PecsSchemaCiCd *PECS profile schema for `ci-cd` environments* Below is a **second-layer PECS profile schema for `ci-cd` environments**. It specializes the generic PECS schema for systems where privileged execution is mediated primarily through: * CI/CD pipelines * runners and worker identities * build/deploy jobs * OIDC / workload identities * secret-scoped automation * gated deployment and infrastructure actions * pipeline-controlled invocation of privileged entry points in downstream environments You can store it as `pecs-cicd-profile.schema.json`. ```json { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://example.org/schemas/pecs-cicd-profile.schema.json", "title": "PECS CI/CD Profile Schema", "description": "Second-layer PECS profile schema for CI/CD environments where privileged execution is mediated through pipelines, runners, job identities, deployment actions, and automation trust boundaries.", "allOf": [ { "$ref": "https://example.org/schemas/pecs.schema.json" }, { "type": "object", "additionalProperties": false, "required": [ "schemaVersion", "documentType", "metadata", "system", "privilegedExecutionSurface" ], "properties": { "schemaVersion": { "const": "1.0.0" }, "documentType": { "enum": [ "pecs-model", "pecs-assessment", "pecs-authorization-artifact", "pecs-profile", "pecs-combined" ] }, "system": { "$ref": "#/$defs/cicdSystem" }, "privilegedExecutionSurface": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/cicdPrivilegedEntryPoint" } }, "authorizationArtifacts": { "type": "array", "items": { "$ref": "#/$defs/cicdAuthorizationArtifact" } }, "implementationMappings": { "type": "array", "items": { "$ref": "#/$defs/cicdImplementationMapping" } }, "evidence": { "type": "array", "items": { "$ref": "#/$defs/cicdEvidence" } } } } ], "$defs": { "nonEmptyString": { "type": "string", "minLength": 1 }, "identifier": { "type": "string", "pattern": "^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$" }, "hashValue": { "type": "string", 
"pattern": "^[A-Fa-f0-9]{64,128}$" }, "uriString": { "type": "string", "format": "uri" }, "cicdSystem": { "type": "object", "additionalProperties": false, "required": [ "name", "scope", "environmentTypes", "cicdProfile" ], "properties": { "name": { "$ref": "#/$defs/nonEmptyString" }, "description": { "type": "string" }, "scope": { "type": "string" }, "environmentTypes": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { "type": "string", "enum": [ "ci-cd", "os-sudo", "kubernetes-rbac", "cloud-iam", "container-runtime", "api-admin", "other" ] }, "contains": { "const": "ci-cd" } }, "criticality": { "type": "string", "enum": [ "low", "moderate", "high", "critical" ] }, "domainProfile": { "type": "object" }, "cicdProfile": { "$ref": "#/$defs/cicdProfile" } } }, "cicdProfile": { "type": "object", "additionalProperties": false, "required": [ "platformType", "runnerTrustModel", "identityModel", "promotionModel" ], "properties": { "platformType": { "type": "string", "enum": [ "github-actions", "gitlab-ci", "jenkins", "azure-devops", "buildkite", "tekton", "argo-workflows", "generic", "other" ] }, "runnerTrustModel": { "type": "string", "enum": [ "shared-runners", "dedicated-runners", "ephemeral-runners", "self-hosted-static", "mixed" ] }, "identityModel": { "type": "string", "enum": [ "static-secrets", "oidc-federated", "workload-identity", "mixed" ] }, "promotionModel": { "type": "string", "enum": [ "branch-driven", "artifact-promotion", "gitops-promotion", "manual-approval-gated", "mixed" ] }, "repositoryScope": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "environmentsInScope": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "requiredReviewersForPrivilegedChanges": { "type": "integer", "minimum": 0 }, "artifactSigningUsed": { "type": "boolean" }, "provenanceGenerated": { "type": "boolean" }, "policyEngines": { "type": "array", "items": { "type": "string", "enum": [ "none", "opa", 
