Governance & Evidence
OpsMx Policy Enforcement and Deployment Firewall ensures every change that goes to production meets your security, compliance, and quality standards. AppSec and platform teams can count on OpsMx to enforce policies at the time of deployment — preventing risky changes and strengthening your security posture.
How the Deployment Firewall Works
Policy checks and security scans are triggered automatically when code is merged or a build is initiated. Compliance posture is evaluated by comparing the security data collected and policies defined. The OpsMx Deployment Firewall then issues a real-time YES/NO decision to the Kubernetes Admission Controller. If compliant, the deployment proceeds. If not, the sync is blocked and developers are instantly notified. This entire process is API-driven, fast, and logged — providing continuous deployment and continuous security.
What the Deployment Firewall Evaluates
The Deployment Firewall evaluates deployments across five key dimensions.
Security Vulnerabilities
Has the release been scanned for vulnerabilities? Are there unacceptable vulnerabilities? If the release needs to go out anyway, has a policy exception been recorded?
Manifest Security
Has the manifest file been modified since the last deployment? What changed? Do the specifications for things like service-to-service communications, open ports, and protocols comply with the organization's security policies?
Artifact Integrity
Do the images to be deployed match those generated at the last application build? Have images or their dependent libraries been modified post-build?
Infrastructure Readiness
Does the target deployment platform meet security requirements, such as CIS benchmarks?
Release Quality & Performance
How does the quality and performance of the new release compare to the release currently running in production?
Key Capabilities
Policy-as-Code with OPA
Define and enforce Policy-as-Code using the Open Policy Agent (OPA). Use built-in rules or create custom policies tailored to your organization's standards.
Rules Genie — use AI to convert plain-language policies into "policy-as-code" Rego scripts. This means security and compliance teams can define policies in plain English and have them automatically translated into executable OPA rules — no manual Rego scripting required.
Policy types supported:
Static Policies
Fixed rules applied to every deployment regardless of context — e.g., no critical CVEs, approved base images only
Dynamic Policies
Context-aware rules that evaluate runtime data — e.g., block if P1/P2 Jira tickets are open for this build
Blackout Window
Block all deployments during defined freeze periods — quarter-end, maintenance windows, compliance lockouts
Separation of Duties
Enforce SOX-aligned controls — no single person can both approve and deploy
Custom OPA Rules
Organization-specific rules defined in Rego policy language
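As an added illustration (not OpsMx's own code, and not its real input schema), the static, blackout-window and zero-day rules described above could be written as one OPA Rego policy like this; the input fields, the data documents (data.blackout_windows, data.blocked_packages) and the image names are assumed for the example.

```rego
package deploymentfirewall

import rego.v1

# Allow-list of base images (constructed example values, not a real registry).
approved_base_images := {
    "registry.example.com/base/distroless:12",
    "registry.example.com/base/alpine:3.20",
}

# Static policy: no critical CVEs, unless a recorded and unexpired exception covers this rule.
# input.vulnerabilities is assumed to be the scanner output attached to the release.
deny contains msg if {
    some v in input.vulnerabilities
    v.severity == "CRITICAL"
    not exception_active("critical_cve")
    msg := sprintf("critical vulnerability %s in package %s", [v.id, v.package])
}

# Static policy: approved base images only.
deny contains msg if {
    not input.base_image in approved_base_images
    msg := sprintf("base image %s is not on the approved list", [input.base_image])
}

# Blackout window: block every deployment that falls inside a declared freeze period.
# input.now is passed in (RFC 3339) so the decision is reproducible in an audit trail.
deny contains msg if {
    some w in data.blackout_windows
    time.parse_rfc3339_ns(w.start) <= time.parse_rfc3339_ns(input.now)
    time.parse_rfc3339_ns(input.now) < time.parse_rfc3339_ns(w.end)
    msg := sprintf("deployment blocked by blackout window %q", [w.name])
}

# Zero-day response: one data entry blocks every artifact that carries an affected package.
deny contains msg if {
    some v in input.vulnerabilities
    v.package in data.blocked_packages
    msg := sprintf("package %s is on the emergency block list", [v.package])
}

# An exception counts only if it names this rule and has not yet expired.
exception_active(rule) if {
    some e in input.exceptions
    e.rule == rule
    time.parse_rfc3339_ns(e.expires) > time.parse_rfc3339_ns(input.now)
}

# The YES/NO decision handed to the admission controller; deny carries the reasons for a NO.
allow if count(deny) == 0
```

Evaluating `data.deploymentfirewall.allow` and `data.deploymentfirewall.deny` against a deployment's input gives the decision plus the list of violated rules to log and notify on.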
Pre-packaged Compliance Library
The Compliance Library contains predefined rules based on NIST 800-53, CIS Benchmarks, PCI-DSS, and more — enabling organizations to get started with compliance automation immediately, without having to author rules from scratch.
Customers can add a Deployment Firewall to their existing CI/CD process to support compliance with industry standards such as NIST 800-53, HIPAA, and PCI.
Automated Policy Enforcement Across All Teams
Regardless of team or service, a deployment firewall can be applied to the deployment stage of every workflow or CD pipeline across distributed teams. This is done by integrating OpsMx Delivery Shield with the existing CD tool.
OpsMx standardizes policies consistently across environments and delivery pipelines — Spinnaker, Argo, and GitOps workflows.
Real-Time Block, Alert & Exception Handling
The enforcement layer checks whether the deployment is fully compliant, with no rule violated. If any violation is open, it blocks the deployment and notifies the responsible personnel. It also lets you manage exceptions for cases where a deployment must proceed with a warning.
Allow teams to request and approve temporary policy exceptions — with built-in reminders for expiry and follow-up with alerts and notifications via Slack and Email.
Automated Audit Trail & Compliance Reporting
OpsMx automatically logs every action, policy check, and gate result to give you real-time audit trails and attestation-ready reports.
Automatically log every gate decision — approvals, blocks, rollbacks, and exceptions.
This lets you automate governance by raising a ticket for each such incident in governance tools like Jira or ServiceNow, with supporting evidence for audit reporting. You can also generate an audit delivery attestation report for artifacts, or a CIS benchmark validation report, directly from the OpsMx Deployment Firewall.
Policy Preview (Pre-Production Visibility)
Policy Preview gives visibility into application security across dev, test, and staging, aligned with company policies. Teams can see which policies a release would fail before it reaches the Deployment Firewall gate — giving developers the chance to fix issues earlier in the pipeline.
Kubernetes Admission Controller Integration
The OpsMx Deployment Firewall issues a real-time YES/NO decision to the Kubernetes Admission Controller — blocking or allowing the sync based on policy results. This makes the firewall a native part of the Kubernetes deployment process, not an external step that can be bypassed.
Zero-Day Vulnerability Response
A common use case of the Deployment Firewall is responding to a newly reported vulnerability: you can enforce a real-time rule that stops all deployments containing the affected packages or artifacts. This lets organizations respond to zero-day events like Log4Shell instantly across the entire delivery pipeline, without manually intervening in each team's workflow.
Supported CI/CD Integrations
The Deployment Firewall comes with automation-friendly integration — compatibility with popular DevOps tools like Jenkins, Spinnaker, and Argo CD.
Argo CD: GitOps, Kubernetes Admission Controller integration
Spinnaker: Pipeline gate enforcement
Jenkins: Pipeline stage-level policy check
GitHub Actions: Workflow-level gate
GitLab CI: Pipeline stage enforcement
Flux: GitOps sync blocking
Notification & Governance Integrations
When a deployment is blocked or an exception is raised, Delivery Shield automatically notifies the right people and logs the event in the right systems:
Slack: Real-time block alerts and exception notifications; policy violation and expiry reminders
Microsoft Teams: ChatOps-style notifications
Jira: Auto-ticket creation for blocked deployments
ServiceNow: Governance and change management workflow integration
Benefits for the User
1. Last Line of Defense — Nothing Unsafe Reaches Production
Humans are error-prone. OpsMx automates policy enforcement via OPA to define Static and Dynamic Policies — ensuring nothing unsafe or non-compliant gets through.
2. No Developer Workflow Disruption
Dev teams stay in their GitOps workflow. Security and compliance controls run behind the scenes. Policies execute automatically — developers only see the firewall when something genuinely fails.
3. Consistent Governance Across Every Team & Environment
Enforce rules consistently across teams, tools, and environments to eliminate human error. Whether a team uses Jenkins, Argo CD, or GitHub Actions — the same policies apply, enforced centrally.
4. Instant Zero-Day Response
When a new critical CVE is published, a single rule update in the Deployment Firewall immediately stops all affected deployments across every team and pipeline — no manual intervention, no relying on individual teams to act.
5. Audit-Ready at All Times
OpsMx automatically logs every action, policy check, and gate result to give real-time audit trails and attestation-ready reports. Compliance audits that previously required days of manual evidence gathering are reduced to an on-demand report export.
6. Controlled Exception Management
Allow teams to request and approve temporary policy exceptions — with built-in reminders for expiry and follow-up with alerts and notifications via Slack and Email. Urgency is handled without permanently weakening governance.
7. Faster Compliance Adoption — Pre-packaged Rules
Built-in security with predefined policies for common security and compliance needs means organizations can achieve near-100% SDLC compliance from day one — without extensive custom rule development.
8. AI-Assisted Policy Creation
Rules Genie uses AI to convert plain-language policies into policy-as-code Rego scripts — dramatically lowering the barrier for non-technical security and compliance teams to define and enforce policies without engineering support.
Supported Compliance Frameworks
NIST 800-53: Pre-packaged rules; automated deployment controls
CIS Benchmarks: Infrastructure readiness validation at deployment time
PCI DSS: Vulnerability gate, artifact integrity, change control
HIPAA: Access control, deployment logging, exception management
SOX: Separation of duties, approval gates, audit trails
GDPR: Policy-driven access and deployment restrictions
SOC 2: Gate decisions logged; compliance tags applied to policies
NIST AI RMF: Policy enforcement and the Deployment Firewall ensure any model or code change failing RMF criteria is blocked before it goes live.
Setting Up the Deployment Firewall
1. Navigate to Setup → Policy & Governance in Delivery Shield
2. Select the Deployment Firewall option for your target CD tool (Argo CD, Jenkins, Spinnaker, etc.)
3. Choose from the Compliance Library of pre-packaged rules or define custom OPA policies
4. Set enforcement mode — Block, Alert, or Log only — per rule
5. Configure exception management — designate approvers and set maximum exception duration
6. Set up notifications — connect Slack, Email, Jira, or ServiceNow for alerts
7. Enable Policy Preview to surface policy gaps in pre-production environments
8. Activate — the firewall begins evaluating every deployment in real time