
Compliance as code for federal DevSecOps. Now accepting design partners

REAEGIS
Delivery & enforcement

RAMPART

Enforce security and compliance controls across delivery pipelines and deployments. Every commit is evaluated against 9 security gates before it ships — and every decision becomes evidence.

The problem

Security findings don't block delivery

Remediation happens without authorization. CI/CD gates are inconsistent or bypassable. RAMPART integrates with your pipelines to evaluate each deployment against configured policy rules, route changes through the appropriate approval workflow, and maintain a complete audit trail of every gate decision. When exceptions are needed, it captures justification and tracks compensating controls.

RAMPART exists to enforce decisions — not suggest them.

Core capabilities

What it does

Policy gates

Delivery is blocked until policy conditions are met — no overrides, no out-of-band exceptions.

  • PASS / WARN / FAIL / BLOCK decisions
  • Framework, environment, and risk-threshold aware
  • Exception workflow with compensating controls

Hardened baselines

Only approved, signed base images are allowed through the gate.

  • Image digest validation
  • Cosign signature verification
  • SBOM and build manifest capture

Approval workflows

Required before remediation or release, tiered by change risk.

  • Tier 1 auto-merge on green tests
  • Developer and ISSO signoff tiers
  • CAB quorum of 3 with digital signatures

Verification thresholds

Security scores enforced automatically against policy thresholds.

  • CM-3 / CM-4 mapped change control
  • Threshold breaches block the pipeline
  • Every decision recorded with rationale

Scanner adapters

Existing scanners become enforcement inputs, not parallel dashboards.

  • Grype, Syft, OpenSCAP native
  • SonarQube quality gates and Snyk results
  • ACAS/Nessus import path

OSCAL emitter

Machine-readable gate evidence, mapped to the NIST controls each gate satisfies.

  • Gate results as assessment evidence
  • Control mapping per gate
  • Published to CHRONICLE on every decision

How it works

Step-by-step lifecycle

  1. Pipeline event received
     The GitHub App, GitLab integration, or CI/CD webhook listener picks up the repository, PR/MR, branch, commit, or workflow event.
  2. Gates evaluated
     The gate policy engine executes compliance gates based on the selected framework, environment, and risk threshold.
  3. Scanner results ingested
     The adapter framework imports SonarQube quality gates, Snyk results, Grype scans, Syft SBOMs, OpenSCAP results, and ACAS/Nessus exports.
  4. Decision produced
     The decision service returns PASS, WARN, FAIL, or BLOCK. Non-compliant deployments stop here.
  5. Artifacts collected
     Build logs, SBOMs, scan outputs, container digests, deployment metadata, and result hashes are stored in the evidence vault.
  6. Evidence emitted
     The OSCAL emitter generates machine-readable gate evidence; the CHRONICLE publisher sends every decision to the immutable audit chain.

Example scenario

A critical CVE reaches the gate

A deployment carrying a critical dependency vulnerability hits the RAMPART gate. The pipeline blocks, the finding maps to its controls, and remediation starts — all before production.

Illustrative example. Not real customer data.

Demo · Illustrative only

  • Gate · Image signature: Verified (PASS)
  • Gate · CVE scan (Grype): CVE-2026-21412 critical (FAIL)
  • Decision: Deployment stopped (BLOCK)
  • Controls mapped: SI-2, RA-5, SI-3 (NIST)
  • Remediation: MR raised by ADVERSARIUS (Tier 1)
  • Audit record: Anchored to Rekor (SIGNED)

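The lifecycle and the scenario above, as an added illustration in Python (not RAMPART's own code): two gates are evaluated from a constructed Grype-style scan and a cosign verification outcome, an assumed per-environment threshold table turns the worst finding into PASS/WARN/FAIL, the decision service aggregates to PASS/WARN/BLOCK, and the record is hashed the way an evidence vault would store it. The SI-2/RA-5/SI-3 mapping is the one shown in the scenario; the CM-14 mapping for the signature gate and the threshold values are assumptions.

```python
import hashlib
import json

# Constructed Grype-style scan output (not a real scan): one critical, one medium.
GRYPE_SCAN = {"matches": [
    {"vulnerability": {"id": "CVE-2026-21412", "severity": "Critical"},
     "artifact": {"name": "example-lib", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Medium"},
     "artifact": {"name": "other-lib", "version": "4.5.6"}},
]}
# Assumed per-environment risk thresholds: worst severity -> gate result.
THRESHOLDS = {
    "production": {"Critical": "FAIL", "High": "FAIL", "Medium": "WARN"},
    "development": {"Critical": "WARN", "High": "WARN"},
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

def cve_gate(scan, environment):
    """Apply the environment's threshold to the worst finding in a Grype scan."""
    policy = THRESHOLDS[environment]
    ranked = sorted(scan["matches"],
                    key=lambda m: SEVERITY_ORDER.index(m["vulnerability"]["severity"]))
    worst = ranked[0]["vulnerability"] if ranked else None
    return {"gate": "CVE scan (Grype)",
            "result": policy.get(worst["severity"], "PASS") if worst else "PASS",
            "rationale": f"{worst['id']} {worst['severity'].lower()}" if worst else "no findings",
            "controls": ["SI-2", "RA-5", "SI-3"]}  # mapping taken from the scenario above

def signature_gate(cosign_verified):
    """Turn a cosign verification outcome into a gate result (CM-14: assumed mapping)."""
    return {"gate": "Image signature", "result": "PASS" if cosign_verified else "FAIL",
            "rationale": "Verified" if cosign_verified else "unsigned or untrusted image",
            "controls": ["CM-14"]}

def decide(gates):
    """Decision service: any FAIL blocks the deployment; any WARN alone warns."""
    results = {g["result"] for g in gates}
    decision = "BLOCK" if "FAIL" in results else "WARN" if "WARN" in results else "PASS"
    # Controls mapped to the decision come from the gates that did not pass cleanly.
    controls = sorted({c for g in gates if g["result"] != "PASS" for c in g["controls"]})
    record = {"decision": decision, "gates": gates, "controls_mapped": controls}
    # Result hash over the canonical record: what an evidence vault would store and anchor.
    record["result_hash"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record

def evaluate(scan=GRYPE_SCAN, environment="production", cosign_verified=True):
    """Run both gates for one pipeline event and return the decision record."""
    return decide([signature_gate(cosign_verified), cve_gate(scan, environment)])
```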
Audit output

What RAMPART generates

  • Gate decision logs (allow / block)
  • Remediation authorization records
  • Hardened build manifests
  • Verification enforcement logs
  • Customer pull request packages
  • OSCAL gate evaluation evidence

The boundary

RAMPART never deploys to customer production.

Customers own execution. RAMPART enforces policy. Approved changes are packaged and handed off to your CI/CD across an explicit trust boundary — control stays with REAEGIS, execution stays with you.

Get started

Authorization is not a destination. It is a system property.

REAEGIS is the infrastructure that maintains it — converting every commit, scan, and approval into evidence your Authorizing Official can act on.