"conftest", "slsa-verifier", "custom-policy", "other" ] }, "default": [] }, "notes": { "type": "string" } } }, "cicdPrivilegedEntryPoint": { "type": "object", "additionalProperties": false, "required": [ "id", "name", "kind", "command", "privilegeDomain", "executionContext", "declaredEffects", "riskLevel", "invocationContract", "cicdControls" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "name": { "$ref": "#/$defs/nonEmptyString" }, "kind": { "type": "string", "enum": [ "pipeline-step", "job", "workflow", "deployment-action", "release-action", "gateway", "secret-bearing-step", "runner-operation", "other" ] }, "path": { "type": "string" }, "command": { "type": "string", "minLength": 1 }, "privilegeDomain": { "type": "string", "enum": [ "ci-cd", "cloud-admin", "kubernetes-rbac", "root", "sudo", "api-admin", "artifact-signing", "other" ] }, "executionContext": { "$ref": "#/$defs/cicdExecutionContext" }, "declaredEffects": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "riskLevel": { "type": "string", "enum": [ "low", "moderate", "high", "critical" ] }, "integrityBinding": { "$ref": "#/$defs/cicdIntegrityBinding" }, "authorizationReference": { "$ref": "#/$defs/identifier" }, "invocationContract": { "$ref": "#/$defs/cicdInvocationContract" }, "reviews": { "type": "array", "items": { "$ref": "#/$defs/cicdReviewRecord" }, "default": [] }, "evidenceRefs": { "type": "array", "items": { "$ref": "#/$defs/identifier" }, "default": [] }, "cicdControls": { "$ref": "#/$defs/cicdControls" } } }, "cicdExecutionContext": { "type": "object", "additionalProperties": false, "required": [ "environmentType", "runAs", "allowedCallers", "networkAccess", "runnerClass" ], "properties": { "environmentType": { "type": "string", "enum": [ "ci-cd", "os-sudo", "kubernetes-rbac", "cloud-iam", "container-runtime", "other" ] }, "allowedCallers": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "runAs": { "type": 
"string", "enum": [ "pipeline-identity", "runner-identity", "oidc-federated-identity", "workload-identity", "service-account", "user", "other" ] }, "runAsIdentity": { "type": "string" }, "runnerClass": { "type": "string", "enum": [ "shared", "dedicated", "ephemeral", "self-hosted-static", "other" ] }, "targetEnvironment": { "type": "string" }, "networkAccess": { "type": "string", "enum": [ "none", "restricted", "full", "unknown" ] }, "interactiveAllowed": { "type": "boolean" }, "automationAllowed": { "type": "boolean" }, "environmentRestrictions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "sourceTrustConstraints": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] } } }, "cicdIntegrityBinding": { "type": "object", "additionalProperties": false, "required": [ "type" ], "properties": { "type": { "type": "string", "enum": [ "none", "commit-hash", "artifact-digest", "signed-artifact", "provenance-attestation", "workflow-definition-hash", "other" ] }, "algorithm": { "type": "string", "enum": [ "sha256", "sha384", "sha512", "git-commit", "sigstore", "x509", "slsa", "other" ] }, "digest": { "$ref": "#/$defs/hashValue" }, "gitRevision": { "type": "string" }, "artifactRef": { "type": "string" }, "attestationRef": { "type": "string" }, "signatureRef": { "type": "string" }, "verifiedBeforeExecution": { "type": "boolean" }, "reviewRenewalRequiredOnChange": { "type": "boolean" } } }, "cicdInvocationContract": { "type": "object", "additionalProperties": false, "required": [ "allowedArgumentsPolicy", "expectedEffects", "failureMode", "privilegeExpectation", "startupChecks" ], "properties": { "allowedArgumentsPolicy": { "$ref": "#/$defs/cicdArgumentsPolicy" }, "expectedEffects": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "forbiddenEffects": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "preconditions": { "type": "array", "items": { 
