Maturity model and schemas for handling necessary privilege escalation across three contexts: OS sudo, Kubernetes RBAC, and CI/CD pipelines. To be applied to the codebase once initial Railiance setup is complete. Files: - privileged-execution-control_v0.2 (standard) - privileged-execution-control-schema_v0.2.1.md (base schema) - privileged-execution-control-schema-os-sudo_v0.2.1.md - privileged-execution-control-schema-kubernetes-rbac_v0.2.1.md - privileged-execution-control-schema-cicd_v0.2.1.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PecsSchemaCiCd
PECS profile schema for ci-cd environments
Below is a second-layer PECS profile schema for ci-cd environments.
It specializes the generic PECS schema for systems where privileged execution is mediated primarily through:
- CI/CD pipelines
- runners and worker identities
- build/deploy jobs
- OIDC / workload identities
- secret-scoped automation
- gated deployment and infrastructure actions
- pipeline-controlled invocation of privileged entry points in downstream environments
You can store it as pecs-cicd-profile.schema.json.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://example.org/schemas/pecs-cicd-profile.schema.json",
"title": "PECS CI/CD Profile Schema",
"description": "Second-layer PECS profile schema for CI/CD environments where privileged execution is mediated through pipelines, runners, job identities, deployment actions, and automation trust boundaries.",
"allOf": [
{
"$ref": "https://example.org/schemas/pecs.schema.json"
},
{
"type": "object",
"additionalProperties": false,
"required": [
"schemaVersion",
"documentType",
"metadata",
"system",
"privilegedExecutionSurface"
],
"properties": {
"schemaVersion": {
"const": "1.0.0"
},
"documentType": {
"enum": [
"pecs-model",
"pecs-assessment",
"pecs-authorization-artifact",
"pecs-profile",
"pecs-combined"
]
},
"system": {
"$ref": "#/$defs/cicdSystem"
},
"privilegedExecutionSurface": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/cicdPrivilegedEntryPoint"
}
},
"authorizationArtifacts": {
"type": "array",
"items": {
"$ref": "#/$defs/cicdAuthorizationArtifact"
}
},
"implementationMappings": {
"type": "array",
"items": {
"$ref": "#/$defs/cicdImplementationMapping"
}
},
"evidence": {
"type": "array",
"items": {
"$ref": "#/$defs/cicdEvidence"
}
}
}
}
],
"$defs": {
"nonEmptyString": {
"type": "string",
"minLength": 1
},
"identifier": {
"type": "string",
"pattern": "^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$"
},
"hashValue": {
"type": "string",
"pattern": "^[A-Fa-f0-9]{64,128}$"
},
"uriString": {
"type": "string",
"format": "uri"
},
"cicdSystem": {
"type": "object",
"additionalProperties": false,
"required": [
"name",
"scope",
"environmentTypes",
"cicdProfile"
],
"properties": {
"name": {
"$ref": "#/$defs/nonEmptyString"
},
"description": {
"type": "string"
},
"scope": {
"type": "string"
},
"environmentTypes": {
"type": "array",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"ci-cd",
"os-sudo",
"kubernetes-rbac",
"cloud-iam",
"container-runtime",
"api-admin",
"other"
]
},
"contains": {
"const": "ci-cd"
}
},
"criticality": {
"type": "string",
"enum": [
"low",
"moderate",
"high",
"critical"
]
},
"domainProfile": {
"type": "object"
},
"cicdProfile": {
"$ref": "#/$defs/cicdProfile"
}
}
},
"cicdProfile": {
"type": "object",
"additionalProperties": false,
"required": [
"platformType",
"runnerTrustModel",
"identityModel",
"promotionModel"
],
"properties": {
"platformType": {
"type": "string",
"enum": [
"github-actions",
"gitlab-ci",
"jenkins",
"azure-devops",
"buildkite",
"tekton",
"argo-workflows",
"generic",
"other"
]
},
"runnerTrustModel": {
"type": "string",
"enum": [
"shared-runners",
"dedicated-runners",
"ephemeral-runners",
"self-hosted-static",
"mixed"
]
},
"identityModel": {
"type": "string",
"enum": [
"static-secrets",
"oidc-federated",
"workload-identity",
"mixed"
]
},
"promotionModel": {
"type": "string",
"enum": [
"branch-driven",
"artifact-promotion",
"gitops-promotion",
"manual-approval-gated",
"mixed"
]
},
"repositoryScope": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"environmentsInScope": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"requiredReviewersForPrivilegedChanges": {
"type": "integer",
"minimum": 0
},
"artifactSigningUsed": {
"type": "boolean"
},
"provenanceGenerated": {
"type": "boolean"
},
"policyEngines": {
"type": "array",
"items": {
"type": "string",
"enum": [
"none",
"opa",
"conftest",
"slsa-verifier",
"custom-policy",
"other"
]
},
"default": []
},
"notes": {
"type": "string"
}
}
},
"cicdPrivilegedEntryPoint": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"name",
"kind",
"command",
"privilegeDomain",
"executionContext",
"declaredEffects",
"riskLevel",
"invocationContract",
"cicdControls"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"name": {
"$ref": "#/$defs/nonEmptyString"
},
"kind": {
"type": "string",
"enum": [
"pipeline-step",
"job",
"workflow",
"deployment-action",
"release-action",
"gateway",
"secret-bearing-step",
"runner-operation",
"other"
]
},
"path": {
"type": "string"
},
"command": {
"type": "string",
"minLength": 1
},
"privilegeDomain": {
"type": "string",
"enum": [
"ci-cd",
"cloud-admin",
"kubernetes-rbac",
"root",
"sudo",
"api-admin",
"artifact-signing",
"other"
]
},
"executionContext": {
"$ref": "#/$defs/cicdExecutionContext"
},
"declaredEffects": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"riskLevel": {
"type": "string",
"enum": [
"low",
"moderate",
"high",
"critical"
]
},
"integrityBinding": {
"$ref": "#/$defs/cicdIntegrityBinding"
},
"authorizationReference": {
"$ref": "#/$defs/identifier"
},
"invocationContract": {
"$ref": "#/$defs/cicdInvocationContract"
},
"reviews": {
"type": "array",
"items": {
"$ref": "#/$defs/cicdReviewRecord"
},
"default": []
},
"evidenceRefs": {
"type": "array",
"items": {
"$ref": "#/$defs/identifier"
},
"default": []
},
"cicdControls": {
"$ref": "#/$defs/cicdControls"
}
}
},
"cicdExecutionContext": {
"type": "object",
"additionalProperties": false,
"required": [
"environmentType",
"runAs",
"allowedCallers",
"networkAccess",
"runnerClass"
],
"properties": {
"environmentType": {
"type": "string",
"enum": [
"ci-cd",
"os-sudo",
"kubernetes-rbac",
"cloud-iam",
"container-runtime",
"other"
]
},
"allowedCallers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"runAs": {
"type": "string",
"enum": [
"pipeline-identity",
"runner-identity",
"oidc-federated-identity",
"workload-identity",
"service-account",
"user",
"other"
]
},
"runAsIdentity": {
"type": "string"
},
"runnerClass": {
"type": "string",
"enum": [
"shared",
"dedicated",
"ephemeral",
"self-hosted-static",
"other"
]
},
"targetEnvironment": {
"type": "string"
},
"networkAccess": {
"type": "string",
"enum": [
"none",
"restricted",
"full",
"unknown"
]
},
"interactiveAllowed": {
"type": "boolean"
},
"automationAllowed": {
"type": "boolean"
},
"environmentRestrictions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"sourceTrustConstraints": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
}
}
},
"cicdIntegrityBinding": {
"type": "object",
"additionalProperties": false,
"required": [
"type"
],
"properties": {
"type": {
"type": "string",
"enum": [
"none",
"commit-hash",
"artifact-digest",
"signed-artifact",
"provenance-attestation",
"workflow-definition-hash",
"other"
]
},
"algorithm": {
"type": "string",
"enum": [
"sha256",
"sha384",
"sha512",
"git-commit",
"sigstore",
"x509",
"slsa",
"other"
]
},
"digest": {
"$ref": "#/$defs/hashValue"
},
"gitRevision": {
"type": "string"
},
"artifactRef": {
"type": "string"
},
"attestationRef": {
"type": "string"
},
"signatureRef": {
"type": "string"
},
"verifiedBeforeExecution": {
"type": "boolean"
},
"reviewRenewalRequiredOnChange": {
"type": "boolean"
}
}
},
"cicdInvocationContract": {
"type": "object",
"additionalProperties": false,
"required": [
"allowedArgumentsPolicy",
"expectedEffects",
"failureMode",
"privilegeExpectation",
"startupChecks"
],
"properties": {
"allowedArgumentsPolicy": {
"$ref": "#/$defs/cicdArgumentsPolicy"
},
"expectedEffects": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"forbiddenEffects": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"preconditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"postconditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"failureMode": {
"type": "string",
"enum": [
"fail-closed",
"best-effort"
]
},
"privilegeExpectation": {
"type": "string",
"enum": [
"must-run-on-approved-runner",
"must-use-approved-federated-identity",
"must-use-reviewed-workflow-definition",
"must-be-approved-for-target-environment",
"must-be-invoked-via-reviewed-pipeline"
]
},
"startupChecks": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"check-source-ref-policy",
"check-runner-class",
"check-target-environment",
"check-required-approvals",
"check-identity-binding",
"check-secret-scope",
"check-artifact-digest",
"check-provenance-attestation",
"check-workflow-definition-hash",
"check-argument-contract",
"check-caller-identity",
"check-concurrency-lock"
]
}
}
}
},
"cicdArgumentsPolicy": {
"type": "object",
"additionalProperties": false,
"required": [
"mode"
],
"properties": {
"mode": {
"type": "string",
"enum": [
"none",
"fixed",
"allowlist",
"schema-validated",
"policy-evaluated"
]
},
"fixedArguments": {
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"allowedPatterns": {
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"jsonSchema": {
"type": "object"
},
"notes": {
"type": "string"
}
}
},
"cicdControls": {
"type": "object",
"additionalProperties": false,
"required": [
"entryPointModel",
"runnerRestricted",
"identityEphemeralWherePossible",
"reviewedWorkflowRequired",
"environmentApprovalRequired",
"secretExposureRisk"
],
"properties": {
"entryPointModel": {
"type": "string",
"enum": [
"direct-pipeline-step",
"reviewed-deployment-gateway",
"release-workflow",
"promotion-pipeline",
"runner-mediated-operation",
"other"
]
},
"runnerRestricted": {
"type": "boolean"
},
"runnerIsolationLevel": {
"type": "string",
"enum": [
"low",
"moderate",
"high",
"ephemeral-strong",
"unknown"
]
},
"identityEphemeralWherePossible": {
"type": "boolean"
},
"reviewedWorkflowRequired": {
"type": "boolean"
},
"workflowPinnedToTrustedRef": {
"type": "boolean"
},
"environmentApprovalRequired": {
"type": "boolean"
},
"requiresTwoPersonReview": {
"type": "boolean"
},
"artifactProvenanceVerified": {
"type": "boolean"
},
"artifactSigningRequired": {
"type": "boolean"
},
"secretExposureRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"runnerEscapeRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"targetPrivilegeAmplificationRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"policyEvaluated": {
"type": "boolean"
},
"requiresDedicatedReview": {
"type": "boolean"
},
"reviewRenewalOnHashChange": {
"type": "boolean"
},
"approvalGateRefs": {
"type": "array",
"items": {
"$ref": "#/$defs/identifier"
},
"default": []
},
"targetBindings": {
"type": "array",
"items": {
"$ref": "#/$defs/targetBinding"
},
"default": []
}
}
},
"targetBinding": {
"type": "object",
"additionalProperties": false,
"required": [
"targetType",
"targetIdentifier",
"bindingMode"
],
"properties": {
"targetType": {
"type": "string",
"enum": [
"os-sudo",
"kubernetes-rbac",
"cloud-iam",
"artifact-signing",
"api-admin",
"other"
]
},
"targetIdentifier": {
"type": "string"
},
"bindingMode": {
"type": "string",
"enum": [
"oidc-federation",
"static-secret",
"approved-kubeconfig",
"reviewed-sudoers-path",
"service-connection",
"other"
]
},
"bindingRef": {
"type": "string"
}
}
},
"cicdReviewRecord": {
"type": "object",
"additionalProperties": false,
"required": [
"reviewer",
"date",
"reviewType",
"decision"
],
"properties": {
"reviewer": {
"$ref": "#/$defs/nonEmptyString"
},
"date": {
"type": "string",
"format": "date"
},
"reviewType": {
"type": "string",
"enum": [
"code-review",
"security-review",
"risk-review",
"renewal-review",
"workflow-review",
"runner-review",
"identity-review",
"exception-review"
]
},
"decision": {
"type": "string",
"enum": [
"approved",
"approved-with-conditions",
"rejected",
"expired"
]
},
"notes": {
"type": "string"
}
}
},
"cicdAuthorizationArtifact": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"type",
"entries"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"type": {
"type": "string",
"enum": [
"allowlist",
"signed-approval-manifest",
"policy-bundle",
"attestation-set",
"release-approval-set",
"environment-gate-set"
]
},
"path": {
"type": "string"
},
"signed": {
"type": "boolean"
},
"signatureRef": {
"type": "string"
},
"entries": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/cicdAuthorizationEntry"
}
}
}
},
"cicdAuthorizationEntry": {
"type": "object",
"additionalProperties": false,
"required": [
"entryId",
"privilegedEntryPointId",
"approvalStatus",
"approvedBy"
],
"properties": {
"entryId": {
"$ref": "#/$defs/identifier"
},
"privilegedEntryPointId": {
"$ref": "#/$defs/identifier"
},
"approvalStatus": {
"type": "string",
"enum": [
"approved",
"conditional",
"revoked",
"expired",
"draft"
]
},
"integrityBinding": {
"$ref": "#/$defs/cicdIntegrityBinding"
},
"approvedBy": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"approvedAt": {
"type": "string",
"format": "date-time"
},
"expiresAt": {
"type": "string",
"format": "date-time"
},
"conditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"pipelineBinding": {
"$ref": "#/$defs/pipelineAuthorizationBinding"
},
"policyRef": {
"type": "string"
}
}
},
"pipelineAuthorizationBinding": {
"type": "object",
"additionalProperties": false,
"required": [
"pipelineRef",
"workflowRef",
"environmentRef"
],
"properties": {
"pipelineRef": {
"type": "string"
},
"workflowRef": {
"type": "string"
},
"jobRef": {
"type": "string"
},
"environmentRef": {
"type": "string"
},
"sourceRefPolicy": {
"type": "string",
"enum": [
"main-only",
"release-branches-only",
"tagged-releases-only",
"reviewed-pr-merge-only",
"custom"
]
},
"runnerClass": {
"type": "string",
"enum": [
"shared",
"dedicated",
"ephemeral",
"self-hosted-static",
"other"
]
},
"identityBindingMode": {
"type": "string",
"enum": [
"oidc-federation",
"workload-identity",
"static-secret",
"service-connection",
"other"
]
}
}
},
"cicdImplementationMapping": {
"type": "object",
"additionalProperties": false,
"required": [
"environmentType",
"pattern",
"tooling"
],
"properties": {
"environmentType": {
"type": "string",
"enum": [
"ci-cd",
"os-sudo",
"kubernetes-rbac",
"cloud-iam",
"other"
]
},
"pattern": {
"type": "string",
"enum": [
"reviewed-privileged-workflow",
"environment-gated-deploy",
"oidc-federated-deployment",
"artifact-promotion-gateway",
"runner-isolated-privileged-step",
"signed-release-pipeline",
"provenance-verified-deploy",
"other"
]
},
"tooling": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"github-actions",
"gitlab-ci",
"jenkins",
"azure-devops",
"buildkite",
"tekton",
"argo-workflows",
"cosign",
"in-toto",
"slsa-verifier",
"opa",
"conftest",
"vault",
"other"
]
}
},
"notes": {
"type": "string"
},
"references": {
"type": "array",
"items": {
"$ref": "#/$defs/uriString"
},
"default": []
}
}
},
"cicdEvidence": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"type",
"description"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"type": {
"type": "string",
"enum": [
"file",
"log",
"review-record",
"policy",
"attestation",
"report",
"workflow-definition",
"runner-config",
"environment-gate",
"release-record",
"other"
]
},
"description": {
"type": "string"
},
"path": {
"type": "string"
},
"uri": {
"$ref": "#/$defs/uriString"
},
"collectedAt": {
"type": "string",
"format": "date-time"
},
"collectedBy": {
"type": "string"
},
"hash": {
"$ref": "#/$defs/cicdIntegrityBinding"
}
}
}
}
}
Here is a minimal valid example instance for this profile:
{
"schemaVersion": "1.0.0",
"documentType": "pecs-combined",
"metadata": {
"id": "deploy-pipeline-cicd-profile",
"title": "Deploy Pipeline CI/CD PECS Profile",
"version": "0.1.0",
"status": "draft"
},
"system": {
"name": "deploy-pipeline",
"scope": "Privileged deployment pipeline for production releases using reviewed workflows and OIDC-bound identities.",
"environmentTypes": [
"ci-cd",
"kubernetes-rbac"
],
"criticality": "high",
"cicdProfile": {
"platformType": "github-actions",
"runnerTrustModel": "ephemeral-runners",
"identityModel": "oidc-federated",
"promotionModel": "artifact-promotion",
"repositoryScope": [
"org/platform-deploy"
],
"environmentsInScope": [
"staging",
"production"
],
"requiredReviewersForPrivilegedChanges": 2,
"artifactSigningUsed": true,
"provenanceGenerated": true,
"policyEngines": [
"opa",
"slsa-verifier"
]
}
},
"privilegedExecutionSurface": [
{
"id": "production-deploy-job",
"name": "production-deploy-job",
"kind": "job",
"path": ".github/workflows/deploy.yml",
"command": "deploy production",
"privilegeDomain": "kubernetes-rbac",
"executionContext": {
"environmentType": "ci-cd",
"runAs": "oidc-federated-identity",
"runAsIdentity": "github-actions:org/platform-deploy:production",
"allowedCallers": [
"release-workflow"
],
"runnerClass": "ephemeral",
"targetEnvironment": "production",
"networkAccess": "restricted",
"interactiveAllowed": false,
"automationAllowed": true,
"sourceTrustConstraints": [
"tagged releases only",
"workflow file changes require two approvals"
]
},
"declaredEffects": [
"Deploy approved signed artifact to production cluster",
"Update release state after successful deployment"
],
"riskLevel": "critical",
"integrityBinding": {
"type": "workflow-definition-hash",
"algorithm": "sha256",
"digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"gitRevision": "f4f4d2b1c8d9e0a11223344556677889900aabbc",
"verifiedBeforeExecution": true,
"reviewRenewalRequiredOnChange": true
},
"invocationContract": {
"allowedArgumentsPolicy": {
"mode": "fixed",
"fixedArguments": [
"production"
]
},
"expectedEffects": [
"Deploy only reviewed artifacts to approved production target"
],
"forbiddenEffects": [
"Deploy from unreviewed branch refs",
"Use static long-lived cloud credentials"
],
"failureMode": "fail-closed",
"privilegeExpectation": "must-use-approved-federated-identity",
"startupChecks": [
"check-source-ref-policy",
"check-runner-class",
"check-target-environment",
"check-required-approvals",
"check-identity-binding",
"check-artifact-digest",
"check-provenance-attestation",
"check-workflow-definition-hash"
]
},
"cicdControls": {
"entryPointModel": "reviewed-deployment-gateway",
"runnerRestricted": true,
"runnerIsolationLevel": "ephemeral-strong",
"identityEphemeralWherePossible": true,
"reviewedWorkflowRequired": true,
"workflowPinnedToTrustedRef": true,
"environmentApprovalRequired": true,
"requiresTwoPersonReview": true,
"artifactProvenanceVerified": true,
"artifactSigningRequired": true,
"secretExposureRisk": "low",
"runnerEscapeRisk": "low",
"targetPrivilegeAmplificationRisk": "moderate",
"policyEvaluated": true,
"requiresDedicatedReview": true,
"reviewRenewalOnHashChange": true,
"approvalGateRefs": [
"prod-env-gate"
],
"targetBindings": [
{
"targetType": "kubernetes-rbac",
"targetIdentifier": "prod-cluster/deployer",
"bindingMode": "oidc-federation",
"bindingRef": "github-oidc-prod-deployer"
}
]
}
}
],
"authorizationArtifacts": [
{
"id": "deploy-pipeline-approval-set",
"type": "signed-approval-manifest",
"path": "security/cicd-privileged-allowlist.yaml",
"signed": true,
"signatureRef": "cosign://deploy-pipeline-approval-set",
"entries": [
{
"entryId": "production-deploy-approved",
"privilegedEntryPointId": "production-deploy-job",
"approvalStatus": "approved",
"approvedBy": [
"platform-security",
"release-management"
],
"integrityBinding": {
"type": "workflow-definition-hash",
"algorithm": "sha256",
"digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"gitRevision": "f4f4d2b1c8d9e0a11223344556677889900aabbc",
"verifiedBeforeExecution": true,
"reviewRenewalRequiredOnChange": true
},
"pipelineBinding": {
"pipelineRef": "org/platform-deploy",
"workflowRef": ".github/workflows/deploy.yml",
"jobRef": "deploy-production",
"environmentRef": "production",
"sourceRefPolicy": "tagged-releases-only",
"runnerClass": "ephemeral",
"identityBindingMode": "oidc-federation"
}
}
]
}
]
}
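Review bot: `"metadata"` is listed in the branch's `required` but not in that branch's `properties`, and because `"additionalProperties": false` sits inside the same `allOf` branch, `metadata` is rejected as an unknown key — `additionalProperties` only considers the sibling `properties` of its own schema object, not those defined by the `$ref` to the base schema — so no instance, including the example given under "Here is a minimal valid example instance", can validate against this schema. Remove the `"additionalProperties": false` line from the branch and instead add `"unevaluatedProperties": false` at the top level beside `"allOf"`, which in draft 2020-12 accounts for properties evaluated through both branches (the base `$ref` and the local `properties`) while still closing the object to anything else. The sibling os-sudo and kubernetes-rbac profile schemas named in the commit are not visible here; if they use the same layout they presumably have the same defect and should be checked. Separately, `cicdIntegrityBinding` requires only `type`, so a binding declared as `commit-hash`, `artifact-digest` or `signed-artifact` validates with no `digest`, `gitRevision`, `signatureRef` or `verifiedBeforeExecution` present; an `if`/`then` on `type` that requires the matching reference field would make the integrity control checkable rather than merely declarative.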