Zero Trust for Build Pipelines: Closing the 55% Governance Gap

Your SBOM tells you what's inside the artifact. It tells you nothing about how it was built, who had access to the pipeline, or whether someone tampered with the process between commit and deploy.

In a 60-day research pilot across 30 repositories, 67% had configurations vulnerable to software supply chain compromise. Only 12% would have triggered an alert under SOC 2, SOX ITGC, or NIST 800-53. That leaves 55% of build pipeline risk completely invisible to existing governance.

Using the March 2026 Trivy supply chain attack as a case study, this talk demonstrates how mutable GitHub Actions tags enabled credential theft across thousands of pipelines, and how a single enforceable policy (SHA pinning) would have prevented it.

The session introduces a zero-trust framework for build pipeline governance built on four principles: Invisible Security (compliance as a side effect of shipping code), Forensic Attestation (a Build Chain of Custody record for every build), Blast Radius Control (instant forensic lookups across thousands of repos), and Compliance as Code (OPA/Rego policies mapped to 8 regulatory frameworks covering 100+ controls).

This is not a product pitch. This is original doctoral research, real production data, and a deployable framework for closing the governance gap that was exploited in the Trivy, SolarWinds, Codecov, 3CX, and Kaseya incidents.

Attendees leave with: a taxonomy of pipeline risks outside current compliance frameworks, a working model for Build Chain of Custody as a forensic evidence standard, actionable OPA/Rego policy patterns, and compliance mappings across SOC 2, SOX, NIST, ISO, PCI-DSS, FedRAMP, CIS, and HIPAA.

Amina Emenena

D.Sc. Cybersecurity Candidate, George Washington University | Founder, Build Flow Labs

San Diego, California, United States