"$ref": "#/$defs/nonEmptyString" }, "default": [] }, "postconditions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "failureMode": { "type": "string", "enum": [ "fail-closed", "best-effort" ] }, "privilegeExpectation": { "type": "string", "enum": [ "must-run-on-approved-runner", "must-use-approved-federated-identity", "must-use-reviewed-workflow-definition", "must-be-approved-for-target-environment", "must-be-invoked-via-reviewed-pipeline" ] }, "startupChecks": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "check-source-ref-policy", "check-runner-class", "check-target-environment", "check-required-approvals", "check-identity-binding", "check-secret-scope", "check-artifact-digest", "check-provenance-attestation", "check-workflow-definition-hash", "check-argument-contract", "check-caller-identity", "check-concurrency-lock" ] } } } }, "cicdArgumentsPolicy": { "type": "object", "additionalProperties": false, "required": [ "mode" ], "properties": { "mode": { "type": "string", "enum": [ "none", "fixed", "allowlist", "schema-validated", "policy-evaluated" ] }, "fixedArguments": { "type": "array", "items": { "type": "string" }, "default": [] }, "allowedPatterns": { "type": "array", "items": { "type": "string" }, "default": [] }, "jsonSchema": { "type": "object" }, "notes": { "type": "string" } } }, "cicdControls": { "type": "object", "additionalProperties": false, "required": [ "entryPointModel", "runnerRestricted", "identityEphemeralWherePossible", "reviewedWorkflowRequired", "environmentApprovalRequired", "secretExposureRisk" ], "properties": { "entryPointModel": { "type": "string", "enum": [ "direct-pipeline-step", "reviewed-deployment-gateway", "release-workflow", "promotion-pipeline", "runner-mediated-operation", "other" ] }, "runnerRestricted": { "type": "boolean" }, "runnerIsolationLevel": { "type": "string", "enum": [ "low", "moderate", "high", "ephemeral-strong", "unknown" ] }, 
"identityEphemeralWherePossible": { "type": "boolean" }, "reviewedWorkflowRequired": { "type": "boolean" }, "workflowPinnedToTrustedRef": { "type": "boolean" }, "environmentApprovalRequired": { "type": "boolean" }, "requiresTwoPersonReview": { "type": "boolean" }, "artifactProvenanceVerified": { "type": "boolean" }, "artifactSigningRequired": { "type": "boolean" }, "secretExposureRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "runnerEscapeRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "targetPrivilegeAmplificationRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "policyEvaluated": { "type": "boolean" }, "requiresDedicatedReview": { "type": "boolean" }, "reviewRenewalOnHashChange": { "type": "boolean" }, "approvalGateRefs": { "type": "array", "items": { "$ref": "#/$defs/identifier" }, "default": [] }, "targetBindings": { "type": "array", "items": { "$ref": "#/$defs/targetBinding" }, "default": [] } } }, "targetBinding": { "type": "object", "additionalProperties": false, "required": [ "targetType", "targetIdentifier", "bindingMode" ], "properties": { "targetType": { "type": "string", "enum": [ "os-sudo", "kubernetes-rbac", "cloud-iam", "artifact-signing", "api-admin", "other" ] }, "targetIdentifier": { "type": "string" }, "bindingMode": { "type": "string", "enum": [ "oidc-federation", "static-secret", "approved-kubeconfig", "reviewed-sudoers-path", "service-connection", "other" ] }, "bindingRef": { "type": "string" } } }, "cicdReviewRecord": { "type": "object", "additionalProperties": false, "required": [ "reviewer", "date", "reviewType", "decision" ], "properties": { "reviewer": { "$ref": "#/$defs/nonEmptyString" }, "date": { "type": "string", "format": "date" }, "reviewType": { "type": "string", "enum": [ "code-review", "security-review", "risk-review", "renewal-review", "workflow-review", "runner-review", "identity-review", "exception-review" ] }, 
"decision": { "type": "string", "enum": [ "approved", "approved-with-conditions", "rejected", "expired" ] }, "notes": { "type": "string" } } }, "cicdAuthorizationArtifact": { "type": "object", "additionalProperties": false, "required": [ "id", "type", "entries" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "type": { "type": "string", "enum": [ "allowlist", "signed-approval-manifest", "policy-bundle", "attestation-set", "release-approval-set", "environment-gate-set" ] }, "path": { "type": "string" }, "signed": { "type": "boolean" }, "signatureRef": { "type": "string" }, "entries": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/cicdAuthorizationEntry" } } } }, "cicdAuthorizationEntry": { "type": "object", "additionalProperties": false, "required": [ "entryId", "privilegedEntryPointId", "approvalStatus", "approvedBy" ], "properties": { "entryId": { "$ref": "#/$defs/identifier" }, "privilegedEntryPointId": { "$ref": "#/$defs/identifier" }, "approvalStatus": { "type": "string", "enum": [ "approved", "conditional", "revoked", "expired", "draft" ] }, "integrityBinding": { "$ref": "#/$defs/cicdIntegrityBinding" }, "approvedBy": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "approvedAt": { "type": "string", "format": "date-time" }, "expiresAt": { "type": "string", "format": "date-time" }, "conditions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "pipelineBinding": { "$ref": "#/$defs/pipelineAuthorizationBinding" }, "policyRef": { "type": "string" } } }, "pipelineAuthorizationBinding": { "type": "object", "additionalProperties": false, "required": [ "pipelineRef", "workflowRef", "environmentRef" ], "properties": { "pipelineRef": { "type": "string" }, "workflowRef": { "type": "string" }, "jobRef": { "type": "string" }, "environmentRef": { "type": "string" }, "sourceRefPolicy": { "type": "string", "enum": [ "main-only", "release-branches-only", "tagged-releases-only", 
"reviewed-pr-merge-only", "custom" ] }, "runnerClass": { "type": "string", "enum": [ "shared", "dedicated", "ephemeral", "self-hosted-static", "other" ] }, "identityBindingMode": { "type": "string", "enum": [ "oidc-federation", "workload-identity", "static-secret", "service-connection", "other" ] } } }, "cicdImplementationMapping": { "type": "object", "additionalProperties": false, "required": [ "environmentType", "pattern", "tooling" ], "properties": { "environmentType": { "type": "string", "enum": [ "ci-cd", "os-sudo", "kubernetes-rbac", "cloud-iam", "other" ] }, "pattern": { "type": "string", "enum": [ "reviewed-privileged-workflow", "environment-gated-deploy", "oidc-federated-deployment", "artifact-promotion-gateway", "runner-isolated-privileged-step", "signed-release-pipeline", "provenance-verified-deploy", "other" ] }, "tooling": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "github-actions", "gitlab-ci", "jenkins", "azure-devops", "buildkite", "tekton", "argo-workflows", "cosign", "in-toto", "slsa-verifier", "opa", "conftest", "vault", "other" ] } }, "notes": { "type": "string" }, "references": { "type": "array", "items": { "$ref": "#/$defs/uriString" }, "default": [] } } }, "cicdEvidence": { "type": "object", "additionalProperties": false, "required": [ "id", "type", "description" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "type": { "type": "string", "enum": [ "file", "log", "review-record", "policy", "attestation", "report", "workflow-definition", "runner-config", "environment-gate", "release-record", "other" ] }, "description": { "type": "string" }, "path": { "type": "string" }, "uri": { "$ref": "#/$defs/uriString" }, "collectedAt": { "type": "string", "format": "date-time" }, "collectedBy": { "type": "string" }, "hash": { "$ref": "#/$defs/cicdIntegrityBinding" } } } } } ``` Two validation caveats before using this schema as a gate: in draft 2020-12, `additionalProperties` only considers the `properties` declared in the same schema object, so `"additionalProperties": false` in the second `allOf` branch rejects the required `metadata` member (which is declared only by the referenced base schema) — use `"unevaluatedProperties": false` there instead so properties evaluated by the `$ref` branch are permitted; and `format` (`uri`, `date`, `date-time`) is an annotation by default, so a validator must have format assertion enabled for those constraints to be enforced, unlike the `pattern` constraints on `hashValue` and `identifier`. Here is a **minimal valid example instance** for this profile: ```json { "schemaVersion": "1.0.0", "documentType": "pecs-combined", 
