Compliance Without the Chaos: Building It Right Into Your DevOps Pipeline

Varun Gurnaney

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Compliance teams are stuck running painful, manual evidence-collection cycles while the DevOps pipelines they rely on already generate exactly the data they need. Varun Gurnaney argues that embedding compliance checks directly into CI/CD pipelines — and building a purpose-built compliance data layer to consume them — can eliminate most of that pain without requiring engineers to change how they work.

AI review

Gurnaney's framing is correct — compliance teams are pulling evidence manually from data that DevOps already generates automatically — but the solution he describes is either 'use OPA Gatekeeper' or 'buy a compliance platform,' and neither amounts to novel content. The CIP/COP distinction is a useful vocabulary addition; the rest is well-organized fundamentals.
