Hi all,
How are others handling compliance controls that require pull request review requirements for GitOps manifest repos?
We're targeting SOC2 Type II/USDP frameworks and recently adopted a GitOps delivery model (Flux) where our GitOps repo contains only deployment manifests and no application code. We have a recurring finding we're looking for community input on.
Our setup:
Staging releases are automated end-to-end, which means the manifest PR in the GitOps repo is auto-merged without a human reviewer. This trips a Vanta finding we have to manually dismiss each time.
Production releases require a human to manually merge the PR, which effectively acts as the approval gate - but there's no formal "reviewer" assigned prior to merge.
The Git history of the repo serves as a full audit trail: every deployment is recorded with what was shipped, when, and who merged it.
The core tension: Compliance controls are checking for PR reviewers, but our approval model is process-based (staging is gated by passing production before it matters; prod is gated by the merge action itself). The repo isn't a place where code is written - it's a manifest of what's already been reviewed and approved upstream in application repos.
Questions for the community:
Are others in a similar GitOps setup, and how are you handling this finding - dismissing repeatedly, adjusting the control, or restructuring your workflow?
Has anyone successfully made the case to auditors that Git history alone satisfies the change management intent behind this control?
Are folks excluding these GitOps repos from Vanta?
Appreciate any input from teams who've worked through this.
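One concrete way to answer the "does Git history alone cover the control" question is to generate the evidence from that history rather than arguing from it. The script below is an added example, not the poster's tooling: it parses the output of `git log --format='%H|%P|%an|%cn|%cI|%s' main` into one record per merge commit (who merged, who authored the merged branch, whether the merger was automation), then reports prod merges that were performed by a bot or where the merger and the change author are the same person. The sample log, the author names, the bot-name markers and the `[staging]`/`[prod]` subject prefix are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the original post): automation identifies itself with one of these
# markers in its git author name, and PR titles carry an environment prefix like "[prod]".
BOT_MARKERS = ("[bot]", "flux", "github-actions")
ENV_RE = re.compile(r"^\[(staging|prod)\]", re.IGNORECASE)

# Constructed sample in the shape of: git log --format='%H|%P|%an|%cn|%cI|%s' main
# (newest first; hashes and names are invented).
SAMPLE_LOG = """\
c3e9f10|b2c1f08 a9d4b77|Dana Ops|GitHub|2024-05-02T10:00:00Z|[prod] Merge pull request #41 from release/app-x-1.4.0
a9d4b77|b2c1f08|Flux Bot|Flux Bot|2024-05-02T09:55:00Z|[prod] Promote app-x to 1.4.0
b2c1f08|a1f0c2e a7e5d33|flux-release[bot]|GitHub|2024-05-01T12:00:00Z|[staging] Merge pull request #40 from release/app-x-1.4.0-staging
a7e5d33|a1f0c2e|Flux Bot|Flux Bot|2024-05-01T11:58:00Z|[staging] Deploy app-x 1.4.0
a1f0c2e|a0d0000 a5b8e91|Sam Dev|GitHub|2024-04-28T08:00:00Z|[prod] Merge pull request #38 from sam/hotfix-ingress
a5b8e91|a0d0000|Sam Dev|Sam Dev|2024-04-28T07:50:00Z|[prod] Fix ingress host for app-y
a0d0000||Init|Init|2024-04-01T00:00:00Z|Initial manifests
"""


@dataclass
class Commit:
    sha: str
    parents: list
    author: str
    committer: str
    date: str
    subject: str


def parse_log(text):
    """Parse '%H|%P|%an|%cn|%cI|%s' lines into a sha -> Commit map (insertion order kept)."""
    commits = {}
    for line in text.strip().splitlines():
        sha, parents, author, committer, date, subject = line.split("|", 5)
        commits[sha] = Commit(sha, parents.split(), author, committer, date, subject)
    return commits


def is_bot(name):
    return any(marker in name.lower() for marker in BOT_MARKERS)


def audit_merges(text):
    """One evidence record per merge commit on the audited branch."""
    commits = parse_log(text)
    records = []
    for c in commits.values():
        if len(c.parents) < 2:
            continue  # not a merge; direct pushes to main would need a separate check
        branch_tip = commits.get(c.parents[1])  # second parent is the merged PR branch
        env = ENV_RE.match(c.subject)
        records.append({
            "sha": c.sha,
            "env": env.group(1).lower() if env else "unknown",
            # GitHub records whoever pressed "merge" as the merge commit's author.
            "merged_by": c.author,
            "changed_by": branch_tip.author if branch_tip else "unknown",
            "automated": is_bot(c.author),
            "date": c.date,
        })
    return records


def findings(records):
    """Prod merges that would not satisfy a 'second person approved' reading of the control."""
    out = []
    for r in records:
        if r["env"] != "prod":
            continue  # staging auto-merge is accepted by the workflow described in the post
        if r["automated"]:
            out.append(f'{r["sha"]}: prod merge performed by automation ({r["merged_by"]})')
        elif r["changed_by"] in (r["merged_by"], "unknown"):
            out.append(f'{r["sha"]}: prod merge by {r["merged_by"]} with no distinct '
                       f'second person (changed_by={r["changed_by"]})')
    return out


if __name__ == "__main__":
    for rec in audit_merges(SAMPLE_LOG):
        print(rec)
    for line in findings(audit_merges(SAMPLE_LOG)):
        print("FINDING:", line)
```

Run against a real repo with `git log --format='%H|%P|%an|%cn|%cI|%s' main | python audit.py` (after swapping `SAMPLE_LOG` for stdin). The useful property for an auditor is that the separation-of-duties evidence comes straight from the commit graph: a human merger who is not the author of the manifest bump shows up as a distinct `merged_by`, while a self-merged hotfix (the `a1f0c2e` record in the sample) is flagged even though it went through a PR. Note that squash merges attribute the squashed commit to the PR author, so the merger then has to be recovered from the PR metadata rather than from `%an`.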