CI/CD for Saudi Government Platforms: NCA Compliance and Secure Delivery Pipelines
How to build CI/CD pipelines for Saudi government platforms that meet NCA Essential Cybersecurity Controls - secure build environments, supply chain security, automated compliance gates, and NCA audit evidence.
Every Saudi government entity building digital services - from Absher and Tawakkalna-style citizen platforms to internal ministry systems - must comply with the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC). These controls cover everything from access management and encryption to secure development practices and change management. For engineering teams, the question is not whether to comply but how to embed compliance into the software delivery process without grinding development to a halt.
CI/CD pipelines are the answer. When designed correctly, a CI/CD pipeline enforces NCA compliance at every stage - from code commit to production deployment - automatically generating the audit evidence that NCA assessors require. Compliance becomes a property of the pipeline rather than a manual process layered on top of development.
NCA ECC Controls That Impact CI/CD
The NCA ECC framework contains dozens of controls across multiple domains. Several directly affect how software is built, tested, and deployed. The groupings below are thematic; the ECC itself numbers its subdomains rather than using these abbreviations, so map each group to the specific ECC controls your assessor will test when you build the evidence pack:
Secure Software Development (SSD). NCA requires organisations to implement secure development lifecycle practices - including code review, static analysis, dependency vulnerability scanning, and secure coding standards. These are not optional recommendations; they are controls that NCA assessors verify during audits.
Change Management (CM). All changes to production systems must follow a documented change management process with approval workflows, rollback procedures, and audit trails. In a traditional organisation, this means change advisory boards and manual approval tickets. In a CI/CD environment, it means automated approval gates with documented evidence.
Access Control (AC). Access to production systems, deployment pipelines, and source code repositories must follow least-privilege principles with multi-factor authentication, role-based access control, and regular access reviews.
Audit and Accountability (AA). All actions in the delivery pipeline - code commits, build executions, test results, deployment approvals, and production changes - must be logged, timestamped, and retained for the period NCA specifies. These logs must be tamper-evident.
Cryptography (CY). Code signing, artifact signing, and encryption of secrets in the pipeline must use approved cryptographic standards. Secrets must not be stored in source code or pipeline configuration files.
Vulnerability Management (VM). Continuous scanning for vulnerabilities in application dependencies, container images, and infrastructure configurations - with defined remediation timelines based on severity.
Designing NCA-Compliant CI/CD Pipelines
An NCA-compliant CI/CD pipeline is not fundamentally different from a well-designed pipeline at any mature engineering organisation. The difference is in the rigour of enforcement, the completeness of evidence generation, and the auditability of every step.
Source Control and Access Management
The pipeline starts at the source code repository. For NCA access control compliance:
- Branch protection rules enforce that no code reaches the main branch without peer review. Direct pushes to main are blocked.
- Multi-factor authentication is required for all repository access. Both GitHub organisations and GitLab groups can require MFA for every member, and the enterprise tiers (GitHub Enterprise, GitLab Ultimate) can additionally bind sign-in to the entity's SAML identity provider so that the IdP's MFA policy applies to repository access.
- Role-based access control ensures that developers can push to feature branches, reviewers can approve merge requests, and only the CI/CD system can trigger production deployments. No individual has the ability to bypass the pipeline and deploy directly.
- Signed commits (GPG or SSH signing keys) give cryptographic proof that each change was made by the holder of a registered key. Two things make this meaningful: the branch protection rule must require verified signatures, otherwise unsigned commits are still merged, and the platform must bind each signing key to a managed identity, otherwise a signature proves key possession but not who the author is.
Every access event and code change is logged automatically by the source control platform. The platform's audit log retention is finite, however, so export it on a schedule to the entity's own evidence store rather than relying on the vendor to hold it for the NCA retention period.
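The branch protection rules above are only evidence if something checks them continuously. The following added example (not code from the original article or from any vendor) audits a branch protection payload against the rules this section describes and emits a JSON record for the evidence store. The payload is constructed by hand but follows the field names of GitHub's REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection; the check names in REQUIRED_CHECKS and the repository name are assumptions.

```python
"""Audit a GitHub branch-protection payload against NCA-style access rules.

Added example, not from the original article or any vendor.  The sample
payload below is constructed by hand but follows the shape of GitHub's
REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection;
in a real pipeline you would fetch it with an authenticated request and
store the resulting report next to the other audit evidence.
"""
import json

# Status checks that must be green before merge (assumed names for this example).
REQUIRED_CHECKS = {"sast", "sca", "secrets-scan"}

SAMPLE_PROTECTION = {  # constructed sample, mirrors the GitHub API field names
    "required_status_checks": {"strict": True, "contexts": ["sast", "sca"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_signatures": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_linear_history": {"enabled": True},
}


def _enabled(protection, key):
    """GitHub wraps booleans as {"enabled": bool}; absent means off."""
    return bool(protection.get(key, {}).get("enabled", False))


def audit_branch_protection(protection):
    """Return a list of findings; an empty list means the branch passes."""
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no peer review required before merge")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("approvals survive new commits (dismiss_stale_reviews off)")
    if not _enabled(protection, "required_signatures"):
        findings.append("unsigned commits accepted")
    if not _enabled(protection, "enforce_admins"):
        findings.append("administrators can bypass the rules")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force-push allowed (history can be rewritten)")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch can be deleted")
    checks = protection.get("required_status_checks") or {}
    missing = REQUIRED_CHECKS - set(checks.get("contexts", []))
    if missing:
        findings.append(f"required status checks missing: {sorted(missing)}")
    if not checks.get("strict", False):
        findings.append("branch not required to be up to date before merge")
    return findings


def evidence_record(repo, branch, protection):
    """Structured record for the evidence store (JSON so assessors can grep it)."""
    findings = audit_branch_protection(protection)
    return json.dumps({"repo": repo, "branch": branch,
                       "compliant": not findings, "findings": findings}, indent=2)


if __name__ == "__main__":
    # Assumed repository name; the sample fails on two points (admin bypass, missing secrets-scan).
    print(evidence_record("ministry/citizen-portal", "main", SAMPLE_PROTECTION))
```

Run it on a schedule against every protected branch and keep each record; a branch that drifts out of compliance then shows up as a dated finding rather than as a surprise during the audit.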
Build Environment Security
The build environment is a critical attack surface. A compromised build environment can inject malicious code into every artifact the organisation produces. For NCA compliance:
Ephemeral build environments. Each build runs in a fresh, isolated container that is destroyed after the build completes. No build state persists between runs, so an attacker who compromises one job cannot plant anything for the next. This does not cover the runner image or the orchestrator that launches it: both are persistent and need the same patching, scanning, and access controls as any production host.
Locked dependencies. Package lock files (package-lock.json, go.sum, Pipfile.lock) pin the exact dependency versions and hashes that were tested, so the production build cannot silently pick up a version published after the test run. The lock only helps if the install step honours it: use npm ci rather than npm install (which rewrites the lock), pipenv install --deploy or pip install --require-hashes rather than a plain pip install, and go mod verify to confirm the module cache still matches go.sum. A malicious version that is already in the lock file is not caught here; that is what SCA scanning is for.
Private artifact registries. Built artifacts (container images, compiled binaries) are stored in private registries (Amazon ECR, Google Artifact Registry, or self-hosted Nexus/Harbor) with access controls and vulnerability scanning. Public registries are not used for production artifacts.
Build provenance. Each build produces a signed provenance attestation - a cryptographic record of what was built, from which source code, by which pipeline, at what time. This follows the SLSA (Supply-chain Levels for Software Artifacts) framework and provides the evidence chain that NCA assessors need to verify the integrity of production artifacts.
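Producing provenance is only half of the control; the promotion gate has to verify it before an artifact reaches production. The following added example (not code from the original article, from SLSA, or from any vendor tool) verifies a SLSA provenance statement against the artifact bytes: it checks that the artifact's digest is a subject of the statement, that the predicate is SLSA v1, that the builder is one the entity trusts, and that the source repository is the expected one. The builder ID, source URI, domain names, the externalParameters layout and the artifact bytes are assumptions constructed for the example; the statement and predicate field names are the ones the in-toto and SLSA v1 specifications define. Signature verification of the DSSE envelope that carries the statement is deliberately left to cosign or slsa-verifier and runs before this check.

```python
"""Verify a SLSA provenance statement before an artifact may be promoted.

Added example, not from the original article, SLSA, or any vendor tool.  It
assumes the provenance is an in-toto Statement v1 carrying a SLSA v1
predicate (the fields read below are the ones those specs define) and it
deliberately stops short of signature checking: in practice the statement
arrives inside a DSSE envelope whose signature is verified first with
cosign or slsa-verifier.  The artifact bytes and statement are constructed
inline so the example runs offline.
"""
import hashlib
import json

# Trust anchors for this example (assumed values): the only builder allowed
# to produce production images and the only source repo they may come from.
TRUSTED_BUILDERS = {"https://ci.example.gov.sa/builders/gitlab-runner/v1"}
EXPECTED_SOURCE = "git+https://git.example.gov.sa/ministry/citizen-portal"

SLSA_V1 = "https://slsa.dev/provenance/v1"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"

# Constructed artifact: stands in for a container image or binary.
ARTIFACT = b"\x7fELF\x02\x01\x01 citizen-portal 1.4.2 (sample bytes)"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact, builder_id, source_uri):
    """Build a minimal SLSA v1 statement as a CI system would emit it."""
    return {
        "_type": STATEMENT_V1,
        "subject": [{"name": "citizen-portal", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.gov.sa/buildtypes/container/v1",  # assumed
                "externalParameters": {"source": {"uri": source_uri}},  # assumed layout
                "resolvedDependencies": [],
            },
            "runDetails": {"builder": {"id": builder_id},
                           "metadata": {"invocationId": "build-1042"}},
        },
    }


def verify_provenance(statement, artifact):
    """Return (ok, reasons).  Every reason is a promotion-blocking finding."""
    reasons = []
    if statement.get("_type") != STATEMENT_V1:
        reasons.append("not an in-toto Statement v1")
    if statement.get("predicateType") != SLSA_V1:
        reasons.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # The digest binds the statement to these exact bytes; a swapped artifact fails here.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        reasons.append("artifact digest not listed as a subject of the statement")
    pred = statement.get("predicate") or {}
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        reasons.append(f"untrusted builder {builder!r}")
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri"))
    if source != EXPECTED_SOURCE:
        reasons.append(f"built from unexpected source {source!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    good = make_statement(ARTIFACT, next(iter(TRUSTED_BUILDERS)), EXPECTED_SOURCE)
    print(json.dumps(verify_provenance(good, ARTIFACT)))
    # Same statement, but the artifact was swapped after the build: digest mismatch.
    print(json.dumps(verify_provenance(good, ARTIFACT + b"\x00")))
```

The point of pinning the builder ID and source URI is that a valid signature alone proves only that some trusted signer produced a statement; it is the builder and source checks that tie the artifact to this entity's pipeline and repository.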
Automated Security Gates
The pipeline includes mandatory security scanning stages that must pass before code progresses toward production:
Static Application Security Testing (SAST). Tools like SonarQube or Semgrep scan the source code for security vulnerabilities - SQL injection, cross-site scripting, insecure cryptographic usage, hardcoded credentials. Findings above a defined severity threshold block the pipeline.
Software Composition Analysis (SCA). Tools like Snyk or Trivy scan application dependencies for known vulnerabilities. Critical and high-severity vulnerabilities in dependencies block the pipeline. This directly addresses NCA’s vulnerability management controls.
Container image scanning. Every container image is scanned for OS-level vulnerabilities, misconfigured permissions, and unnecessary packages before it enters the artifact registry. Images with critical vulnerabilities are rejected.
Infrastructure-as-Code scanning. Terraform plans and Kubernetes manifests are validated against NCA policies using Open Policy Agent (OPA) or Checkov. A Terraform plan that creates an unencrypted database, an S3 bucket without access logging, or a security group with overly permissive rules is rejected before it reaches the apply stage.
Secrets detection. Tools like TruffleHog or GitLeaks scan every commit for accidentally committed secrets - API keys, database passwords, private keys and certificates. The pipeline blocks the commit, but because the secret has already left the developer's machine it is treated as compromised and rotated regardless; running the same scanner as a pre-commit hook catches most cases before they are pushed at all.
Each security gate produces a structured report that is stored as a pipeline artifact. These reports constitute the NCA audit evidence - demonstrating that every production deployment passed defined security controls.
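To make the infrastructure-as-code gate concrete, the following added example (not code from the original article, and not a substitute for OPA or Checkov) evaluates a Terraform plan in the JSON layout of terraform show -json against the three cases the text names: an unencrypted database, an S3 bucket without access logging, and a security group open to the world. It then returns the pass/fail decision together with the structured report that goes into the evidence store. The plan, resource names and rule names are constructed for the example; the resource_changes[].change.after layout is the one Terraform emits.

```python
"""Policy gate over a Terraform plan (the JSON from `terraform show -json`).

Added example, not from the original article and not a substitute for OPA
or Checkov; it shows what a policy-as-code gate checks and the structured
report it leaves behind.  The plan below is constructed inline and follows
the resource_changes[].change.after layout Terraform emits.
"""
import ipaddress
import json

SAMPLE_PLAN = {  # constructed sample in terraform-show JSON layout
    "resource_changes": [
        {"address": "aws_db_instance.citizens", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"storage_encrypted": False, "engine": "postgres"}}},
        {"address": "aws_s3_bucket.evidence", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "nca-evidence"}}},
        {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "citizen-uploads"}}},
        {"address": "aws_s3_bucket_logging.uploads", "type": "aws_s3_bucket_logging",
         "change": {"actions": ["create"],
                    "after": {"bucket": "citizen-uploads", "target_bucket": "nca-logs"}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
        {"address": "aws_security_group.old", "type": "aws_security_group",
         "change": {"actions": ["delete"], "before": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"]}]}}},
    ]
}


def _planned(plan):
    """Yield (address, type, after) for resources being created or updated."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if set(change.get("actions", [])) & {"create", "update"}:
            yield rc["address"], rc["type"], change.get("after") or {}


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; malformed strings are not treated as open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def evaluate_plan(plan):
    """Return findings as dicts; an empty list means the gate passes."""
    findings = []
    # Buckets that get an aws_s3_bucket_logging resource in this plan.  In a real
    # plan the bucket reference may be unknown until apply; OPA and Checkov also
    # read the plan's configuration section to resolve such references.
    logged = {after.get("bucket") for _, t, after in _planned(plan) if t == "aws_s3_bucket_logging"}
    for address, rtype, after in _planned(plan):
        if rtype == "aws_db_instance" and not after.get("storage_encrypted", False):
            findings.append({"severity": "critical", "resource": address, "rule": "db-encrypted-at-rest"})
        elif rtype == "aws_s3_bucket" and after.get("bucket") not in logged:
            findings.append({"severity": "high", "resource": address, "rule": "s3-access-logging"})
        elif rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                if any(_is_world_open(c) for c in rule.get("cidr_blocks") or []):
                    findings.append({"severity": "critical", "resource": address,
                                     "rule": "sg-no-world-ingress", "port": rule.get("from_port")})
    return findings


def gate(plan, block_on=("critical", "high")):
    """Decision plus the JSON report that goes into the evidence store."""
    findings = evaluate_plan(plan)
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, json.dumps({"passed": passed, "findings": findings}, indent=2)


if __name__ == "__main__":
    ok, report = gate(SAMPLE_PLAN)
    print(report)
    raise SystemExit(0 if ok else 1)  # a non-zero exit is what stops the pipeline
```

Note that the deleted security group is ignored even though it was world-open: a gate evaluates what the plan will create or change, not what it removes, which is also why the report records the resource address rather than only the rule name.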
Approval Workflows and Change Management
NCA’s change management controls require approval workflows for production changes. In a CI/CD pipeline, this is implemented through:
Environment promotion gates. Code progresses through environments - development, staging, production - with explicit approval gates between staging and production. The approval can be automated (all tests pass, security scans clear, SLO compliance is healthy) or manual (a designated approver reviews the change).
Deployment manifests. Each production deployment is accompanied by a manifest documenting what changed, which commits are included, which security scans passed, and who approved the deployment. This manifest is the NCA change management record.
Rollback capability. Every deployment must be reversible. The pipeline maintains the previous production artifact and can roll back within minutes. NCA assessors will ask about rollback procedures - the pipeline provides both the capability and the evidence that it has been tested.
PDPL Data Residency in the Pipeline
Data residency obligations - PDPL's restrictions on transferring personal data outside the Kingdom together with the ECC's cloud hosting controls for government entities - extend to the CI/CD pipeline itself. For Saudi government platforms:
- Build environments run in a cloud region inside the Kingdom or on-premises within the Kingdom. Note that AWS me-central-1 is the UAE region, not Riyadh; AWS has announced a Saudi Arabia region, so confirm it is generally available before building on it rather than assuming residency from the region name. Test fixtures, database snapshots, and build artifacts that contain Saudi citizen data must not transit through infrastructure outside the Kingdom.
- Artifact registries are hosted inside the Kingdom. Container images are not pushed to registries outside Saudi Arabia.
- Pipeline logs containing potentially sensitive information (environment variables, configuration values, test data) are stored inside the Kingdom with appropriate encryption and access controls.
This means the pipeline infrastructure itself must be architected for data residency - not just the applications it deploys.
Continuous Compliance Monitoring
NCA compliance is not a one-time certification. It requires continuous compliance - the ability to demonstrate at any point that all controls are in effect. The CI/CD pipeline enables this through:
Policy-as-code enforcement. Every deployment is validated against current NCA policies. If a new NCA control is added, the policy is updated in the pipeline and all subsequent deployments must comply. Existing non-compliant configurations are flagged for remediation.
Compliance dashboards. Real-time dashboards showing the compliance status of every service: which security scans passed, when the last vulnerability scan ran, which services have open critical vulnerabilities, and the remediation timeline for each finding.
Automated evidence collection. Every pipeline run generates a compliance evidence package - scan results, approval records, deployment manifests, and provenance attestations. When NCA assessors request evidence, it is available immediately rather than requiring weeks of manual collection.
Pipeline Architecture for Saudi Government Platforms
A reference architecture for NCA-compliant CI/CD on AWS, with every component pinned to a region inside the Kingdom (AWS me-central-1 is the UAE region, not Riyadh; confirm the AWS Saudi Arabia region is generally available before building on it):
Source control: GitHub Enterprise or GitLab Ultimate with SAML SSO, MFA enforcement, branch protection, and signed commits.
CI/CD engine: GitHub Actions with self-hosted runners inside the Kingdom, or GitLab CI with runners deployed inside the Kingdom. Self-hosted runners keep build execution in-region, but with GitHub.com or GitLab.com the control plane, job logs, and workflow metadata still live on the vendor's infrastructure outside the Kingdom; GitHub Enterprise Server or self-managed GitLab keeps both in-Kingdom.
Security scanning: SonarQube for SAST, Trivy for container and SCA scanning, OPA for policy-as-code, TruffleHog for secrets detection.
Artifact storage: Amazon ECR in the in-Kingdom region with image scanning enabled and lifecycle policies for retention.
Deployment: ArgoCD or Flux for GitOps-based Kubernetes deployments with automated sync and rollback capabilities.
Evidence storage: S3 bucket in the in-Kingdom region with versioning, encryption, and Object Lock in compliance mode for tamper-evident audit evidence retention (governance mode can be overridden by principals with the bypass permission, so it does not give assessors the guarantee they are looking for).
Monitoring: Prometheus and Grafana for pipeline health metrics, with alerts on pipeline failure rates, security scan findings, and deployment frequency.
The 8-Week Engagement for Government Platforms
For Saudi government engineering teams building or upgrading their CI/CD pipelines for NCA compliance:
Weeks 1-2: Assessment. Audit the current CI/CD pipeline against NCA ECC controls. Identify gaps in security scanning, access management, change management, and audit evidence generation. Assess PDPL data residency compliance of the pipeline infrastructure.
Weeks 3-5: Pipeline implementation. Build or upgrade the CI/CD pipeline with all NCA compliance gates - SAST, SCA, container scanning, IaC scanning, secrets detection. Implement approval workflows and deployment manifests. Configure build provenance and artifact signing.
Weeks 6-7: Evidence and monitoring. Deploy compliance dashboards. Configure automated evidence collection and retention. Implement continuous compliance monitoring with policy-as-code.
Week 8: Handover and documentation. Document the pipeline architecture, NCA control mappings, and operational procedures. Train the internal team on pipeline maintenance and policy updates. Prepare the NCA audit evidence package.
Getting Started
If your Saudi government platform needs CI/CD pipelines that meet NCA Essential Cybersecurity Controls - or if you need to upgrade existing pipelines to generate the compliance evidence that NCA assessors require - a structured CI/CD security engagement is the fastest path to continuous, automated compliance.
devopssaudi.com specialises in secure CI/CD for Saudi government platforms. Book a free 30-minute consultation - we will assess your current pipeline against NCA requirements and outline the engagement to close the gaps.