PipelineConductor is a multi-repo CI/CD pipeline orchestration and compliance system designed to manage 600+ repositories across multiple GitHub organizations. It provides centralized policy enforcement, automated compliance scanning, and remediation capabilities through automated pull requests.
Organizations with hundreds of repositories face significant challenges:
- Inconsistent CI/CD: Each repo has snowflake pipelines with duplicated logic
- Policy drift: Security and compliance requirements are inconsistently applied
- Manual overhead: Keeping pipelines synchronized requires constant manual effort
- Scaling pain: Adding new languages, tools, or requirements means touching every repo
- Audit complexity: No centralized view of compliance status across repos
PipelineConductor implements a three-layer architecture:
- Policy & Orchestration (org-wide): Centralized policy definitions and compliance rules
- Reusable Workflows (language/stack specific): Shared CI/CD building blocks
- Thin Repo-Level Config: Minimal YAML (~15 lines) with no logic
"Repos describe what they are. Org CI decides how they're built. Security lives centrally."
If repos contain CI logic, the architecture has failed.
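As an added illustration of the third layer (written for this page, not a file shipped with PipelineConductor), here is what a thin repo-level workflow looks like when the repo only states what it is and delegates everything else to an org-level reusable workflow. The org name `example-org`, the central repo `ci-workflows`, the reusable workflow's inputs `language` and `profile`, and the pinned commit SHA are all hypothetical.

```yaml
# .github/workflows/ci.yml in a leaf repository (added example; names are hypothetical)
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the caller's GITHUB_TOKEN. A called reusable workflow can only
# narrow the permissions it receives from the caller, never widen them, so this line
# is the ceiling for everything the org-level workflow does in this repo.
permissions:
  contents: read

jobs:
  go:
    # All build logic lives in the org's central CI repo. Pin the ref to a commit SHA,
    # not a branch or tag: whoever can move the ref controls every build that calls it.
    uses: example-org/ci-workflows/.github/workflows/go.yml@0123456789abcdef0123456789abcdef01234567
    with:
      language: go
      profile: modern   # the profile, not this file, decides the Go/OS matrix
    secrets: inherit
```

The check against the rule above is mechanical: this file has no `run:` steps and no `steps:` at all. If a review finds either in a leaf repo, logic has leaked out of the org layer. The `secrets: inherit` line is deliberate convenience with a cost: the central workflow sees every secret the repo can see, so the central repo needs the same review and branch-protection discipline as production code.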
| User | Needs |
|---|---|
| Platform Engineers | Manage CI/CD at scale, enforce consistency |
| Security Teams | Ensure compliance, audit policy adherence |
| Developers | Simple onboarding, minimal CI maintenance |
| DevOps/SRE | Reliable builds, predictable pipelines |
- Scan repositories across multiple GitHub organizations
- Support scheduled scans (weekly/monthly) and on-demand execution
- API-first discovery with selective git inspection: collect repository metadata through the GitHub API and only fetch git contents (such as workflow files) when a policy needs them
- Generate compliance reports (JSON, SARIF, Markdown, CSV)
- Define CI/CD policies using Cedar policy language
- Support policy profiles (default, modern, legacy)
- Evaluate policies against collected repository context
- Provide clear allow/deny decisions with explanations
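An added example of the kind of Cedar policy set the orchestration layer would evaluate against a collected repository context (written for this page; not a policy that ships with the project). The entity types `Repo`, `Action` and `Workflow`, the action name `runWorkflow`, and the context attributes `profile`, `goVersions` and `allActionsPinned` are assumptions about how the collector shapes the request.

```cedar
// Added example: org-level Cedar policies for a CI context.
// Entity types and context attribute names are assumptions, not the project's schema.
//
// Request the collector is assumed to build for one repository:
//   principal: Repo::"example-org/widgets"
//   action:    Action::"runWorkflow"
//   resource:  Workflow::"ci"
//   context:   { "profile": "modern",
//                "goVersions": ["1.24", "1.25"],
//                "allActionsPinned": true }

// "modern" profile: the repo's matrix must cover every Go version the org supports.
// The `has` guards keep a missing attribute from becoming an evaluation error.
@id("modern-profile-matrix")
permit (
    principal,
    action == Action::"runWorkflow",
    resource == Workflow::"ci"
)
when {
    context has profile && context.profile == "modern" &&
    context has goVersions && context.goVersions.containsAll(["1.24", "1.25"])
};

// "legacy" profile: older toolchains are allowed, but the profile, not the repo,
// decides which ones (the orchestration layer fills in goVersions).
@id("legacy-profile")
permit (
    principal,
    action == Action::"runWorkflow",
    resource == Workflow::"ci"
)
when { context has profile && context.profile == "legacy" };

// Supply-chain guardrail: any action referenced by a branch or tag instead of a
// commit SHA denies the run, whatever the profile. A matching forbid overrides
// every permit in Cedar, so adding another permit cannot bypass it.
@id("require-pinned-actions")
forbid (
    principal,
    action == Action::"runWorkflow",
    resource
)
unless { context has allActionsPinned && context.allActionsPinned };
```

Two properties of Cedar make it fit the allow/deny-with-explanation requirement above. The decision is Deny unless at least one permit matches and no forbid matches, so a repo on an unknown profile is denied by default rather than waved through. And the diagnostics returned alongside the decision name the policies that fired, so a report can say "denied by require-pinned-actions" instead of just "denied".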
- Generate pull requests to fix policy violations
- Support dry-run mode for preview
- Batch remediation across multiple repos
- Track remediation status and outcomes
- Multi-platform builds: macOS, Ubuntu, Windows
- Multi-version Go matrix: 1.24, 1.25 (configurable)
- Legacy Go support (1.12+) via profiles
- Integration with golangci-lint, go test, go build
- Support Mend Renovate for consolidated PRs
- Policy-based auto-merge: merge only when tests pass and the dependency release is older than a configured minimum age (a version published hours ago has had little time to be identified as compromised or yanked)
- Vulnerability scanning integration
- Dependency freshness tracking
- Compliance dashboard data (JSON output)
- SARIF output for GitHub Security tab integration
- Historical tracking of compliance status
- Exception/waiver tracking
- Handle 600+ repositories
- Support multiple GitHub organizations
- Efficient API usage with rate limiting awareness
- Language-agnostic core architecture
- Pluggable collectors (GitHub, GitLab)
- Extensible policy framework
- Read-only operations by default
- Explicit opt-in for remediation PRs
- No secrets in policy definitions
- Audit trail for all actions
- Simple CLI interface
- GitHub Actions integration
- Minimal configuration for repos
- Clear error messages and remediation guidance
| Metric | Target |
|---|---|
| Repos with compliant CI | >95% |
| Average policy evaluation time | <30s per repo |
| Automated remediation success rate | >90% |
| Time to onboard new repo | <5 minutes |
| Policy change rollout time | <1 hour org-wide |
- Must work with GitHub Actions (GitLab support later)
- Cedar policy language (not OPA/Rego for CI/CD)
- Go as primary implementation language
- Open source platform, policies can be public or private
- Kubernetes/infrastructure policy (use OPA for that)
- Real-time pipeline blocking (advisory mode first)
- Non-GitHub platforms (GitLab in future)
- Languages other than Go (Phase 2+)
- cedar-go - Cedar policy evaluation
- GitHub API v4 (GraphQL) and v3 (REST)
- GitHub Actions for execution environment
| Term | Definition |
|---|---|
| Profile | Named configuration for CI matrix (Go versions, OS platforms) |
| Policy | Cedar rule defining allowed/denied CI actions |
| Collector | Component that gathers repo metadata from APIs |
| Remediator | Component that generates fix PRs |
| Context | Structured data about a repo passed to Cedar for evaluation |