Case file SS-03
Policy-led CI/CD compliance at HMRC
Moving compliance into the delivery path for a multi-tenant EKS platform while cutting runner cost and release administration.
- −70%CI runner cost
- 15 secrelease notes reduced from four to six hours
The brief
HMRC’s platform teams needed to serve multiple delivery groups without turning every control into a manual approval queue. The work combined an EKS platform model with policy-led CI/CD, hardened build foundations and faster release administration.
The objective was practical compliance: controls that ran early enough to guide engineers, produced evidence consistently and did not make the secure path the slow path.
Compliance as executable policy
OPA and Conftest moved platform rules into version-controlled tests. Teams received feedback in the pipeline, before a non-compliant change reached a shared environment. The same policy approach helped maintain tenant boundaries while keeping the platform reusable.
Hardened images and delivery controls aligned the platform with PCI and CIS expectations. Rather than relying on a separate document to describe the desired state, the build and release path generated evidence of the state being delivered.
Removing delivery drag
The runner model was rationalised around the shared platform and its actual workload. That reduced CI runner cost by 70% while preserving the isolation and governance the environment required.
Release-note generation was automated from the delivery record. A process that had taken four to six hours was reduced to about fifteen seconds, removing repetitive administration and making the output consistent between releases.
Result
The platform left teams with a clearer contract: compliant defaults, policy feedback inside CI and less manual work at release time. Cost reduction did not come from relaxing controls; it came from making the controlled route repeatable.