
Defense Software Factory Pipeline on DoD Cloud One

Updated April 2026 · 7 min read

The Department of Defense's Platform One initiative represents the most significant shift in how DoD software programs acquire and operate engineering infrastructure in decades. Rather than each program building its own CI/CD tooling, Platform One provides a shared, ATO'd software factory that programs can leverage with dramatically reduced compliance overhead.

But shared infrastructure doesn't mean programs get everything for free. Building mission software that operates effectively within the Platform One ecosystem — using Iron Bank containers, integrating with Big Bang, and generating cATO evidence — requires engineering maturity that many program teams are still developing.

Rutagon delivers fully operational software factory integrations as a delivery artifact, not just advisory documents.

The DoD Software Factory Architecture

A defense software factory combines three operational layers:

  1. Pipeline infrastructure — GitLab CI, Tekton, or Jenkins running in the program's Kubernetes environment
  2. Container registry — Iron Bank (Platform One) as the source for hardened base images; program registry for built artifacts
  3. Security automation — integrated SAST, DAST, container scanning, SBOM generation, and ATO evidence collection

These layers operate continuously: every code commit triggers the full security gate sequence, and the results feed directly into continuous monitoring (ConMon) as evidence without manual intervention.

Pipeline Architecture on Cloud One

Cloud One's Infrastructure-as-a-Service provides the compute. The pipeline runs on Kubernetes, using GitLab Runners on EKS or Cloud One's managed runner infrastructure:

# .gitlab-ci.yml — Production defense software factory pipeline
stages:
  - validate
  - build
  - test
  - security
  - package
  - sign
  - deploy-staging
  - integration-test
  - sign-off
  - deploy-production

variables:
  IRON_BANK_REGISTRY: "registry1.dso.mil/ironbank"
  PROGRAM_REGISTRY: "$CI_REGISTRY"
  IMAGE_NAME: "$CI_REGISTRY_IMAGE"
  KUBE_NAMESPACE: "mission-${CI_ENVIRONMENT_SLUG}"
  # Base image named by tag here; the validate stage verifies it and pins the digest actually built from
  BASE_IMAGE: "$IRON_BANK_REGISTRY/redhat/ubi/ubi9:latest"
  # GitLab's documented docker:dind setting: TLS between the docker client and the daemon
  DOCKER_TLS_CERTDIR: "/certs"

# Validate stage — input validation before expensive operations
validate:code:
  stage: validate
  image: $IRON_BANK_REGISTRY/opensource/python/python:3.12
  script:
    # Vendored wheels only: the factory has no egress to PyPI
    - pip install --no-index --find-links ./vendor -r requirements.txt
    - python -m compileall -q .
    - python -m flake8 --max-line-length=120 .
  rules:
    - if: $CI_COMMIT_BRANCH

# Validate stage — verify the Iron Bank base image signature and pin its digest.
# Iron Bank signs images with a cosign key pair (not keyless identities), so verification
# is by public key: IRON_BANK_COSIGN_PUBKEY is a file-type CI variable holding the key
# published in the Iron Bank documentation. Keep the verify line in step with the
# invocation Iron Bank documents (including any transparency-log flags).
validate:base-image:
  stage: validate
  image: $IRON_BANK_REGISTRY/opensource/cosign/cosign:latest
  script:
    - |
      cosign verify --key "$IRON_BANK_COSIGN_PUBKEY" "$BASE_IMAGE" > base-verify.json
      # The verified payload names the manifest digest. Build from that digest, not the
      # tag, so the image built is exactly the image whose signature was checked.
      BASE_DIGEST=$(grep -o 'sha256:[0-9a-f]\{64\}' base-verify.json | head -n1)
      test -n "$BASE_DIGEST"
      echo "BASE_IMAGE_DIGEST=${BASE_IMAGE%:*}@${BASE_DIGEST}" > base.env
  artifacts:
    reports:
      dotenv: base.env
    paths:
      - base-verify.json   # ATO evidence: base image signature verification
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_BRANCH

# Build stage — Iron Bank base image, no root
build:image:
  stage: build
  image: $IRON_BANK_REGISTRY/opensource/docker/docker:24.0
  services:
    # "docker:dind" resolves to Docker Hub; substitute the Iron Bank dind image (its
    # registry1 path is not shown here) so the service honours the same registry policy
    - docker:dind
  script:
    - |
      echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

      # Build application image from the verified Iron Bank digest. The Dockerfile must
      # begin with "ARG BASE_IMAGE" / "FROM ${BASE_IMAGE}" and switch to a non-root USER.
      docker build \
        --build-arg BASE_IMAGE="$BASE_IMAGE_DIGEST" \
        --label "git.commit=$CI_COMMIT_SHA" \
        --label "git.ref=$CI_COMMIT_REF_NAME" \
        --label "build.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        -t "$IMAGE_NAME:$CI_COMMIT_SHA" .

      docker push "$IMAGE_NAME:$CI_COMMIT_SHA"

      # Record the pushed digest: later stages scan, sign and promote by digest, never by tag
      IMAGE_DIGEST=$(docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE_NAME:$CI_COMMIT_SHA" | cut -d@ -f2)
      echo "IMAGE_DIGEST=$IMAGE_DIGEST" > build.env
  artifacts:
    reports:
      dotenv: build.env

# Security gate — MUST pass before sign/deploy
security:scan:
  stage: security
  image: $IRON_BANK_REGISTRY/opensource/aquasec/trivy:latest
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    # Disconnected factories: mirror the vulnerability DB and add --skip-db-update
  script:
    - |
      # GitLab-format report for the merge request and security dashboard (GitLab does
      # not ingest SARIF for container_scanning); template path as in the upstream image
      trivy image --format template --template "@/contrib/gitlab.tpl" \
        --output gl-container-scanning-report.json "$IMAGE_NAME@$IMAGE_DIGEST"

      # SARIF copy kept as ATO evidence — fail the gate on CRITICAL or HIGH findings
      trivy image \
        --format sarif \
        --output trivy-results.sarif \
        --severity CRITICAL,HIGH \
        --exit-code 1 \
        "$IMAGE_NAME@$IMAGE_DIGEST"
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json
    paths:
      - trivy-results.sarif
    expire_in: 90 days  # ATO evidence retention

security:sast:
  stage: security
  image: $IRON_BANK_REGISTRY/opensource/semgrep/semgrep:latest
  script:
    - |
      # "p/" rulesets are fetched from the Semgrep registry (and --config=auto also sends
      # project metadata to it); mirror the rules into the repo in a disconnected factory
      semgrep scan --config=p/owasp-top-ten --gitlab-sast --output=gl-sast-report.json .
      semgrep scan \
        --config=p/owasp-top-ten \
        --sarif \
        --output=semgrep-results.sarif \
        --error \
        .
  artifacts:
    when: always
    reports:
      sast: gl-sast-report.json
    paths:
      - semgrep-results.sarif
    expire_in: 90 days

security:sbom:
  stage: security
  image: $IRON_BANK_REGISTRY/opensource/anchore/syft:latest
  variables:
    SYFT_REGISTRY_AUTH_AUTHORITY: $CI_REGISTRY
    SYFT_REGISTRY_AUTH_USERNAME: $CI_REGISTRY_USER
    SYFT_REGISTRY_AUTH_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - |
      # SBOM of the exact image that was scanned; it is attested in the sign stage,
      # where the signing key is available
      syft "$IMAGE_NAME@$IMAGE_DIGEST" -o spdx-json=sbom.json
  artifacts:
    paths:
      - sbom.json
    expire_in: 90 days

# Sign stage — only after all security gates pass
sign:image:
  stage: sign
  image: $IRON_BANK_REGISTRY/opensource/cosign/cosign:latest
  # COSIGN_PRIVATE_KEY: path from a file-type CI variable, or a KMS URI such as
  # awskms:///alias/<key-alias> so the private key never leaves the HSM. A file-based
  # key also needs COSIGN_PASSWORD as a masked variable.
  script:
    - |
      cosign login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"

      # Sign by digest: a tag can be re-pointed after signing, a digest cannot.
      # --tlog-upload=false because the factory has no egress to the public Rekor; point
      # --rekor-url at a private instance if transparency-log evidence is required.
      cosign sign --yes --key "$COSIGN_PRIVATE_KEY" --tlog-upload=false "$IMAGE_NAME@$IMAGE_DIGEST"

      # Attach the SBOM from the security stage as an attestation bound to the same digest
      cosign attest --yes --key "$COSIGN_PRIVATE_KEY" --tlog-upload=false \
        --type spdxjson --predicate sbom.json "$IMAGE_NAME@$IMAGE_DIGEST"

      # Tag as release-ready: cosign copy carries the signature and attestations with the image
      cosign copy --force "$IMAGE_NAME@$IMAGE_DIGEST" "$IMAGE_NAME:$CI_COMMIT_REF_SLUG-latest"
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_BRANCH =~ /^release-/
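The gate policy that the security stage enforces, written out as an added example (this is not Rutagon's or Platform One's code): it reads the SARIF files the trivy and semgrep jobs write, normalises severity, honours documented risk acceptances that carry an expiry date, and returns the pass/fail decision together with the summary an evidence archiver would store under RA-5. The SARIF documents, rule identifiers and POA&M entries below are constructed placeholders; the severity mapping (a CVSS-style `security-severity` score first, then a severity tag, then the SARIF `level`) and the shape of the accepted-risk list are assumptions about scanner output and program process, not something the page states.

```python
# sarif_gate.py -- security-gate policy over the SARIF artifacts (added example)
import json
from datetime import date

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
LEVEL_TO_SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "UNKNOWN"}


def score_to_severity(score: float) -> str:
    """Bucket a CVSS-style 'security-severity' score (the convention trivy's SARIF uses)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def severity_of(rule: dict, result: dict) -> str:
    """Severity of one result: numeric score first, then a severity tag, then the SARIF level."""
    props = rule.get("properties", {})
    if props.get("security-severity") is not None:
        return score_to_severity(float(props["security-severity"]))
    for tag in props.get("tags", []):
        if tag.upper() in SEVERITIES:
            return tag.upper()
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
    return LEVEL_TO_SEVERITY.get(level, "UNKNOWN")


def load_findings(sarif: dict) -> list:
    """Flatten one SARIF log into {tool, rule, severity, location} records."""
    findings = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            locs = result.get("locations", [])
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "") if locs else ""
            findings.append({"tool": driver.get("name", "?"), "rule": rule_id,
                             "severity": severity_of(rules.get(rule_id, {}), result), "location": uri})
    return findings


def evaluate_gate(findings: list, accepted_risks: list, today, fail_on=("CRITICAL", "HIGH")):
    """Apply the gate: CRITICAL/HIGH blocks unless a non-expired POA&M entry accepts its rule id.

    Returns (passed, summary); the summary is what the evidence archiver stores under RA-5.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    active = {a["rule"]: a["poam"] for a in accepted_risks
              if date.fromisoformat(a["expires"]) >= today}   # expired acceptances do not count
    summary = {"as_of": today.isoformat(), "counts": {}, "blocking": [], "accepted": []}
    for f in findings:
        summary["counts"][f["severity"]] = summary["counts"].get(f["severity"], 0) + 1
        if f["severity"] not in fail_on:
            continue
        if f["rule"] in active:
            summary["accepted"].append({**f, "poam": active[f["rule"]]})
        else:
            summary["blocking"].append(f)
    return not summary["blocking"], summary


def gate_from_files(paths, accepted_risks, today=None):
    """Read the SARIF artifacts the scan jobs wrote and run the gate over all of them."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings.extend(load_findings(json.load(fh)))
    return evaluate_gate(findings, accepted_risks, today or date.today())


# Constructed sample inputs: not real scanner output, identifiers are placeholders.
SAMPLE_TRIVY = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "EXAMPLE-VULN-A", "properties": {"security-severity": "9.8", "tags": ["vulnerability", "CRITICAL"]}},
        {"id": "EXAMPLE-VULN-B", "properties": {"security-severity": "5.5", "tags": ["vulnerability", "MEDIUM"]}}]}},
    "results": [
        {"ruleId": "EXAMPLE-VULN-A", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "usr/lib64/libexample.so"}}}]},
        {"ruleId": "EXAMPLE-VULN-B", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "usr/lib64/libother.so"}}}]}]}]}
SAMPLE_SEMGREP = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Semgrep", "rules": [
        {"id": "example.sqli-string-concat", "defaultConfiguration": {"level": "error"},
         "properties": {"tags": ["security"]}}]}},
    "results": [{"ruleId": "example.sqli-string-concat", "level": "error",
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]}]}]}
# Constructed POA&M entries: EXAMPLE-VULN-A has a documented, unexpired risk acceptance
ACCEPTED = [{"rule": "EXAMPLE-VULN-A", "poam": "POAM-0001", "expires": "2026-12-31"}]

if __name__ == "__main__":
    all_findings = load_findings(SAMPLE_TRIVY) + load_findings(SAMPLE_SEMGREP)
    passed, report = evaluate_gate(all_findings, ACCEPTED, "2026-04-01")
    print(json.dumps({"passed": passed, **report}, indent=2))
    raise SystemExit(0 if passed else 1)   # a non-zero exit fails the GitLab job
```

With the samples above the accepted CRITICAL is recorded but does not block, while the HIGH SAST finding with no acceptance fails the gate; the same acceptance past its expiry date is ignored, which is what keeps a stale POA&M from silently waving findings through in a later ConMon period.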

Iron Bank Container Integration

Iron Bank (Platform One's hardened container registry) is the DoD-approved source for base images. Every container in a defense software factory originates from Iron Bank — not Docker Hub, not public ECR, not Google Container Registry.

Iron Bank advantages:

  • Container images are continuously hardened against DISA STIGs
  • CVE triage and patch cadence is managed by Platform One, not the program
  • Images are signed and the signing provenance is verifiable
  • Using Iron Bank images reduces the program's container scanning burden: Platform One triages and justifies upstream CVEs in the base image, while the program remains responsible for findings in the layers it adds

Iron Bank selection process for base images:

  1. Check available images at registry1.dso.mil/ironbank/ for your technology stack
  2. If your base image exists in Iron Bank → use it, verify the signature in CI
  3. If it doesn't exist → submit an Iron Bank contribution request, or use the closest available base and build up from it
  4. Never use Docker Hub images directly — wrap them through Iron Bank or replace with Iron Bank equivalents
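A mechanical check for steps 2 through 4, as an added example (not Rutagon's or Iron Bank's tooling): it parses a Dockerfile, resolves `ARG` defaults and `--build-arg` overrides, and fails any `FROM` that is not an earlier build stage, `scratch`, or a pinned image under the registry1.dso.mil/ironbank prefix, plus a final stage that never drops root. The sample Dockerfiles, the `9.4` tag and the build-arg values are constructed; the registry prefix is the one this page names.

```python
# dockerfile_base_policy.py -- every FROM must resolve to a pinned Iron Bank image (added example)
import re

IRON_BANK_PREFIX = "registry1.dso.mil/ironbank/"

ARG_RE = re.compile(r"^ARG\s+([A-Za-z_]\w*)(?:=(.*))?$", re.I)
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?$", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
VAR_RE = re.compile(r"\$(?:\{(\w+)(?::-([^}]*))?\}|(\w+))")


def logical_lines(text: str):
    """Yield (lineno, instruction): comments dropped, backslash continuations joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def expand(value: str, args: dict) -> str:
    """Substitute $VAR, ${VAR} and ${VAR:-default}; names with no value are left unexpanded."""
    def sub(m):
        name = m.group(1) or m.group(3)
        if args.get(name):
            return args[name]
        if m.group(2) is not None:
            return m.group(2)
        return m.group(0)            # left as-is so the caller can flag it
    return VAR_RE.sub(sub, value)


def check_dockerfile(text: str, build_args=None) -> list:
    """Return the list of policy violations; an empty list means the Dockerfile complies.

    Policy: every FROM names an earlier stage, 'scratch', or an Iron Bank image pinned by digest
    or a versioned tag; ARG references must resolve; the final stage must run as a non-root USER.
    """
    args = dict(build_args or {})        # --build-arg values take precedence over ARG defaults
    stages, violations, user = set(), [], None
    for n, line in logical_lines(text):
        if m := ARG_RE.match(line):
            args.setdefault(m.group(1), (m.group(2) or "").strip().strip('"'))
        elif m := FROM_RE.match(line):
            user = None                  # USER does not carry over into a new stage
            ref = expand(m.group(1), args)
            if m.group(2):
                stages.add(m.group(2).lower())
            if ref.lower() in stages or ref == "scratch":
                continue
            last = ref.rsplit("/", 1)[-1]
            if "$" in ref:
                violations.append(f"line {n}: '{m.group(1)}' does not resolve (missing ARG or --build-arg)")
            elif not ref.startswith(IRON_BANK_PREFIX):
                violations.append(f"line {n}: '{ref}' is not from Iron Bank")
            elif "@sha256:" not in ref and (":" not in last or ref.endswith(":latest")):
                violations.append(f"line {n}: '{ref}' is not pinned (use a digest or a versioned tag)")
        elif m := USER_RE.match(line):
            user = m.group(1)
    if user is None or user.split(":")[0] in ("root", "0"):
        violations.append("final stage runs as root (no non-root USER)")
    return violations


# Constructed sample Dockerfiles (placeholders, not program code)
GOOD_DOCKERFILE = """\
ARG BASE_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4
FROM ${BASE_IMAGE} AS builder
COPY . /src
RUN pip install --no-index --find-links /src/vendor \\
        -r /src/requirements.txt

FROM ${BASE_IMAGE}
COPY --from=builder /src /app
USER 1001
ENTRYPOINT ["python", "/app/main.py"]
"""

BAD_DOCKERFILE = """\
FROM python:3.12 AS builder
FROM ${UNDECLARED}
FROM registry1.dso.mil/ironbank/redhat/ubi/ubi9:latest
COPY --from=builder /src /app
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        problems = check_dockerfile(text)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it in the validate stage with the same `--build-arg` values the build job passes (a digest-pinned `BASE_IMAGE` satisfies the pin rule), so a Dockerfile that quietly falls back to Docker Hub or to `:latest` is rejected before any image is built.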

cATO Evidence Generation

Continuous ATO (cATO) shifts authorization from point-in-time assessment to continuous monitoring with automated evidence collection. Rutagon's pipeline generates and archives all cATO-required evidence automatically:

# ato_evidence_archiver.py — runs as pipeline post-step
import hashlib
import json
from datetime import datetime, timedelta, timezone

import boto3


def build_evidence_package(pipeline_id: str, commit_sha: str, scan_results: dict,
                           s3_bucket: str, timestamp: str) -> dict:
    """
    Assemble the evidence record for one pipeline run, keyed by NIST SP 800-53 Rev 5
    control so the ATO package and ConMon reports can be built per control family.
    """
    return {
        "pipelineId": pipeline_id,
        "commitSha": commit_sha,
        "timestamp": timestamp,
        "evidence": {
            # RA-5: Vulnerability monitoring and scanning
            "ra5_container_scan": scan_results.get("trivy"),
            "ra5_sast": scan_results.get("semgrep"),
            "ra5_dependency_scan": scan_results.get("grype"),

            # SR-4: Provenance (SBOM + signed provenance). SA-12 from Rev 4 was withdrawn
            # in Rev 5 and folded into SR-3; SBOM and provenance evidence maps to SR-4.
            "sr4_sbom_location": f"s3://{s3_bucket}/sbom/{commit_sha}/sbom.json",
            "sr4_provenance_signature": scan_results.get("cosign_provenance"),

            # CM-14: Signed components
            "cm14_image_signature": scan_results.get("cosign_signature"),

            # SI-7: Software, firmware, and information integrity
            "si7_artifact_digest": scan_results.get("artifact_digest"),
        },
    }


def archive_pipeline_evidence(
    pipeline_id: str,
    commit_sha: str,
    scan_results: dict,
    s3_bucket: str,
    kms_key_id: str,
    region: str = "us-gov-west-1",     # Cloud One AWS GovCloud region
    retention_days: int = 3 * 365,     # must cover the ATO period plus subsequent ConMon cycles
) -> dict:
    """
    Archive all security scan results to the immutable evidence store.
    Returns the object key and the SHA-256 of the stored body for the pipeline log.
    """
    s3 = boto3.client("s3", region_name=region)
    now = datetime.now(timezone.utc)
    timestamp = now.isoformat()
    package = build_evidence_package(pipeline_id, commit_sha, scan_results, s3_bucket, timestamp)
    body = json.dumps(package, indent=2, sort_keys=True).encode("utf-8")
    key = f"ato-evidence/{timestamp[:10]}/{pipeline_id}/evidence.json"

    s3.put_object(
        Bucket=s3_bucket,
        Key=key,
        Body=body,
        ContentType="application/json",
        ServerSideEncryption="aws:kms",
        SSEKMSKeyId=kms_key_id,
        # Object Lock in COMPLIANCE mode: no principal, including the account root, can delete
        # or overwrite the record before the retain-until date. The bucket must have been
        # created with Object Lock enabled or these two parameters are rejected.
        ObjectLockMode="COMPLIANCE",
        ObjectLockRetainUntilDate=now + timedelta(days=retention_days),
    )

    digest = hashlib.sha256(body).hexdigest()
    print(f"ATO evidence archived for pipeline {pipeline_id}: s3://{s3_bucket}/{key} sha256={digest}")
    return {"key": key, "sha256": digest}

Evidence is archived with Object Lock — preserving the audit trail for the ATO package and subsequent ConMon periods.

Integration with Big Bang

Platform One's Big Bang is a declarative GitOps deployment of the DoD software baseline (Istio, Monitoring Stack, Jaeger, Twistlock/Prisma Cloud, etc.). Rutagon integrates program applications into Big Bang-managed clusters:

# Big Bang values override — program application integration.
# Program applications are declared under "packages" (Big Bang's wrapper mechanism for
# custom charts); "addons" is reserved for the Big Bang-curated add-ons such as Argo CD.
# Key names follow the package wrapper; confirm them against chart/values.yaml of the
# Big Bang release in use.
packages:
  missionApp:
    enabled: true
    git:
      repo: "https://gitlab.${PROGRAM_DOMAIN}/mission/chart.git"
      branch: main

    # Wrapper-level settings: inherit the Big Bang service mesh (Istio) and monitoring.
    # These sit beside "values", not inside it; anything under "values" goes to the
    # program's own chart, which knows nothing about Big Bang's Istio or monitoring keys.
    istio:
      enabled: true
      hardened:
        enabled: true

    monitoring:
      enabled: true

    values:
      image:
        repository: "${PROGRAM_REGISTRY}/mission-service"
        # RELEASE_TAG should be the tag the sign stage published for the signed digest;
        # a mutable tag with pullPolicy Always can drift from what was scanned and signed
        tag: "${RELEASE_TAG}"
        pullPolicy: Always
This integration means program services automatically inherit Big Bang's security baseline — Istio mTLS, centralized logging, and Twistlock runtime protection — without the program engineering team owning those components.


Defense software factories are a permanent delivery accelerator for programs operating under continuous authorization. Rutagon delivers factory implementations that generate ATO evidence from day one, reducing the authorization timeline from months to weeks. For programs evaluating the cATO pathway, the continuous ATO capabilities page provides the full framework.

Discuss software factory implementation for your program →

Frequently Asked Questions

Is a program required to use Platform One's shared services?

Platform One services (GitLab, Iron Bank, Big Bang) are the default choice for programs that can adopt them: the DoD Software Modernization Strategy (2022) and its 2023 implementation plan direct programs toward enterprise shared DevSecOps platforms rather than program-built tooling. Programs with classified systems above certain Impact Levels or with isolated mission requirements may use equivalent self-hosted implementations. Rutagon builds both Platform One-integrated and self-hosted factory configurations.

How does a software factory reduce ATO timeline?

Traditional ATO relies on point-in-time security assessments — a penetration test and documentation review before authorization. cATO-oriented software factories generate continuous evidence that the system meets its control baseline, replacing the point-in-time assessment with ongoing automated verification. Programs that have operated in a production cATO environment can demonstrate control satisfaction to a new authorizing official in days rather than months by providing the evidence archive.

What is the relationship between Iron Bank and Platform One?

Iron Bank is Platform One's hardened container registry — it's one component of the Platform One ecosystem. Platform One also includes Repo1 (source code management), Party Bus (CI/CD infrastructure), and Big Bang (GitOps application deployment). Programs can use Iron Bank without using all of Platform One, though tighter integration between components provides additional benefits.

How many security gates does a production defense software factory run per commit?

Rutagon's standard factory runs five security gate types per commit: SAST (static analysis), dependency scanning (open source vulnerability), container scanning (base image + application image), DAST (dynamic analysis against staging environment), and secrets detection. Each generates SARIF-format results archived as ATO evidence. High-severity findings break the pipeline — the commit cannot progress to production without remediation or documented risk acceptance.

Can a software factory serve multiple missions or programs?

Multi-tenant software factories are operationally efficient but require careful namespace isolation and access control to prevent cross-program data access. Rutagon implements per-program GitLab groups, per-program container registry namespaces, and per-program Kubernetes namespaces with strict RBAC — enabling a single factory infrastructure to serve multiple programs with strong isolation guarantees.