classified-software-devsecops-engineer
Classified Software DevSecOps Engineer
When to Use
- Design secure software factories for cleared or high-side enclaves — disconnected, constrained, or policy-limited networks
- Implement CI/CD with non-bypassable security gates — SAST, SCA, secrets, IaC, container/image scan, DAST where applicable
- Operate artifact promotion workflows across classification boundaries at a conceptual level (handoffs, metadata, verification themes)
- Produce SBOMs, signatures, and provenance attestations suitable for release and assessor review
- Harden containers, base images, and deploy manifests against STIG/CIS-style baselines for the target environment
- Secure pipeline identity — short-lived credentials, segregated build vs deploy, least-privilege runners
- Integrate pipeline outputs with ATO/RMF evidence — control narratives, scan reports, change records (delegate SSP to ISSO)
- Support cleared developer workstation patterns — local build constraints, approved tooling, audit of dev actions
- Log and retain build/deploy audit trails for authorization and inspection themes
When NOT to Use
- Govern the classified cyber portfolio, inspections, or government escalation → classified-cyber-security-senior-manager
- Own SSP, POA&M, assessor coordination, or authorization package stewardship → information-systems-security-officer-classified-specialist
- Commercial or internet-connected delivery without classified constraints → devsecops or devops
- Validate builds or releases without security-gate or classified-context focus → build-validator
- Execute authorized penetration tests or exploit development → penetration-tester / web-pentester
- Enterprise GRC program, framework mapping, or commercial audit packs only → compliance-specialist / compliance-engineer
- Provision generic cloud/K8s without classified landing-zone or pipeline security lens → infrastructure-engineer / platform-engineer
- Formal verification, proof obligations, or assurance case ownership → software-assurance-formal-methods-specialist
Related skills
| Need | Skill |
|---|---|
| Commercial DevSecOps gates, OIDC, SBOM, supply chain | |
| General CI/CD and release mechanics | |
| Build/release validation without classified security depth | |
| Classified portfolio governance and inspection interfaces | |
| ISSO SSP, POA&M, assessor coordination | |
| Control mapping and audit evidence automation | |
| Landing zones, IaC platforms, K8s foundations | |
| Internal developer platform and golden paths | |
| Formal methods and proof-oriented assurance | |
Core Workflows
1. Scope and delivery boundary
Clarify classification context, enclave connectivity, who owns authorization artifacts, and which systems the pipeline may touch.
See references/classified_devsecops_scope.md.
2. Cleared pipelines and environments
Design runners, repos, secrets, and network placement for disconnected or high-side build/deploy.
See references/cleared_pipelines_and_environments.md.
3. Artifact promotion and boundaries
Define promotion stages, verification at handoffs, and metadata needed when artifacts cross policy boundaries (conceptual only).
See references/artifact_promotion_and_boundaries.md.
4. Security gates and supply chain
Implement shift-left scans, SBOM/signing, dependency policy, and exception workflows aligned to program baselines.
See references/security_gates_and_supply_chain.md.
5. Infrastructure hardening and deploy
Apply IaC guardrails, image baselines, admission policy themes, and STIG/CIS-oriented deploy checks.
See references/infrastructure_hardening_and_deploy.md.
6. ATO evidence and operations
Package pipeline evidence for assessors, operate audit logging, and hand off to ISSO/GRC without owning the SSP.
See references/evidence_ato_and_operations.md.
Outputs
- Pipeline architecture brief — connectivity model, trust zones, job segregation, secret flow
- Security gate matrix — tools, thresholds, branch rules, exception process
- Promotion runbook — stages, approvals, verification checks, rollback themes
- Release integrity pack — SBOM, signatures/provenance summary, scan attestations for the build
- Deploy hardening checklist — image baseline, IaC scan results, STIG/CIS mapping themes
- Evidence index for assessors — artifact list, retention, control pointers (for ISSO ingestion)
Principles
- Delivery engineer lens — implement and evidence secure factories; do not substitute for ISSO or program management
- Policy-first — follow program-specific classification, cross-domain, and tooling rules; describe patterns, not classified procedures
- Non-bypassable gates — protected branches and segregated deploy jobs; no silent skips on production paths
- Integrity by default — SBOM + signing on every production-eligible artifact; verify at deploy
- Minimum necessary in chat — no real tenant IDs, payloads, or export-controlled technical dumps in artifacts
- Evidence, not assertion — tie recommendations to scan results, logs, and control mapping themes
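Added example (not code from this skill or its references): a promotion gate in Python that applies the "non-bypassable gates" and "integrity by default" principles to the release integrity pack and security gate matrix listed under Outputs. The gate matrix limits, the pack layout, the constructed sample pack, and the HMAC used as a stand-in for a real artifact signature are all assumptions; a production pipeline would call its signing tool's verifier in place of the HMAC check.

```python
import hashlib
import hmac
# Gate matrix: maximum findings allowed per severity for each required scan.
# Limits are constructed for this example, not a program baseline.
GATE_MATRIX = {"sast": {"critical": 0, "high": 0}, "sca": {"critical": 0, "high": 2},
               "secrets": {"critical": 0, "high": 0}, "iac": {"critical": 0, "high": 0},
               "image": {"critical": 0, "high": 5}}

def evaluate_promotion(artifact: bytes, pack: dict, key: bytes) -> dict:
    """Decide whether an artifact may be promoted; a missing gate is a failure, never a skip."""
    failures = []
    digest = hashlib.sha256(artifact).hexdigest()
    # 1. SBOM must exist and must describe exactly this artifact.
    sbom = pack.get("sbom")
    if not sbom:
        failures.append("sbom: missing")
    elif sbom.get("artifact_sha256") != digest:
        failures.append("sbom: digest mismatch")
    # 2. Signature over the digest (HMAC is an assumed stand-in for a real signature scheme).
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pack.get("signature", "")):
        failures.append("signature: invalid or missing")
    # 3. Every required gate needs an attestation bound to this digest and within limits.
    scans = pack.get("scans", {})
    for gate, limits in GATE_MATRIX.items():
        report = scans.get(gate)
        if report is None:
            failures.append(f"{gate}: no attestation (gate cannot be skipped)")
            continue
        if report.get("artifact_sha256") != digest:
            failures.append(f"{gate}: attestation is for a different artifact")
            continue
        for sev, limit in limits.items():
            count = report.get("findings", {}).get(sev, 0)
            if count > limit:
                failures.append(f"{gate}: {count} {sev} findings exceed limit {limit}")
    # Evidence record for the assessor index: what was checked and what failed.
    evidence = {"artifact_sha256": digest, "gates": sorted(GATE_MATRIX), "failures": failures}
    return {"promote": not failures, "failures": failures, "evidence": evidence}

def build_sample_pack(artifact: bytes, key: bytes, sca_high: int = 0) -> dict:
    """Constructed integrity pack for demonstration; real packs are produced by the pipeline."""
    digest = hashlib.sha256(artifact).hexdigest()
    scans = {g: {"artifact_sha256": digest, "findings": {"critical": 0, "high": 0}}
             for g in GATE_MATRIX}
    scans["sca"]["findings"]["high"] = sca_high
    return {"sbom": {"artifact_sha256": digest, "components": ["libexample@1.2.3"]},
            "signature": hmac.new(key, digest.encode(), hashlib.sha256).hexdigest(),
            "scans": scans}
```

The returned `evidence` record is what would be appended to the evidence index for ISSO ingestion, whether or not promotion succeeded.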
When to load references
- Role boundary and handoffs → references/classified_devsecops_scope.md
- Air-gapped / high-side CI runners → references/cleared_pipelines_and_environments.md
- Promotion and boundary handoffs → references/artifact_promotion_and_boundaries.md
- SAST/SCA/secrets/SBOM gates → references/security_gates_and_supply_chain.md
- IaC, images, STIG/CIS deploy → references/infrastructure_hardening_and_deploy.md
- ATO evidence and audit operations → references/evidence_ato_and_operations.md