"metadata": { "id": "deploy-pipeline-cicd-profile", "title": "Deploy Pipeline CI/CD PECS Profile", "version": "0.1.0", "status": "draft" }, "system": { "name": "deploy-pipeline", "scope": "Privileged deployment pipeline for production releases using reviewed workflows and OIDC-bound identities.", "environmentTypes": [ "ci-cd", "kubernetes-rbac" ], "criticality": "high", "cicdProfile": { "platformType": "github-actions", "runnerTrustModel": "ephemeral-runners", "identityModel": "oidc-federated", "promotionModel": "artifact-promotion", "repositoryScope": [ "org/platform-deploy" ], "environmentsInScope": [ "staging", "production" ], "requiredReviewersForPrivilegedChanges": 2, "artifactSigningUsed": true, "provenanceGenerated": true, "policyEngines": [ "opa", "slsa-verifier" ] } }, "privilegedExecutionSurface": [ { "id": "production-deploy-job", "name": "production-deploy-job", "kind": "job", "path": ".github/workflows/deploy.yml", "command": "deploy production", "privilegeDomain": "kubernetes-rbac", "executionContext": { "environmentType": "ci-cd", "runAs": "oidc-federated-identity", "runAsIdentity": "github-actions:org/platform-deploy:production", "allowedCallers": [ "release-workflow" ], "runnerClass": "ephemeral", "targetEnvironment": "production", "networkAccess": "restricted", "interactiveAllowed": false, "automationAllowed": true, "sourceTrustConstraints": [ "tagged releases only", "workflow file changes require two approvals" ] }, "declaredEffects": [ "Deploy approved signed artifact to production cluster", "Update release state after successful deployment" ], "riskLevel": "critical", "integrityBinding": { "type": "workflow-definition-hash", "algorithm": "sha256", "digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "gitRevision": "f4f4d2b1c8d9e0a11223344556677889900aabbc", "verifiedBeforeExecution": true, "reviewRenewalRequiredOnChange": true }, "invocationContract": { "allowedArgumentsPolicy": { "mode": "fixed", "fixedArguments": [ 
"production" ] }, "expectedEffects": [ "Deploy only reviewed artifacts to approved production target" ], "forbiddenEffects": [ "Deploy from unreviewed branch refs", "Use static long-lived cloud credentials" ], "failureMode": "fail-closed", "privilegeExpectation": "must-use-approved-federated-identity", "startupChecks": [ "check-source-ref-policy", "check-runner-class", "check-target-environment", "check-required-approvals", "check-identity-binding", "check-artifact-digest", "check-provenance-attestation", "check-workflow-definition-hash" ] }, "cicdControls": { "entryPointModel": "reviewed-deployment-gateway", "runnerRestricted": true, "runnerIsolationLevel": "ephemeral-strong", "identityEphemeralWherePossible": true, "reviewedWorkflowRequired": true, "workflowPinnedToTrustedRef": true, "environmentApprovalRequired": true, "requiresTwoPersonReview": true, "artifactProvenanceVerified": true, "artifactSigningRequired": true, "secretExposureRisk": "low", "runnerEscapeRisk": "low", "targetPrivilegeAmplificationRisk": "moderate", "policyEvaluated": true, "requiresDedicatedReview": true, "reviewRenewalOnHashChange": true, "approvalGateRefs": [ "prod-env-gate" ], "targetBindings": [ { "targetType": "kubernetes-rbac", "targetIdentifier": "prod-cluster/deployer", "bindingMode": "oidc-federation", "bindingRef": "github-oidc-prod-deployer" } ] } } ], "authorizationArtifacts": [ { "id": "deploy-pipeline-approval-set", "type": "signed-approval-manifest", "path": "security/cicd-privileged-allowlist.yaml", "signed": true, "signatureRef": "cosign://deploy-pipeline-approval-set", "entries": [ { "entryId": "production-deploy-approved", "privilegedEntryPointId": "production-deploy-job", "approvalStatus": "approved", "approvedBy": [ "platform-security", "release-management" ], "integrityBinding": { "type": "workflow-definition-hash", "algorithm": "sha256", "digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "gitRevision": 
"f4f4d2b1c8d9e0a11223344556677889900aabbc", "verifiedBeforeExecution": true, "reviewRenewalRequiredOnChange": true }, "pipelineBinding": { "pipelineRef": "org/platform-deploy", "workflowRef": ".github/workflows/deploy.yml", "jobRef": "deploy-production", "environmentRef": "production", "sourceRefPolicy": "tagged-releases-only", "runnerClass": "ephemeral", "identityBindingMode": "oidc-federation" } } ] } ] } ``` xxx