Benchmarking CI/CD Security Maturity for Container Build Pipelines

Your team added container scanning to the CI/CD pipeline six months ago. Is that good? Compared to what? Where are you relative to teams doing this well, and what should you be working on next?

Without a maturity model, security investment in CI/CD feels like guesswork. Here is the framework.


Why Maturity Models Matter for CI/CD Security

Security maturity models exist because “secure” is not a binary state. You are not simply secure or insecure; you are more mature or less mature, with a clear progression that defines what comes next.

For CI/CD container security specifically, the maturity progression is not well-documented. There are CIS benchmarks for containers and SLSA for supply chain, but no widely accepted maturity model for the build pipeline security practices that sit between them.

This is that model.

“Teams without a maturity framework spend their security budget on whatever the last vendor demo showed them. Teams with a framework spend it on the next level of capability.”


The Five-Level CI/CD Container Security Maturity Model

Level 1: No Automated Scanning

Characteristics: No scanner in the CI/CD pipeline. Security assessment happens ad-hoc, manually, or via external pen testing on a periodic basis.

Risk profile: Unknown CVE exposure in all images. Vulnerabilities accumulate until manually discovered.

Next step: Add a container scanner to your build pipeline. Any scanner. Start there.

Level 2: Scanning with Reporting

Characteristics: A container scanner runs in the pipeline and produces reports. No gate is enforced. Findings go to a security dashboard or are emailed to a distribution list.

Risk profile: Known CVE exposure, but no enforcement prevents vulnerable images from shipping. Reports are often ignored.

Next step: Establish a CVE gate. Start with Critical-severity only to avoid breaking too many builds immediately.

Level 3: Enforced CVE Gates

Characteristics: The pipeline blocks builds or deployments that exceed a defined CVE severity threshold. Engineers must remediate or get exceptions approved.

Risk profile: Significantly reduced. Vulnerable images must overcome a friction barrier before shipping.

Limitation: High false positive rate if the gate is applied to pre-hardening CVE counts. Teams may respond by setting thresholds too high to be meaningful.

Next step: Integrate automated hardening before the gate check. Apply the gate to post-hardening CVE counts.

Container security software with automated hardening capabilities moves you from Level 3 to Level 4.

Level 4: Automated Remediation in Pipeline

Characteristics: The pipeline automatically hardens images before applying the CVE gate. Unused components are removed automatically. The gate blocks only on residual CVEs in active code paths.

Risk profile: Substantially lower. The most common CVE category (unused components) is handled automatically. Engineers focus on the harder remediation cases.

Indicator metric: Track CVE reduction percentage between pre-hardening and post-hardening scan results. Mature Level 4 implementations typically achieve 60-90% reduction.

Next step: Add image signing, attestations, and runtime behavioral profiling.

Container image security with attestation capabilities completes this layer.
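The Level 3 gate and the Level 4 indicator metric above are easiest to see side by side. The following is an added example (not code from the original article or from any vendor): it assumes a generic scanner result shape (a JSON document with a list of findings carrying "id", "severity" and "package") rather than any specific tool's output, and the two scan results and the CVE identifiers in it are constructed placeholders. It applies a severity-threshold gate with an exception list to both the pre-hardening and the post-hardening scan, and computes the CVE reduction percentage between them.

```python
"""Severity-gated CVE check and pre/post-hardening reduction metric.

Added example, not from the original article. It assumes a generic
scanner result shape (a list of findings with "id", "severity", "package")
rather than any specific vendor's JSON. Both scan results are constructed.
"""
import json

# Severity ranking used for the gate threshold (assumed ordering, the usual
# qualitative CVSS-style scale).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed pre-hardening scan: the image still carries packages the
# application never loads (a toolchain, shell utilities), each with CVEs.
# CVE ids are placeholders, not real advisories.
PRE_HARDENING_SCAN = json.dumps({
    "image": "registry.example/app:1.4.2",  # placeholder image reference
    "findings": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "package": "unused-toolchain"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "package": "unused-toolchain"},
        {"id": "CVE-0000-0003", "severity": "HIGH", "package": "unused-shell-utils"},
        {"id": "CVE-0000-0004", "severity": "MEDIUM", "package": "unused-shell-utils"},
        {"id": "CVE-0000-0005", "severity": "HIGH", "package": "app-runtime"},
        {"id": "CVE-0000-0006", "severity": "LOW", "package": "app-runtime"},
    ],
})

# Constructed post-hardening scan: hardening removed the unused packages, so
# only findings in active code paths remain.
POST_HARDENING_SCAN = json.dumps({
    "image": "registry.example/app:1.4.2-hardened",
    "findings": [
        {"id": "CVE-0000-0005", "severity": "HIGH", "package": "app-runtime"},
        {"id": "CVE-0000-0006", "severity": "LOW", "package": "app-runtime"},
    ],
})


def parse_findings(scan_json):
    """Return the list of finding dicts from a scan result document."""
    return json.loads(scan_json)["findings"]


def gate(findings, threshold="CRITICAL", exceptions=()):
    """Level 3 gate: fail if any non-excepted finding is at or above threshold.

    `exceptions` holds CVE ids with an approved exception. Returns
    (passed, blocking_ids) so the pipeline can report what blocked the build.
    """
    min_rank = SEVERITY_RANK[threshold.upper()]
    excepted = set(exceptions)
    blocking = sorted(
        f["id"] for f in findings
        if SEVERITY_RANK[f["severity"].upper()] >= min_rank
        and f["id"] not in excepted
    )
    return (len(blocking) == 0, blocking)


def reduction_pct(pre_findings, post_findings):
    """Level 4 indicator metric: percent of findings removed by hardening."""
    if not pre_findings:
        return 0.0
    removed = len(pre_findings) - len(post_findings)
    return round(100.0 * removed / len(pre_findings), 1)


def run_pipeline_check(pre_json, post_json, threshold, exceptions=()):
    """Level 4 flow: gate the post-hardening scan and report the reduction."""
    pre = parse_findings(pre_json)
    post = parse_findings(post_json)
    passed, blocking = gate(post, threshold, exceptions)
    return {
        "reduction_pct": reduction_pct(pre, post),
        "gate_passed": passed,
        "blocking": blocking,
    }


if __name__ == "__main__":
    pre = parse_findings(PRE_HARDENING_SCAN)
    # Level 3 as described: a HIGH threshold on pre-hardening counts blocks on
    # CVEs in packages the application never loads.
    print("pre-hardening HIGH gate:", gate(pre, "HIGH"))
    # Level 4: gate the hardened image instead; only the residual HIGH in the
    # active runtime package still blocks, which is the case engineers work on.
    print("post-hardening check:",
          run_pipeline_check(PRE_HARDENING_SCAN, POST_HARDENING_SCAN, "HIGH"))
```

Run stand-alone, the pre-hardening HIGH gate blocks on four findings, three of them in packages the application never uses; the post-hardening gate blocks on one, and the reduction metric reports 66.7%. The `threshold` parameter is how a team follows the article's "start with Critical only" advice and then tightens to HIGH once the post-hardening counts make that achievable.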

Level 5: Full Supply Chain Security with Runtime Monitoring

Characteristics: Images are signed and attested at every pipeline stage. Admission controllers verify signatures and attestations before any pod starts. Runtime monitoring compares observed behavior to expected profiles. Drift from profile triggers investigation.

Risk profile: Minimal. Pre-deployment attack surface is systematically reduced. Post-deployment anomalies are detected in near real time.

Indicator metrics: Image signing coverage, attestation completeness, runtime anomaly detection rate, mean time to detection for behavioral deviations.
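The Level 5 description above names three mechanisms: an admission rule that requires a signature and a complete set of attestations, a runtime check that compares observed behavior to an expected profile, and coverage metrics for signing and attestation. The following is an added example (not code from the original article or from any product): the profile shape, the event shape and the image inventory are constructed assumptions standing in for what a real admission controller, runtime sensor and registry would supply, and the attestation type names ("build", "scan", "sbom") are placeholders.

```python
"""Level 5 admission rule, runtime drift check and coverage metrics.

Added example, not from the original article. The expected profile, the
observed events and the image inventory are constructed; a real deployment
feeds these from its admission controller, runtime sensor and registry.
"""

# Constructed expected profile for one workload: which executables it runs,
# which outbound ports it uses, and where it is allowed to write.
EXPECTED_PROFILE = {
    "workload": "app",
    "allowed_execs": {"/usr/bin/app", "/usr/bin/health-probe"},
    "allowed_out_ports": {443, 5432},
    "allowed_write_prefixes": ("/var/lib/app/", "/tmp/"),
}

# Constructed observed events, in the order a runtime sensor might emit them.
OBSERVED_EVENTS = [
    {"t": 100, "type": "exec", "path": "/usr/bin/app"},
    {"t": 105, "type": "connect", "port": 5432},
    {"t": 140, "type": "exec", "path": "/bin/sh"},            # not in profile
    {"t": 142, "type": "connect", "port": 8081},              # not in profile
    {"t": 150, "type": "write", "path": "/etc/cron.d/job"},   # outside prefixes
    {"t": 160, "type": "write", "path": "/var/lib/app/state"},
]

# Constructed image inventory; attestation type names are placeholders.
REQUIRED_ATTESTATIONS = {"build", "scan", "sbom"}
IMAGE_INVENTORY = [
    {"image": "app:1.4.2", "signed": True, "attestations": {"build", "scan", "sbom"}},
    {"image": "worker:2.0.0", "signed": True, "attestations": {"build"}},
    {"image": "legacy-cron:0.9", "signed": False, "attestations": set()},
]


def admission_decision(image_record, required):
    """Admit a pod only if its image is signed and carries every required
    attestation type; everything else is refused before the pod starts."""
    return bool(image_record["signed"]) and required <= image_record["attestations"]


def detect_drift(profile, events):
    """Return the observed events that deviate from the expected profile,
    each tagged with the reason, so they can be routed to investigation."""
    drift = []
    for ev in events:
        if ev["type"] == "exec" and ev["path"] not in profile["allowed_execs"]:
            drift.append({**ev, "reason": "unexpected executable"})
        elif ev["type"] == "connect" and ev["port"] not in profile["allowed_out_ports"]:
            drift.append({**ev, "reason": "unexpected outbound port"})
        elif ev["type"] == "write" and not ev["path"].startswith(
                profile["allowed_write_prefixes"]):
            drift.append({**ev, "reason": "write outside allowed paths"})
    return drift


def signing_coverage(inventory):
    """Indicator metric: percent of inventoried images that are signed."""
    if not inventory:
        return 0.0
    signed = sum(1 for rec in inventory if rec["signed"])
    return round(100.0 * signed / len(inventory), 1)


def attestation_completeness(inventory, required):
    """Indicator metric: percent of images carrying every required attestation."""
    if not inventory:
        return 0.0
    complete = sum(1 for rec in inventory if required <= rec["attestations"])
    return round(100.0 * complete / len(inventory), 1)


if __name__ == "__main__":
    for rec in IMAGE_INVENTORY:
        print(rec["image"], "admit" if admission_decision(rec, REQUIRED_ATTESTATIONS) else "refuse")
    for ev in detect_drift(EXPECTED_PROFILE, OBSERVED_EVENTS):
        print("drift at t=%d: %s" % (ev["t"], ev["reason"]))
    print("signing coverage %%: %.1f" % signing_coverage(IMAGE_INVENTORY))
    print("attestation completeness %%: %.1f"
          % attestation_completeness(IMAGE_INVENTORY, REQUIRED_ATTESTATIONS))
```

Two of the three inventoried images fail admission here, which is the point of tracking signing coverage and attestation completeness as separate metrics: an image can be signed and still lack the attestations the policy requires. The drift check flags the three events that leave the profile and leaves the expected ones alone; the reason strings are what the investigation queue would key on.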


Where Most Organizations Are

Based on current practice, the distribution is roughly:

  • Level 1: ~20% of organizations (no scanning)
  • Level 2: ~40% (scanning with reporting only)
  • Level 3: ~30% (enforced gates)
  • Level 4: ~8% (automated remediation)
  • Level 5: ~2% (full supply chain security)

The Level 2-to-3 transition is where most security investment is currently focused. The Level 3-to-4 transition — adding automated remediation — is the step that produces the most measurable risk reduction for the effort invested.



Frequently Asked Questions

What are the maturity levels for CI/CD container security?

The five-level CI/CD container security maturity model progresses from Level 1 (no automated scanning) through Level 2 (scanning with reporting only), Level 3 (enforced CVE gates), Level 4 (automated remediation in the pipeline), and Level 5 (full supply chain security with runtime monitoring). Most organizations currently operate at Level 2 or 3. The Level 3-to-4 transition — adding automated hardening before the security gate — produces the most measurable risk reduction per unit of investment.

How do you benchmark CI/CD security maturity for container build pipelines?

Assess your pipeline against the five-level model: identify whether you have scanning, whether it is enforced via a gate, whether automated hardening runs before the gate, and whether you have image signing, attestations, and runtime behavioral monitoring. The Level 4 indicator metric — CVE reduction percentage between pre-hardening and post-hardening scans — should show 60-90% reduction in mature implementations. About 8% of organizations have reached Level 4 and only 2% have reached Level 5.

Why should security gates be applied after automated hardening?

Applying a CVE gate to pre-hardening image counts produces high false positive rates because typical container images contain hundreds of CVEs in packages the application never uses. Teams respond by setting thresholds too high to be meaningful or disabling enforcement entirely. Running automated hardening first removes 60-90% of CVEs from unused components, making post-hardening gate thresholds achievable with reasonable security hygiene and ensuring the gate reflects actual exploitability risk.

What comes after enforced CVE gates in container pipeline security?

Level 4 adds automated image hardening before the security gate, so unused-component CVEs are removed automatically and human remediation focuses on the harder cases in active code paths. Level 5 extends this with image signing and attestations at every pipeline stage, admission controllers that verify both signatures and attestations before pod creation, and runtime behavioral monitoring that detects anomalies against expected execution profiles.


Using the Model to Prioritize Investment

Assess your current level honestly. Then invest in the next level up, not the highest level available.

Jumping from Level 2 to Level 5 does not work. You need the intermediate capabilities as a foundation. Teams that implement Level 5 runtime monitoring before Level 3 gate enforcement are monitoring for runtime anomalies in images they have never scanned.

Build the foundation. Move one level at a time. Measure the metrics at each level to confirm the transition is complete before moving to the next.

The teams operating at Level 4 and 5 are not spending more on security than teams at Level 2. They are spending it differently, with the foundation that makes each investment effective.