, added security scanning, and tightened up our deployment process so we're now both faster and more compliant. His background in healthcare infrastructure showed; he understood the constraints from day one and didn't need lengthy explanations about what we could and couldn't do with PHI. Deployment time dropped significantly and the audit trail is now clean. Highly recommend for anyone doing serious work in regulated industries."
Ryan S. · CTO @ AI SaaS · Verified Review · HIPAA CI/CD Overhaul · Third engagement
04 — Results

The audit trail survived its own deploys. HITRUST i1 cycle started clean.

Outcomes

Signed artifact promotion model in place. Admission control rejecting unsigned images. Audit trail survives the deploy that produced it.
100%: Production images signed with verifiable provenance
7 yr: Evidence retention, write-once under S3 Object Lock
0: Findings on the post-rebuild HITRUST i1 readiness review for pipeline-related controls

The pipeline rebuild closed every gap flagged during the prior FedRAMP boundary review related to CI/CD architecture. HITRUST i1 readiness review for the pipeline-affected control families came back clean. The client's engineering team operates the pipeline directly; Stonebridge remains available on a Managed Compliance Retainer for HIPAA Security Rule 2026 update work.

The team has since adopted the reusable workflow pattern across additional repos joining the platform, which means each new service inherits the controls by calling the workflow rather than rebuilding them. The pattern compounds rather than ages.

05 — What Made It Work

Three decisions that compounded over a multi-engagement relationship.

Inheriting the boundary from prior work

The HIPAA pipeline did not introduce parallel infrastructure. The signing keys live in the KMS topology established during the FedRAMP engagement. The evidence bucket is the same one the boundary review created. The identity federation is the same federation path. Multi-engagement client relationships compound when each new engagement extends the prior architecture rather than running alongside it.

Admission control as the enforcement layer

The pipeline can sign artifacts, but signing is only as strong as the verification at the consumption point. OPA Gatekeeper at admission time is what makes the signing meaningful: the cluster refuses to schedule unsigned images, and the refusal is logged. Engineers cannot bypass the control by writing a different pipeline because the cluster refuses what the pipeline does not produce.

Reusable workflow as the compliance contract

Publishing the HIPAA pipeline as a reusable GitHub Actions workflow turns it from a per-repo template into an organization-level compliance artifact. New services inherit the controls by calling the workflow. Workflow changes flow through code review. The pattern compounds with each new service rather than fragmenting across repos. The compliance contract becomes a property of the platform, not a discipline the engineering team has to remember to apply.

Pipeline shipping into HIPAA? Multi-engagement relationships available.

Most discovery calls take 30 minutes. We come back with a written proposal within 48 hours. If HIPAA CI/CD is the work, we can scope from your current pipeline or build forward from your audit timeline.

Direct Contact

Skip the form.

If you would rather email or call directly, the founder picks up.

Location: Sacramento, CA