CI/CD security audit for SMEs — with a concrete price range.
Three clearly packaged audit levels for your CI/CD pipeline and software supply chain: defined scope, transparent price range. You know up front what you'll get and what it costs — instead of seeing a five-figure quote after three consulting hours.
Your pipeline is the biggest attack vector today.
The solution
- Three clearly packaged CI/CD audit tiers with fixed-price ranges
- Findings prioritised by actual risk in your stack
- Concrete remediation plan with effort per item
- SBOM creation and supply-chain audit standard in the Standard and Deep tiers
- Optional: a follow-up quarterly re-audit to track progress
- Part of, or complementary to, DevSecOps as a Service
The problem
- CI/CD setup without a dedicated security review — every push could carry malicious code into production
- The build pipeline's sub-processor list is unknown or incomplete
- Secrets in CI variables instead of in a vault
- No SBOM, no supply-chain review, no idea what's inside the image
- For incidents like the Bitwarden CLI risk: no ability to respond
Three CI/CD audit packages, one clear frame
You pick the depth, we deliver the scope. Every package has fixed contents and a price range we confirm in writing before the engagement starts.
Deep audit
Complex pipeline landscapes, regulatory requirements (BaFin, KRITIS, ISO 27001 with CI scope, EU CRA). 6–8 weeks. Includes penetration tests on multiple pipelines, SLSA conformance check, full threat modelling of the software supply chain, an emergency/restore drill with your team, and an audit-ready report.
Standard audit
Several pipelines or one central pipeline with complex architecture. 3–4 weeks. Includes full SBOM creation, sub-processor pen test, permission and role review, secret-vault check, supply-chain threat model, mini-penetration test on build runners.
Quick check
One CI/CD pipeline (e.g. a GitLab or GitHub Actions setup). 5–7 working days. Configuration review, secret scanning, sub-processor list with risk classification, automated vulnerability scans of the central build images. Result: a prioritised findings list, max. 12 pages, sorted clearly by effort.
How we think about security
Four posts from the blog that document our security approach — from supply-chain risks through CI/CD to architecture.
The 3-layer model
How we build platforms so that security is an architectural property and not something bolted on afterwards.
DevSecOps problems are decision problems
Why most security findings are resolved not by a new tool but by clear decisions.
Your CI pipeline is the biggest entry point
Why the CI pipeline is the most important security perimeter today — and what we look at first in every audit.
Bitwarden CLI incident from 22 April 2026
When your own password manager turns into a supply-chain risk — a concrete incident showing why sub-processor scrutiny is mandatory.
Clear scope. Clear price range. Findings you can act on.
Often used together.
Which audit package fits your situation?
In 30 minutes we'll work out which package sensibly covers your CI/CD risks — and which would be overkill. You then get a concrete proposal with a price range, not an “it depends”. Free of charge, no obligation.
Or write to us directly: kontakt@moselwal.de