Tags: DevSecOps, SOC 2, OPA, Trivy, GitHub Actions, Vault
The problem
The company needed SOC 2 for enterprise deals but had ad-hoc security and no audit evidence. They feared a compliance push would grind engineering to a halt.
What I built
1. Introduced SAST, DAST and container scanning (Trivy) gated in CI.
2. Centralized secrets in Vault with short-lived, audited credentials.
3. Codified guardrails with OPA and Conftest, checking IaC and policies on every PR.
4. Automated control evidence collection so audits became continuous, not a scramble.
5. Hardened IAM with least-privilege roles and access reviews.
The outcome
Passed SOC 2 Type II six weeks ahead of schedule with zero critical CVEs reaching production. Security became a background guarantee rather than a blocker.
Want an outcome like this?
Book a call and let’s scope what it would take for your stack.