Variant Systems

CI/CD Technical Due Diligence

How a team ships software tells you more than what they've shipped. We assess the pipeline that delivers their product.

At Variant Systems, we pair the right technology with the right approach to ship products that work.

Why this combination

  • Deployment frequency and reliability directly indicate engineering team maturity
  • CI/CD quality predicts post-acquisition velocity - can new features ship quickly?
  • Pipeline gaps reveal hidden operational costs the team has normalized
  • Automated testing coverage signals code quality and refactoring safety

Pipeline Maturity and Deployment Velocity

Deployment frequency is the headline metric. Teams that deploy daily operate differently from teams that deploy monthly. Daily deployers have automated pipelines, comprehensive tests, and confidence in their process. Monthly deployers have manual steps, fear of deployment, and a backlog of changes bundled into risky releases.

We measure all four DORA metrics: deployment frequency, lead time for changes, change failure rate, and time to recovery. These correlate directly with business outcomes. High-performing teams ship features faster, break things less often, and recover quicker when they do. The metrics reveal whether the engineering organization is an accelerator or a bottleneck.

Beyond metrics, we evaluate the pipeline architecture. Is it maintainable? Are configurations DRY or copy-pasted? Can new services onboard quickly? Is the pipeline infrastructure itself reliable, or is it a source of flakiness and delays?

Where Delivery Pipelines Break Down

The biggest risk in CI/CD due diligence: teams that ship manually. No pipeline, or a pipeline that’s bypassed for “urgent” changes. Manual deployment means no audit trail, no reproducibility, and no guarantee that what’s in production matches what’s in version control. This is a red flag for operational maturity.

Testing gaps are quantified by coverage type. Unit tests alone miss integration failures. Integration tests without end-to-end tests miss user-facing bugs. No tests at all means every deployment is a gamble. We assess not just coverage percentages but test quality - fast, reliable tests that catch real bugs versus slow, flaky tests that nobody trusts.

Environment management reveals scaling readiness. Can the team create new environments on demand? Are environments consistent with production? Is data management handled for staging environments? These capabilities matter when the team needs to grow velocity post-acquisition.

Your CI/CD Maturity Scorecard

The report includes a CI/CD maturity score across dimensions: build automation, test coverage, deployment strategy, environment management, and operational practices. Each dimension is rated with specific findings and remediation recommendations.

We project the impact of improvements on delivery velocity. “Reducing build time from 20 minutes to 5 minutes increases available deployment windows by 4x.” “Adding automated rollback reduces mean time to recovery from hours to minutes.” These projections help investors and acquirers quantify the value of pipeline improvements in business terms.

Build Pipeline Attack Surface and Dependency Integrity

We also assess the security posture of the CI/CD pipeline itself. Build pipelines are a high-value attack target because they have access to production credentials, signing keys, and deployment infrastructure. We review secret injection methods, checking whether credentials are stored as plain-text environment variables or managed through a dedicated secrets backend. Dependency pinning is evaluated across the build chain: are container base images tagged to digests, are GitHub Actions pinned to commit SHAs, and are package lock files committed and enforced? We check for artifact provenance, verifying that deployed binaries can be traced back to a specific commit and build. Pipeline permissions are audited to ensure jobs run with the minimum privileges necessary, and branch protection rules are verified to prevent unauthorized merges that bypass the CI gate.
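As an added illustration (not Variant Systems' tooling), the following Python check flags the two pinning gaps named above: GitHub Actions `uses:` references that are not full commit SHAs, and Dockerfile `FROM` images that carry no `@sha256` digest. The workflow and Dockerfile samples are constructed, and the SHA and digest inside them are placeholders, not real values.

```python
import re
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def find_unpinned_actions(workflow_text):
    """(line_no, ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):          # repo-local action: versioned with the repo itself
            continue
        if ref.startswith("docker://"):   # container action: must carry an image digest
            pinned = "@sha256:" in ref
        else:                             # marketplace action: tag/branch is mutable, SHA is not
            pinned = bool(SHA1_RE.match(ref.partition("@")[2]))
        if not pinned:
            findings.append((n, ref))
    return findings

def find_undigested_images(dockerfile_text):
    """(line_no, image) for each FROM whose image lacks an @sha256 digest."""
    findings, stages = [], set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:                         # remember stage names: later FROM <stage> is not a pull
            stages.add(stage.lower())
        if image == "scratch" or image.lower() in stages:
            continue
        if "@sha256:" not in image:       # a tag alone can be re-pushed; a digest cannot
            findings.append((n, image))
    return findings

# Constructed samples; the commit SHA and digest below are placeholders, not real values.
WORKFLOW = """\
- uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
- uses: actions/setup-node@v4
- uses: ./.github/actions/local-build
- uses: docker://alpine:3.19
"""
DOCKERFILE = """\
FROM golang:1.22@sha256:{} AS build
FROM --platform=linux/amd64 alpine:3.19
FROM build AS test
""".format("0" * 64)
```

Running both checks over the samples reports the `setup-node@v4` tag, the undigested `docker://alpine:3.19` action, and the undigested `alpine:3.19` base image, while the SHA-pinned action, the local action, and the `FROM build` stage reference pass.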

What you get

  • DORA metrics assessment (deployment frequency, lead time, failure rate, recovery time)
  • Pipeline architecture review with maturity scoring
  • Test automation coverage and quality evaluation
  • Deployment strategy risk assessment
  • Infrastructure-as-code and environment management review
  • Remediation roadmap with velocity impact projections

Ideal for

  • Investors evaluating engineering velocity of target companies
  • Acquirers assessing how quickly they can ship changes post-acquisition
  • CTOs joining an organization who want to understand its delivery capability
  • Companies benchmarking their CI/CD practices against industry standards
