HIPAA-aligned multi-stage CI/CD pipeline for a healthcare SaaS.
How we replaced a monolithic GitLab pipeline with a parent/child architecture, layered Ansible-driven HIPAA control validation across 32+ hosts, and built audit-ready evidence emission into every deploy stage. Deployment time dropped 70%. The next audit cycle stopped being a reconstruction project.
Every release was a manual evidence collection exercise. The pipeline was the bottleneck.
The client is a healthcare SaaS company running production workloads across a fleet of Linux hosts on AWS. The engineering team had grown faster than the pipeline architecture had evolved. What started as a single-stage GitLab job for a small team had been extended, patched, and worked around as the team scaled past the patterns the original pipeline was built for.
The result was familiar. Each deploy took 30 to 45 minutes of mostly-serial execution. Engineers had developed informal habits to work around the slowness, including pushing partial changes outside the pipeline when the timeline got tight. Audit windows were preceded by three-week sprints in which the engineering team manually compiled deployment logs, screenshots of access reviews, and approval chains into PDFs that described what the pipeline was supposed to be doing.
The work was technically passing HIPAA audits, but the audit was a snapshot of a system the auditor could not independently verify. The cost was paid in two places: the velocity loss every engineer absorbed on every deploy, and the three-week scramble before each assessment. The internal team knew the architecture was wrong. They needed engineering hands to redesign it without slowing the product roadmap that the audits were eating into.
Parent/child first. Evidence emission second. Ansible control plane third.
The architectural redesign moved in three layers. The first was decomposing the monolithic pipeline into parent/child stages so that work could parallelize and so the audit boundary of each stage was provable. The second was building structured evidence emission into every stage as a property of how it ran, not as an after-the-fact compilation task. The third was layering an Ansible control plane across the host fleet so that HIPAA control state could be continuously validated, not reviewed quarterly.
- Parent/Child Pipeline Decomposition: The monolithic .gitlab-ci.yml was decomposed into a parent pipeline orchestrating four child pipelines: Validate, Build, Security, and Deploy. Each child has explicit inputs, outputs, and audit boundaries. The parent runs in under 60 seconds. Children execute in parallel where dependencies allow, serially where the audit chain requires it.
- Evidence Emission as a Pipeline Property: Every stage emits structured evidence (JSON) to a centralized evidence bucket with S3 Object Lock retention configured for 7 years. Each emission is signed and includes the commit SHA, the runner identity, the policy decisions made during that stage, and the artifacts produced. Auditors query evidence directly via Athena instead of receiving PDFs.
- Ansible-Driven HIPAA Control Validation: Thirty-two-plus production hosts were brought under a single Ansible control plane. Roles encode HIPAA Security Rule technical safeguards: encryption-at-rest verification, audit log shipping to the centralized SIEM, MFA enforcement on privileged accounts, patch level validation, and TLS configuration checks. The control plane runs daily, not quarterly.
- Signed Artifact Promotion: Container images are built once in the Build stage, signed with the pipeline's signing key, and promoted across environments via signature verification. The same artifact that passes the security gate is the artifact that reaches production. The audit chain is cryptographic, not procedural.
- Policy Gates at Plan Time: OPA policies evaluated during the Validate stage reject non-HIPAA-aligned configurations before any infrastructure is touched. Non-encrypted volumes, public IP allocations to PHI-handling subnets, and untagged resources all fail at plan time with structured error output captured as evidence.
- Drift as a Build Failure: Daily Ansible runs that detect configuration drift emit drift evidence to the same bucket the pipelines write to. Drift events trigger pipeline failures the next time the affected service deploys. Configuration drift is treated as a build failure, not a notification engineers learn to ignore.
- SIEM Integration, Read-Only: The centralized evidence bucket is the source of truth. The SIEM (Splunk) integrates read-only via cross-account IAM. Engineers cannot alter evidence after emission. The evidence stream survives the audit because there is no point at which a human could have tampered with it.
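To make the plan-time policy gate concrete, here is an added example (not the engagement's code; the engagement used OPA policies, and this is a Python stand-in for the same three rules) that evaluates a constructed plan of resources and produces the structured allow/deny output a Validate stage would capture as evidence. The PHI subnet names, the required tag set, and the plan structure are all assumptions made for the example.

```python
"""Plan-time policy gate: reject non-HIPAA-aligned resources before apply.

Added example. The case study evaluates OPA policies in the Validate stage;
this is a Python stand-in with the same three rules (unencrypted volumes,
public IPs in PHI subnets, untagged resources). The plan format below is a
constructed simplification, not a real Terraform plan.
"""
import json

PHI_SUBNETS = {"subnet-phi-a", "subnet-phi-b"}   # assumption: subnets that carry PHI
REQUIRED_TAGS = {"Owner", "DataClassification"}  # assumption: tags every resource must carry

# Constructed sample plan: the resources a Validate stage would see before apply.
SAMPLE_PLAN = [
    {"type": "aws_ebs_volume", "name": "db-data", "encrypted": False,
     "tags": {"Owner": "platform", "DataClassification": "PHI"}},
    {"type": "aws_instance", "name": "api-1", "subnet_id": "subnet-phi-a",
     "associate_public_ip_address": True,
     "tags": {"Owner": "platform", "DataClassification": "PHI"}},
    {"type": "aws_s3_bucket", "name": "logs", "tags": {}},
    {"type": "aws_ebs_volume", "name": "cache", "encrypted": True,
     "tags": {"Owner": "platform", "DataClassification": "internal"}},
]


# Each rule mirrors an OPA "deny" rule: it returns a reason string on violation, else None.
def deny_unencrypted_volume(resource):
    if resource["type"] == "aws_ebs_volume" and not resource.get("encrypted", False):
        return "volume is not encrypted at rest"


def deny_public_ip_in_phi_subnet(resource):
    if (resource["type"] == "aws_instance"
            and resource.get("associate_public_ip_address")
            and resource.get("subnet_id") in PHI_SUBNETS):
        return f"public IP allocated in PHI subnet {resource['subnet_id']}"


def deny_untagged(resource):
    missing = sorted(REQUIRED_TAGS - set(resource.get("tags", {})))
    if missing:
        return "missing required tags: " + ", ".join(missing)


RULES = [deny_unencrypted_volume, deny_public_ip_in_phi_subnet, deny_untagged]


def evaluate(plan):
    """Return one structured denial per (resource, rule) violation plus a top-level
    allow flag. This dict is what the stage would emit as evidence."""
    denials = []
    for resource in plan:
        for rule in RULES:
            reason = rule(resource)
            if reason:
                denials.append({"resource": f"{resource['type']}.{resource['name']}",
                                "rule": rule.__name__, "reason": reason})
    return {"allow": not denials, "denials": denials}


def gate(plan):
    """Pipeline-style result: 0 on pass, 1 on fail, with the decision printed as JSON
    so the job log carries the structured output rather than free text."""
    decision = evaluate(plan)
    print(json.dumps(decision, indent=2))
    return 0 if decision["allow"] else 1


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

Running the block fails the sample plan with three denials (the unencrypted volume, the public IP in a PHI subnet, and the untagged bucket) while the fully compliant cache volume passes; the JSON it prints is the shape of output worth capturing as evidence, since it names the resource, the rule, and the reason for every rejection.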
Five pipeline artifacts, one operating model.
The engagement delivered the engineering primitives the client team needed to keep operating the pipeline after handoff. Every artifact ships with documentation written for the engineer who would inherit it, not the auditor who would review it.
Multi-stage GitLab pipeline
Parent pipeline orchestrating four child pipelines, each with explicit inputs, outputs, and audit boundaries. Total pipeline execution dropped from 30 to 45 minutes to under 10 minutes for typical deploys. Children execute in parallel where the dependency graph allows, serially where the audit chain requires explicit progression. Failure isolation is per-stage rather than per-pipeline.
Ansible control role library
Roles covering HIPAA Security Rule technical safeguards across the 32+ production hosts: encryption-at-rest verification, audit log shipping, MFA enforcement, patch level validation, TLS configuration, and centralized authentication. Each role ships with a control narrative mapping the Ansible tasks to the specific §164.312 controls they satisfy. The control plane runs daily and emits drift evidence on every divergence.
Centralized evidence pipeline
S3 evidence bucket with Object Lock retention configured for 7 years. Structured JSON emissions from every pipeline stage, every Ansible run, and every policy decision. Athena query interface for ad-hoc audit queries. SIEM integration read-only via cross-account IAM. The evidence stream is the source of truth for compliance posture.
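The evidence record described above (signed, carrying the commit SHA, runner identity, policy decisions, and artifacts) and the "drift as a build failure" rule from the architecture list can be shown together. The following is an added example, not the engagement's code: an HMAC-SHA256 keyed with an in-memory key stands in for the KMS-held signing key, and a Python list stands in for the Object Lock bucket and the Athena query layer. The host names, control labels, and timestamps in the sample evidence are constructed.

```python
"""Evidence emission, tamper detection, and the drift-to-build-failure gate.

Added example. HMAC-SHA256 with a constructed key stands in for the pipeline's
KMS-backed signature; an in-memory list stands in for the evidence bucket.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

SIGNING_KEY = b"constructed-demo-key"  # assumption: stand-in for the KMS-held pipeline key


def canonical(body: dict) -> bytes:
    """Stable serialization: the signature must not depend on key order or whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def emit(stage, commit_sha, runner_id, policy_decisions, artifacts, emitted_at=None):
    """Build one evidence record for a stage run and sign it at emission time."""
    body = {
        "stage": stage,
        "commit_sha": commit_sha,
        "runner": runner_id,
        "policy_decisions": policy_decisions,
        "artifacts": artifacts,
        "emitted_at": emitted_at or datetime.now(timezone.utc).isoformat(),
    }
    signature = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify(record) -> bool:
    """Recompute the MAC over the body; any edit after emission fails this check."""
    expected = hmac.new(SIGNING_KEY, canonical(record["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def latest_control_state(evidence):
    """Latest drift list per host from control-validation records; later emissions win.
    A record that fails verification aborts the query: an unverifiable record is not evidence."""
    state = {}
    for record in sorted(evidence, key=lambda r: r["body"]["emitted_at"]):
        if not verify(record):
            raise ValueError(f"evidence record failed verification: {record['body']['stage']}")
        body = record["body"]
        if body["stage"] == "control-validation":
            state[body["policy_decisions"]["host"]] = body["policy_decisions"]["drift"]
    return state


def deploy_gate(evidence, service, service_hosts):
    """Drift as a build failure: block a deploy while any host of the service has open drift."""
    state = latest_control_state(evidence)
    drifted = {host: state[host] for host in service_hosts if state.get(host)}
    return {"allow": not drifted, "service": service, "drift": drifted}


# Constructed sample evidence stream: daily control-validation emissions from Ansible.
# host-a drifts on day one and is remediated on day two; host-b stays out of state.
SAMPLE_EVIDENCE = [
    emit("control-validation", "n/a", "ansible-controller-1",
         {"host": "host-a", "drift": ["164.312(e)(1): TLS 1.0 enabled on nginx"]},
         [], "2025-03-01T02:00:00+00:00"),
    emit("control-validation", "n/a", "ansible-controller-1",
         {"host": "host-b", "drift": ["164.312(b): audit log shipping stopped"]},
         [], "2025-03-01T02:00:00+00:00"),
    emit("control-validation", "n/a", "ansible-controller-1",
         {"host": "host-a", "drift": []},
         [], "2025-03-02T02:00:00+00:00"),
]

if __name__ == "__main__":
    print(json.dumps(deploy_gate(SAMPLE_EVIDENCE, "api", ["host-a", "host-b"]), indent=2))
    print(json.dumps(deploy_gate(SAMPLE_EVIDENCE, "batch", ["host-a"]), indent=2))
```

Two properties carry the weight here. Canonical serialization is what makes the signature reproducible, so a verifier does not need the original byte stream; and the gate refuses to reason over a record it cannot verify, which is the in-code form of "engineers cannot alter evidence after emission". In the sample, a deploy of the service that includes host-b is blocked by its unresolved drift, while a service that only touches the remediated host-a proceeds.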
Signed artifact promotion model
Container images built once, signed with a pipeline signing key managed in AWS KMS, and promoted across environments via signature verification. Notary v2 and Cosign provide the signing layer. The same artifact that passes security gates is the artifact that reaches production, with cryptographic proof of the chain. Image admission controllers reject any image without a valid signature.
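The promotion model can be shown as a small state machine: build once, sign the digest, record the security gate's decision against that digest, and have every promotion verify before it copies. This is an added example, not the engagement's Cosign or Notary configuration; an HMAC-SHA256 with a constructed key stands in for the KMS-backed Cosign key, and an in-memory class stands in for the registry. Image bytes, tag and environment names are constructed.

```python
"""Signed artifact promotion: built once, signed once, verified at every hop.

Added example. HMAC-SHA256 with a constructed key stands in for the KMS-held
Cosign key, and an in-memory Registry stands in for the container registry.
"""
import hashlib
import hmac

BUILD_SIGNING_KEY = b"constructed-build-key"  # assumption: stand-in for the KMS-held key


def image_digest(image_bytes: bytes) -> str:
    """Content-addressed identity of the image; promotion moves digests, never tags alone."""
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def sign_digest(digest: str) -> str:
    return hmac.new(BUILD_SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


def signature_valid(digest: str, signature: str) -> bool:
    return hmac.compare_digest(sign_digest(digest), signature)


class Registry:
    """Constructed in-memory stand-in for the container registry."""

    def __init__(self):
        self.images = {}         # (environment, tag) -> digest
        self.signatures = {}     # digest -> signature attached at build time
        self.gate_passed = set()  # digests the Security stage approved


def build_stage(registry, image_bytes, tag):
    """Build once: push to the build environment and sign the digest there."""
    digest = image_digest(image_bytes)
    registry.images[("build", tag)] = digest
    registry.signatures[digest] = sign_digest(digest)
    return digest


def security_stage(registry, digest, scan_clean):
    """Record the gate decision against the digest, not the tag."""
    if scan_clean:
        registry.gate_passed.add(digest)
    return scan_clean


def promote(registry, tag, src_env, dst_env):
    """Promotion is verify-then-copy: no rebuild, no re-signing in later stages."""
    digest = registry.images.get((src_env, tag))
    if digest is None:
        return {"ok": False, "reason": f"{tag} not present in {src_env}"}
    signature = registry.signatures.get(digest)
    if signature is None or not signature_valid(digest, signature):
        return {"ok": False, "reason": "missing or invalid build signature"}
    if digest not in registry.gate_passed:
        return {"ok": False, "reason": "digest did not pass the security gate"}
    registry.images[(dst_env, tag)] = digest
    return {"ok": True, "digest": digest, "environment": dst_env}


def admission_check(registry, env, tag):
    """What the admission controller asks before running an image in env."""
    digest = registry.images.get((env, tag))
    signature = registry.signatures.get(digest)
    return digest is not None and signature is not None and signature_valid(digest, signature)


if __name__ == "__main__":
    reg = Registry()
    digest = build_stage(reg, b"constructed image layers v1", "api:1.4.0")
    security_stage(reg, digest, scan_clean=True)
    for src, dst in [("build", "staging"), ("staging", "production")]:
        print(promote(reg, "api:1.4.0", src, dst))
```

The point the code makes is that the gate decision is keyed by digest. A rebuilt image under the same tag gets a new digest with no gate approval and cannot be promoted, and a signature altered in the registry after build fails the admission check, which is how the chain stays cryptographic rather than procedural.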
Audit query interface
Athena-backed query layer over the evidence bucket. Pre-built queries answer the questions auditors ask: who deployed what to which environment, what policy decisions were made on each commit, which hosts were out of compliance on a given date. The questions that used to take three weeks to answer now resolve in under 30 seconds.
"The pipeline rebuild changed how we think about audits. Evidence is now a side effect of normal operations instead of something we manually assemble before each assessment. The next audit was the first one where we didn't have to schedule a dedicated three-week sprint."
Healthcare SaaS · Engineering Lead
Verified engagement · HIPAA pipeline rebuild
Velocity recovered. Audit became a query.
Outcomes
The first audit cycle after the rebuild required no dedicated reconstruction sprint. Auditors received query access to the evidence stream instead of a binder of screenshots. Engineering velocity recovered immediately: deployment frequency increased and the off-pipeline workarounds that the original architecture had encouraged stopped being necessary.
The Ansible control plane has continued running daily since handoff. Configuration drift events are now detected within 24 hours instead of at the next audit. The client engineering team operates the pipeline independently; Stonebridge remains available on a Managed Compliance Retainer for the HIPAA Security Rule 2026 update work.
Three decisions that compounded over the engagement.
Decomposing the pipeline before optimizing it
The fastest pipeline is the one that does less work. The parent/child decomposition was the structural change that made every subsequent optimization possible. Trying to speed up the monolithic pipeline would have produced a 20% improvement. Decomposing it produced 70%, with audit-boundary improvements as a side effect.
Evidence as a pipeline property, not a deliverable
Every stage emits evidence the moment it runs. The cost of emission is amortized into normal operation. The alternative, which the client had inherited, treats evidence as something engineers assemble at audit time. The cost there is paid in three-week sprints every audit cycle, every year, forever. The architectural choice was a one-time cost. The reconstruction model is a recurring tax.
Ansible as the control plane, not the deploy tool
Most teams use Ansible to deploy applications and then write separate tooling for compliance validation. The engagement used Ansible for both, with the same roles producing the same evidence stream regardless of whether they were running as part of a deploy or as part of the daily control validation. The same code that puts the system into the desired state is the code that verifies the system is in the desired state. There is no gap between the deploy tool and the audit tool.
Shipping into HIPAA? Most pipelines have these gaps.
Most discovery calls take 30 minutes. We come back with a written proposal within 48 hours. If HIPAA CI/CD is the work, we can scope from your current pipeline or build forward from your audit timeline.
If you would rather email or call directly, the founder picks up.