Secure development lifecycle
Release gates before production Workers deployments.
Maturity increases over time; gaps may exist between policy and automation.
Gates
- Review: Human review for auth, tenancy, and data-path changes.
- Typecheck & tests: TypeScript compile; Vitest for Worker pools where applicable.
- Secrets: No plaintext secrets in the repo; Wrangler secrets for production.
- IaC: Wrangler config changes reviewed alongside code.
An expanded secure SDLC checklist is available through procurement for qualified security reviews.