CICD Cybersecurity proposal#262

Open
sbtaylor15 wants to merge 2 commits into
cdfoundation:mainfrom
sbtaylor15:cybersecurity
Conversation

@sbtaylor15 (Contributor):

CICD Cybersecurity Project Proposal
Signed-off-by: Steve Taylor <steve@deployhub.com>
@sbtaylor15 sbtaylor15 requested a review from a team as a code owner April 21, 2026 00:13
Comment thread on proposals/cicd-cybersecurity/cicd-cybersecurity.md (outdated)
Added Garima Bajpai to the TOC sponsors and removed Steve Taylor

@TracyRagan left a comment:

Updated Garima Bajpai in place of Steve Taylor

@mnemonic01:

I've read the proposal; good job! Very relevant. The gap it addresses is real.
A few things that I felt missing or underdeveloped:

  • Pipelines are treated as the main control surface, but in practice you also have GitOps controllers and the platform/runtime itself. That distinction isn’t really visible.
  • Using lifecycle stages alone is too limiting. Without a stable set of capabilities, the mapping to tools will stay somewhat arbitrary.
  • GitOps is not explicitly positioned, while for many environments this is the delivery model now.
  • Secrets and IAM are mentioned, but not really treated as foundational building blocks. That’s where a lot of real risk sits.
  • IaC is missing. Without reproducible infrastructure, secure delivery is hard to make auditable.
  • Policy is mentioned, but not clearly positioned as something that spans pipeline, deployment, and runtime.
  • Supply chain security is well covered in terms of concepts, but I miss a clear end-to-end flow (build → sign → verify → deploy).
  • There’s no real reflection of multi-tenant / shared platform environments, which is where many users operate.

The AI section feels a bit generic right now. Maybe for a next version, make it concrete (with actual risks/controls) or leave it out for now.
Overall, the direction is strong. Tightening the positioning will make it clearer what this proposal is (and is not), and improve adoption.

4 participants