What SOC 2 evidence do I need for a GitHub-based CI/CD pipeline?

February 7, 2026 · 2 min read · SOC 2 for Specific Tech Stacks

Evidence for GitHub CI/CD

GitHub Actions with branch protection creates a natural SOC 2 audit trail. Here's everything you need:

Configuration Evidence

| Item | Where to Find It | SOC 2 Control |
| --- | --- | --- |
| Branch protection rules | Settings → Branches → main | CC8.1 |
| Required reviewers | Branch protection → Require PR reviews | CC8.1 |
| Required status checks | Branch protection → Require status checks | CC8.1 |
| Force push prevention | Branch protection → Do not allow force pushes | CC8.1 |
| GitHub Actions workflows | .github/workflows/*.yml files | CC8.1 |
| Organization 2FA | Settings → Authentication security | CC6.1 |
| Member permissions | Settings → Member privileges | CC6.1 |

Population Evidence (Type II)

Auditors will sample 20-25 merged PRs from the audit period. Each should show:

  1. PR description — What changed and why
  2. Reviewer approval — At least one approving review from someone other than the author
  3. CI checks passing — GitHub Actions status checks green
  4. Merge to main — The PR was merged (not committed directly)

GitHub Actions Workflow Best Practices

Your GitHub Actions workflow should include at minimum:

  • Linting or type checking
  • Unit tests
  • Build verification

Document the workflow file itself as evidence — it shows what checks run on every PR.

Common Gaps

  • Admin bypass enabled: Branch protection allows admins to bypass rules. Disable this.
  • No CI on PRs: GitHub Actions only runs on push to main, not on PR. Configure it to run on pull_request events.
  • Missing test coverage: Having a CI workflow that only builds (no tests) weakens the evidence.
  • Direct commits: Any commits directly to main without a PR will show up in audit sampling.
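The four population-evidence items listed earlier, plus the direct-commit gap above, as a checker run over constructed PR records. This is an added example, not code from the original article; the record shape is a simplified assumption rather than the GitHub API's own schema, so feeding it real PR data would need a small adapter.

```python
# Constructed sample records (not real GitHub API output); the field names are a
# simplified assumption holding just what the four population-evidence items need.
SAMPLE_PRS = [
    {"number": 101, "author": "alice", "base": "main", "merged": True,
     "body": "Add rate limiting to the login endpoint; brute-force attempts seen in logs.",
     "reviews": [{"user": "bob", "state": "APPROVED"}],
     "checks": [{"name": "lint", "conclusion": "success"},
                {"name": "test", "conclusion": "success"}]},
    {"number": 102, "author": "carol", "base": "main", "merged": True,
     "body": "",                                            # no description
     "reviews": [{"user": "carol", "state": "APPROVED"}],  # self-approval only
     "checks": [{"name": "build", "conclusion": "failure"}]},
]

# Constructed commits on main; "pr" is the PR number the merge came from, or
# None when the commit was pushed straight to main without a PR.
SAMPLE_MAIN_COMMITS = [
    {"sha": "c1", "pr": 101},
    {"sha": "c2", "pr": 102},
    {"sha": "c3", "pr": None},
]

def evaluate_pr(pr):
    """Return the evidence gaps for one sampled PR; an empty list means all four items are present."""
    gaps = []
    if not pr.get("body", "").strip():
        gaps.append("no PR description")
    # Approval must come from someone other than the author: self-approval is not a real review.
    independent = [r for r in pr["reviews"]
                   if r["state"] == "APPROVED" and r["user"] != pr["author"]]
    if not independent:
        gaps.append("no approving review from someone other than the author")
    # A PR with no checks is as weak as one with a failing check: nothing was verified.
    if not pr["checks"] or any(c["conclusion"] != "success" for c in pr["checks"]):
        gaps.append("CI status checks not all green")
    if not (pr["merged"] and pr["base"] == "main"):
        gaps.append("not merged to main")
    return gaps

def audit_sample(prs):
    """Map each PR number to its gaps; auditors expect every value to be an empty list."""
    return {pr["number"]: evaluate_pr(pr) for pr in prs}

def find_direct_commits(commits):
    """Return the SHAs of commits on main that did not arrive through a PR."""
    return [c["sha"] for c in commits if c["pr"] is None]
```

Running this over a real audit sample turns the "sample 20-25 PRs" exercise into a report you can review before the auditor does.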

Emergency Change Process

Document a process for hotfixes that bypass normal CI/CD:

  1. Direct deploy with documented justification
  2. Post-deployment PR created within 24 hours
  3. Retroactive review and approval
  4. Incident documented in your change log
