# Governance & Evidence

OpsMx Policy Enforcement and Deployment Firewall ensures every change that goes to production meets your security, compliance, and quality standards. AppSec and platform teams can count on OpsMx to enforce policies at the time of deployment — preventing risky changes and strengthening your security posture.

## How the Deployment Firewall Works

Policy checks and security scans are triggered automatically when code is merged or a build is initiated. Compliance posture is evaluated by comparing the security data collected against the policies defined. The OpsMx Deployment Firewall then issues a real-time YES/NO decision to the Kubernetes Admission Controller. If compliant, the deployment proceeds. If not, the sync is blocked and developers are instantly notified. This entire process is API-driven, fast, and logged, providing continuous deployment and continuous security.

### What the Deployment Firewall Evaluates

The Deployment Firewall evaluates deployments across five key dimensions.

**Security Vulnerabilities**

Has the release been scanned for vulnerabilities? Are there unacceptable vulnerabilities? If the release needs to go out anyway, has a policy exception been recorded?

**Manifest Security**

Has the manifest file been modified since the last deployment? What changed? Do the specifications for things like service-to-service communications, open ports, and protocols comply with the organization's security policies?

**Artifact Integrity**

Do the images to be deployed match those generated at the last application build? Have images or their dependent libraries been modified post-build?

**Infrastructure Readiness**

Does the target deployment platform meet security requirements, such as CIS benchmarks?

**Release Quality & Performance**

How does the quality and performance of the new release compare to the release currently running in production?

## Key Capabilities

**Policy-as-Code with OPA**

Define and enforce Policy-as-Code using the Open Policy Agent (OPA). Use built-in rules or create custom policies tailored to your organization's standards.

Rules Genie — use AI to convert plain-language policies into "policy-as-code" Rego scripts. This means security and compliance teams can define policies in plain English and have them automatically translated into executable OPA rules — no manual Rego scripting required.

Policy types supported:

| Policy Type              | Description                                                                                                       |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| **Static Policies**      | Fixed rules applied to every deployment regardless of context — e.g., no critical CVEs, approved base images only |
| **Dynamic Policies**     | Context-aware rules that evaluate runtime data — e.g., block if P1/P2 Jira tickets are open for this build        |
| **Blackout Window**      | Block all deployments during defined freeze periods — quarter-end, maintenance windows, compliance lockouts       |
| **Separation of Duties** | Enforce SOX-aligned controls — no single person can both approve and deploy                                       |
| **Custom OPA Rules**     | Organization-specific rules defined in Rego policy language                                                       |
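As an added illustration, not OpsMx's own rule set (the page does not show one), here is how the policy types in the table can be expressed as Rego for OPA: two static rules (unscanned release, critical CVEs, approved base images only), a blackout window, separation of duties, and a time-limited exception that suppresses a finding only until it expires. The input layout (`input.scan.findings`, `input.manifest.containers`, `input.deployment`, `input.exceptions`) and the configuration documents `data.approved_base_images` and `data.blackout_windows` are assumptions made for this example; the fixture at the bottom is constructed and runs with `opa test` on OPA 0.59 or later (it uses `import rego.v1`).

```rego
package deployment_firewall

import rego.v1

# Added example policy set (not OpsMx's rules). `input` carries the scan
# results, manifest and deployment metadata collected for one release;
# `data.approved_base_images` and `data.blackout_windows` are configuration.
# All field names are assumptions made for this example.

# Final YES/NO decision: allow only when no rule produced a violation.
default allow := false

allow if count(deny) == 0

# Static policy: an unscanned release is never compliant.
deny contains msg if {
    not input.scan
    msg := "release has no vulnerability scan results"
}

# Static policy: no unresolved critical vulnerabilities.
deny contains msg if {
    some finding in input.scan.findings
    finding.severity == "CRITICAL"
    not exception_active(finding.id)
    msg := sprintf("critical vulnerability %s in %s", [finding.id, finding.package])
}

# Static policy: approved base images only (tag or digest stripped first).
deny contains msg if {
    some container in input.manifest.containers
    name := image_name(container.base_image)
    not name in data.approved_base_images
    msg := sprintf("container %q uses unapproved base image %q", [container.name, container.base_image])
}

# Blackout window: block anything requested inside a configured freeze period.
deny contains msg if {
    some window in data.blackout_windows
    requested := time.parse_rfc3339_ns(input.deployment.requested_at)
    requested >= time.parse_rfc3339_ns(window.start)
    requested < time.parse_rfc3339_ns(window.end)
    msg := sprintf("deployment requested during blackout window %q", [window.name])
}

# Separation of duties: the approver must not also be the deployer.
deny contains msg if {
    input.deployment.approved_by == input.deployment.deployed_by
    msg := sprintf("separation of duties: %q both approved and deployed this release", [input.deployment.deployed_by])
}

# A recorded exception suppresses a finding only until its expiry.
exception_active(finding_id) if {
    some ex in input.exceptions
    ex.finding_id == finding_id
    time.parse_rfc3339_ns(ex.expires_at) > time.parse_rfc3339_ns(input.deployment.requested_at)
}

# "registry.example.com/base/alpine:3.19" -> "registry.example.com/base/alpine"
# (assumes the registry host carries no port).
image_name(ref) := regex.replace(ref, "[:@].*$", "")

# Constructed fixture (placeholder CVE ids, not real advisories).
sample_input := {
    "deployment": {
        "requested_at": "2025-03-31T22:00:00Z",
        "approved_by": "alice",
        "deployed_by": "alice",
    },
    "scan": {"findings": [
        {"id": "CVE-PLACEHOLDER-1", "package": "libexample", "severity": "CRITICAL"},
        {"id": "CVE-PLACEHOLDER-2", "package": "libother", "severity": "CRITICAL"},
    ]},
    "manifest": {"containers": [{"name": "api", "base_image": "registry.example.com/base/ubuntu:22.04"}]},
    "exceptions": [{"finding_id": "CVE-PLACEHOLDER-2", "expires_at": "2025-04-15T00:00:00Z"}],
}

sample_windows := [{"name": "Q1 close", "start": "2025-03-31T00:00:00Z", "end": "2025-04-02T00:00:00Z"}]

sample_approved := {"registry.example.com/base/distroless"}

# Expected: CVE-PLACEHOLDER-1 (no exception), the unapproved base image, the
# blackout window and the SoD violation fire; CVE-PLACEHOLDER-2 is excepted.
test_release_is_blocked_with_four_violations if {
    violations := deny with input as sample_input
        with data.blackout_windows as sample_windows
        with data.approved_base_images as sample_approved
    count(violations) == 4
    not allow with input as sample_input
        with data.blackout_windows as sample_windows
        with data.approved_base_images as sample_approved
}
```

The `allow` value is the kind of YES/NO answer described above; the `deny` set is what a developer would be notified with. Note that an exception is keyed to one finding and one expiry, so a lapsed exception silently re-blocks the release rather than leaving the gate permanently weakened.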

***

**Pre-packaged Compliance Library**

The Compliance Library contains predefined rules based on NIST 800-53, CIS Benchmarks, PCI-DSS, and more — enabling organizations to get started with compliance automation immediately, without having to author rules from scratch.

Customers can add a Deployment Firewall to their existing CI/CD process to support compliance with industry standards such as NIST 800-53, HIPAA, and PCI.

***

**Automated Policy Enforcement Across All Teams**

Regardless of team or service, the Deployment Firewall can be enforced at the deployment stage of every workflow or CD pipeline across distributed teams. This is done by integrating OpsMx Delivery Shield with the existing CD tool.

OpsMx applies the same policies consistently across environments and delivery pipelines, including Spinnaker, Argo, and GitOps workflows.

***

**Real-Time Block, Alert & Exception Handling**

The enforcement layer checks whether the deployment is in full compliance, with no broken rules. If there are open violations, it blocks the deployment and notifies the responsible personnel. It also lets you manage exceptions for cases where a deployment must proceed with a warning.

Teams can request and approve temporary policy exceptions, with built-in expiry reminders and follow-up alerts delivered via Slack and email.

***

**Automated Audit Trail & Compliance Reporting**

OpsMx automatically logs every action, policy check, and gate result to give you real-time audit trails and attestation-ready reports.

Every gate decision is logged automatically: approvals, blocks, rollbacks, and exceptions.

Governance can then be automated by raising a ticket for each such incident in tools like Jira or ServiceNow, with proof points attached for audit reporting. You can also generate an audit delivery attestation report for artifacts, or a CIS benchmark validation report, directly from the OpsMx Deployment Firewall.

***

**Policy Preview (Pre-Production Visibility)**

Policy Preview gives visibility into application security across dev, test, and staging, aligned with company policies. Teams can see which policies a release would fail before it reaches the Deployment Firewall gate — giving developers the chance to fix issues earlier in the pipeline.

***

**Kubernetes Admission Controller Integration**

The OpsMx Deployment Firewall issues a real-time YES/NO decision to the Kubernetes Admission Controller — blocking or allowing the sync based on policy results. This makes the firewall a native part of the Kubernetes deployment process, not an external step that can be bypassed.
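The page does not show the wire format of that decision, so the following is an added example rather than the OpsMx integration itself: a policy in the shape plain OPA evaluates for a Kubernetes AdmissionReview, implementing the Artifact Integrity dimension from above (images must be pinned by digest, and the digest must be one recorded at build time). `data.attested_digests` is an assumed document populated by the build system; the AdmissionReview fixture and the digests in it are constructed placeholders. It runs with `opa test` on OPA 0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Added example, not the OpsMx integration. Evaluated against a Kubernetes
# AdmissionReview (`input.request`). `data.attested_digests` is assumed to
# hold the image digests recorded by the attested build.

# The YES/NO answer handed back to the admission controller, with the reasons
# a developer would be notified about.
decision := {
    "allowed": count(violation) == 0,
    "reasons": violation,
}

# Containers from a bare Pod ...
containers contains c if {
    some c in input.request.object.spec.containers
}

# ... or from a workload template (Deployment, StatefulSet, Job, ...).
containers contains c if {
    some c in input.request.object.spec.template.spec.containers
}

# An image referenced by a mutable tag cannot be matched to a build record.
violation contains msg if {
    some c in containers
    not contains(c.image, "@sha256:")
    msg := sprintf("container %q: image %q is not pinned by digest", [c.name, c.image])
}

# A pinned image must carry a digest produced by an attested build; anything
# rebuilt or modified after the recorded build has a different digest.
violation contains msg if {
    some c in containers
    parts := split(c.image, "@")
    digest := parts[1]
    not digest in data.attested_digests
    msg := sprintf("container %q: digest %s was not produced by an attested build", [c.name, digest])
}

# Constructed fixtures (placeholder digests, not real images).
attested_digest := "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

tampered_digest := "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

sample_review := {"request": {
    "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
    "object": {"spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": concat("", ["registry.example.com/app/api@", attested_digest])},
        {"name": "worker", "image": concat("", ["registry.example.com/app/worker@", tampered_digest])},
        {"name": "sidecar", "image": "registry.example.com/app/sidecar:latest"},
    ]}}}},
}}

# The worker (digest not in the build record) and the sidecar (floating tag)
# are rejected, so the whole sync is blocked.
test_sync_is_blocked_with_two_reasons if {
    d := decision with input as sample_review with data.attested_digests as {attested_digest}
    not d.allowed
    count(d.reasons) == 2
}
```

Because the check runs at admission time on the object Kubernetes is about to create, a pipeline that skipped the scan stage or pushed a rebuilt image under the same tag still cannot get past the gate: the digest either matches the attested build or it does not.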

***

**Zero-Day Vulnerability Response**

A very common use case for the Deployment Firewall is responding to a newly reported vulnerability: you can enforce a real-time rule that stops all deployments containing the affected packages or artifacts. This lets organizations respond to zero-day events like Log4Shell instantly across the entire delivery pipeline, without manually intervening in each team's workflow.
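An added example, not an OpsMx rule, of what such an emergency rule can look like in Rego: a single `data.blocked_packages` entry, maintained by the security team, is matched against every release's SBOM, so one configuration change blocks the affected package everywhere. The package name, version numbers and advisory id are placeholders, `input.sbom.components` is an assumed input layout, and component versions are assumed to be semver. It runs with `opa test` on OPA 0.59 or later.

```rego
package deployment_firewall.zero_day

import rego.v1

# Added example, not an OpsMx rule. `data.blocked_packages` is the one list a
# security team edits when a vulnerability is reported; `input.sbom.components`
# (name + version) is assumed to be the release SBOM produced by the build.

# Block any release shipping an affected package below the fixed version.
# semver.compare requires semver strings; non-semver versions would need
# normalising before this rule is applied.
deny contains msg if {
    some blocked in data.blocked_packages
    some comp in input.sbom.components
    comp.name == blocked.name
    semver.compare(comp.version, blocked.fixed_in) < 0
    msg := sprintf("%s %s is affected by %s (fixed in %s)", [comp.name, comp.version, blocked.advisory, blocked.fixed_in])
}

default allow := false

allow if count(deny) == 0

# Constructed emergency entry with placeholder values.
emergency_rules := [{"name": "example-lib", "fixed_in": "1.4.2", "advisory": "ADVISORY-PLACEHOLDER"}]

test_affected_version_is_blocked if {
    release := {"sbom": {"components": [{"name": "example-lib", "version": "1.3.0"}]}}
    not allow with input as release with data.blocked_packages as emergency_rules
}

test_fixed_version_passes if {
    release := {"sbom": {"components": [{"name": "example-lib", "version": "1.4.2"}]}}
    allow with input as release with data.blocked_packages as emergency_rules
}

test_unrelated_release_passes if {
    release := {"sbom": {"components": [{"name": "other-lib", "version": "0.1.0"}]}}
    allow with input as release with data.blocked_packages as emergency_rules
}
```

The rule only works if every release carries an SBOM the firewall can read; a release without one should fall through to the "unscanned release" style of rule rather than be treated as clean.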

### Supported CI/CD Integrations

The Deployment Firewall comes with automation-friendly integration — compatibility with popular DevOps tools like Jenkins, Spinnaker, and Argo CD.

| Tool               | Type                                                 |
| ------------------ | ---------------------------------------------------- |
| **Argo CD**        | GitOps — Kubernetes Admission Controller integration |
| **Spinnaker**      | Pipeline gate enforcement                            |
| **Jenkins**        | Pipeline stage-level policy check                    |
| **GitHub Actions** | Workflow-level gate                                  |
| **GitLab CI**      | Pipeline stage enforcement                           |
| **Flux**           | GitOps sync blocking                                 |

### Notification & Governance Integrations

When a deployment is blocked or an exception is raised, Delivery Shield automatically notifies the right people and logs the event in the right systems:

| Channel             | Purpose                                               |
| ------------------- | ----------------------------------------------------- |
| **Slack**           | Real-time block alerts and exception notifications    |
| **Email**           | Policy violation and expiry reminders                 |
| **Microsoft Teams** | ChatOps-style notifications                           |
| **Jira**            | Auto-ticket creation for blocked deployments          |
| **ServiceNow**      | Governance and change management workflow integration |

## Benefits for the User

**1. Last Line of Defense — Nothing Unsafe Reaches Production**

Humans are error-prone. OpsMx enforces Static and Dynamic Policies automatically through OPA, ensuring nothing unsafe or non-compliant gets through.

**2. No Developer Workflow Disruption**

Dev teams stay in their GitOps workflow. Security and compliance controls run behind the scenes. Policies execute automatically — developers only see the firewall when something genuinely fails.

**3. Consistent Governance Across Every Team & Environment**

Enforce rules consistently across teams, tools, and environments to eliminate human error. Whether a team uses Jenkins, Argo CD, or GitHub Actions — the same policies apply, enforced centrally.

**4. Instant Zero-Day Response**

When a new critical CVE is published, a single rule update in the Deployment Firewall immediately stops all affected deployments across every team and pipeline — no manual intervention, no relying on individual teams to act.

**5. Audit-Ready at All Times**

OpsMx automatically logs every action, policy check, and gate result to give real-time audit trails and attestation-ready reports. Compliance audits that previously required days of manual evidence gathering are reduced to an on-demand report export.

**6. Controlled Exception Management**

Teams can request and approve temporary policy exceptions, with built-in expiry reminders and follow-up alerts delivered via Slack and email. Urgency is handled without permanently weakening governance.

**7. Faster Compliance Adoption — Pre-packaged Rules**

Built-in security with predefined policies for common security and compliance needs means organizations can achieve near-100% SDLC compliance from day one — without extensive custom rule development.

**8. AI-Assisted Policy Creation**

Rules Genie uses AI to convert plain-language policies into policy-as-code Rego scripts — dramatically lowering the barrier for non-technical security and compliance teams to define and enforce policies without engineering support.

## Supported Compliance Frameworks

| Framework          | Coverage                                                                                                                        |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| **NIST 800-53**    | Pre-packaged rules; automated deployment controls                                                                               |
| **CIS Benchmarks** | Infrastructure readiness validation at deployment time                                                                          |
| **PCI DSS**        | Vulnerability gate, artifact integrity, change control                                                                          |
| **HIPAA**          | Access control, deployment logging, exception management                                                                        |
| **SOX**            | Separation of duties, approval gates, audit trails                                                                              |
| **GDPR**           | Policy-driven access and deployment restrictions                                                                                |
| **SOC 2**          | Gate decisions logged; compliance tags applied to policies                                                                      |
| **NIST AI RMF**    | Policy enforcement and Deployment Firewall ensure any model or code change failing RMF criteria is blocked before it goes live  |

## Setting Up the Deployment Firewall

1. Navigate to **Setup → Policy & Governance** in Delivery Shield
2. Select the **Deployment Firewall** option for your target CD tool (Argo CD, Jenkins, Spinnaker, etc.)
3. Choose from the **Compliance Library** of pre-packaged rules or define custom OPA policies
4. Set enforcement mode — **Block**, **Alert**, or **Log only** per rule
5. Configure **exception management** — designate approvers and set maximum exception duration
6. Set up **notifications** — connect Slack, Email, Jira, or ServiceNow for alerts
7. Enable **Policy Preview** to surface policy gaps in pre-production environments
8. Activate — the firewall begins evaluating every deployment in real time
