Ops — Production Security Posture Monitoring
BleedWatch Ops monitors your production services for security posture drift. It connects to your GitHub repositories via the BleedWatch GitHub App and runs 45+ automated security checks across five categories.
How Ops Works
- Connect a service — Select a GitHub repository linked to a production service
- Initial scan — Ops runs all 45+ checks against your repo
- Score calculation — Each service receives a security score (0–100)
- Continuous monitoring — Ops detects drift when check statuses change between scans
- Alerting — Get notified when security regressions are detected
Security Check Categories
CI/CD Security
Validates GitHub Actions workflows for actions pinned to a full commit SHA rather than a mutable tag or branch, a least-privilege permissions block at the workflow or job level, safe handling of secrets, and dangerous patterns such as pull_request_target combined with a checkout of the pull request head, which runs untrusted contributor code with a write-scoped GITHUB_TOKEN and access to repository secrets.
Container Security
Analyzes Dockerfiles for non-root users, multi-stage builds, health checks, image pinning, and .dockerignore presence. Also checks Docker Compose for read-only filesystems and resource limits.
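The following is an added example of what line-oriented versions of the CI/CD and container checks above can look like. It is not BleedWatch's code; the check ids, the sample workflow (including its made-up 40-hex action ref) and the sample Dockerfile are constructed for illustration, and the checks are heuristics over the raw text rather than a full YAML or Dockerfile parse.

```python
# Added example (not BleedWatch's code): line-oriented versions of the CI/CD
# and container checks described above. Check ids, the sample workflow and the
# sample Dockerfile are constructed for illustration.
import re

# Constructed workflow with three weaknesses: a mutable tag (checkout@v4),
# no permissions block, and pull_request_target that checks out the PR head.
# The 40-hex ref on setup-node is a made-up SHA, not a real release.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: npm ci && npm test
"""

# Constructed multi-stage Dockerfile: digest-pinned final base (made-up digest)
# and a HEALTHCHECK, but no USER instruction, so the service still runs as root.
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci && npm run build
FROM node:20-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /app/dist /app
HEALTHCHECK CMD wget -qO- http://localhost:3000/healthz || exit 1
CMD ["node", "/app/server.js"]
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def check_workflow(text):
    """Return {check_id: passed} for one GitHub Actions workflow file."""
    lines = text.splitlines()
    uses = [m for m in (USES_RE.match(l) for l in lines) if m]
    # Local actions (./path) and docker:// images cannot be SHA-pinned here.
    remote = [m for m in uses if not m.group(1).startswith(("./", "docker://"))]
    pinned = all(SHA40_RE.match(m.group(2)) for m in remote)
    has_perms = any(re.match(r"^\s*permissions:", l) for l in lines)
    on_prt = "pull_request_target" in text
    checks_out_pr_head = (
        any(m.group(1) == "actions/checkout" for m in uses)
        and PR_HEAD_RE.search(text) is not None
    )
    return {
        "ci.pinned_actions": pinned,
        "ci.permissions_declared": has_perms,
        # Untrusted PR code with a write token and secrets: never combine these.
        "ci.no_prt_with_pr_checkout": not (on_prt and checks_out_pr_head),
    }


def check_dockerfile(text):
    """Return {check_id: passed} for one Dockerfile."""
    froms, user, healthcheck = [], None, False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        instr = tokens[0].upper()
        if instr == "FROM":
            args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform=
            froms.append(args[0])
        elif instr == "USER":
            user = tokens[1]
        elif instr == "HEALTHCHECK":
            healthcheck = tokens[1:] != ["NONE"]
    final_base = froms[-1] if froms else ""
    return {
        "container.non_root_user": user is not None and user.split(":")[0] not in ("root", "0"),
        "container.multi_stage": len(froms) >= 2,
        "container.healthcheck": healthcheck,
        # Digest pin on the final stage; a tag such as :20-alpine can be re-pushed.
        "container.base_image_pinned": "@sha256:" in final_base,
    }


def scan(workflow_text, dockerfile_text):
    """Merge both check sets, as one scan of a service would."""
    return {**check_workflow(workflow_text), **check_dockerfile(dockerfile_text)}


if __name__ == "__main__":
    for check_id, ok in scan(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check_id}")
```

Run against the two samples, all three workflow checks fail and, of the container checks, only the non-root-user check fails. A production scanner would parse the YAML properly (inline forms such as on: [push, pull_request_target] and matrix-generated jobs defeat line matching) and would treat a final FROM that names an earlier build stage as pinned if that stage's base is pinned; the heuristics here are deliberately simple.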
Secret Management
Detects hardcoded secrets, validates .gitignore coverage for sensitive files (.env, credentials, key files), and checks for secret scanning configuration.
Dependency Management
Checks for lock file presence, Dependabot/Renovate configuration, and dependency update policies.
Code Quality
Validates linter configuration, test presence, and branch protection rules.
Security Score
Each service receives a score from 0 to 100:
| Grade | Score Range | Meaning |
|---|---|---|
| A | 90–100 | Excellent security posture |
| B | 75–89 | Good, minor improvements needed |
| C | 60–74 | Fair, several gaps to address |
| D | 40–59 | Poor, significant risks |
| F | 0–39 | Critical, immediate action needed |
Checks are weighted by severity: critical checks contribute more to the score than informational ones.
Drift Detection
Ops tracks check status changes between scans and generates drift events:
- Regression — A check that was passing now fails (e.g., a SHA-pinned action was replaced with a mutable tag, or a Dockerfile's USER instruction was removed)
- Improvement — A failing check now passes
- Flap — A check oscillates between pass and fail across consecutive scans
Drift events are correlated with the Git commit that introduced the change.
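As an added example covering both the severity-weighted score above and drift detection, the code below is not BleedWatch's algorithm: the severity weights, the check catalogue, the commit ids and the scan history are all constructed, and only the grade bands come from the table on this page. The flap rule (a check whose status changed at least three times within the last four scans) is an assumption, since the page does not say how Ops distinguishes a flap from a regression.

```python
# Added example (not BleedWatch's algorithm): severity-weighted scoring with
# the grade bands from the table above, plus drift detection over a scan
# history. Weights, check ids, commit ids and scan results are constructed.

# Grade bands from this page's table: (minimum score, letter).
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]

# Assumed severity weights; the page only says critical outweighs informational.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 3, "low": 1, "info": 0.5}

# Constructed check catalogue: check id -> severity.
CHECKS = {
    "ci.pinned_actions": "high",
    "ci.permissions_declared": "medium",
    "ci.no_prt_with_pr_checkout": "critical",
    "container.non_root_user": "high",
    "container.healthcheck": "low",
    "secrets.no_hardcoded_secrets": "critical",
    "deps.lockfile_present": "medium",
    "quality.linter_configured": "info",
}


def score(results):
    """Weighted share of passing checks as an integer 0-100."""
    total = sum(SEVERITY_WEIGHT[CHECKS[c]] for c in results)
    earned = sum(SEVERITY_WEIGHT[CHECKS[c]] for c, ok in results.items() if ok)
    return round(100 * earned / total) if total else 0


def grade(s):
    """Map a 0-100 score to the letter grade from the table above."""
    return next(letter for floor, letter in GRADE_BANDS if s >= floor)


def drift_events(history, flap_window=4):
    """Compare each scan with its predecessor and emit drift events.

    history: list of (commit, results) ordered oldest first. A check whose
    status changed at least three times within the last `flap_window` scans
    is reported as a flap instead of a regression or improvement (assumed rule).
    """
    events = []
    for i in range(1, len(history)):
        commit, cur = history[i]
        prev = history[i - 1][1]
        for check, after in cur.items():
            before = prev.get(check)
            if before is None or before == after:
                continue
            kind = "regression" if before and not after else "improvement"
            window = [r.get(check) for _, r in history[max(0, i - flap_window + 1): i + 1]]
            flips = sum(1 for a, b in zip(window, window[1:]) if None not in (a, b) and a != b)
            if flips >= 3:
                kind = "flap"
            events.append({"check": check, "kind": kind, "severity": CHECKS[check], "commit": commit})
    return events


def _scan(failing=()):
    """Constructed scan result: every catalogued check passes except `failing`."""
    return {c: c not in failing for c in CHECKS}


# Constructed history (commit ids are made up). The HEALTHCHECK is removed,
# restored and removed again, and the last commit swaps a SHA pin for a tag.
HISTORY = [
    ("a1f9c02", _scan(["quality.linter_configured"])),
    ("b7e4d13", _scan(["container.healthcheck"])),
    ("c3a8e24", _scan()),
    ("d9b1f35", _scan(["container.healthcheck"])),
    ("e5c7a46", _scan(["container.healthcheck", "ci.pinned_actions"])),
]


def summarize(history):
    """Per-scan (commit, score, grade) tuples."""
    return [(commit, score(r), grade(score(r))) for commit, r in history]


if __name__ == "__main__":
    for commit, s, g in summarize(HISTORY):
        print(f"{commit}  score={s:3d}  grade={g}")
    for e in drift_events(HISTORY):
        print(f"{e['commit']}  {e['kind']:<11} {e['severity']:<8} {e['check']}")
```

Two things the run illustrates: the score barely moves when the low-severity health check flips (99 to 97), but losing the high-severity action pinning drops the service from A to B; and the third health-check change at commit d9b1f35 is classified as a flap rather than another regression, so an alert rule that pages on regressions only would stay quiet while one that also watches flaps would surface the unstable check.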
DORA Metrics
Ops calculates four DORA (DevOps Research and Assessment) metrics per service:
- Deployment Frequency — How often code is deployed to production
- Lead Time for Changes — Time from commit to production deployment
- Change Failure Rate — Percentage of deployments causing incidents
- Mean Time to Recovery (MTTR) — Average time to recover from failures
CRA Compliance
For services marked as CRA-applicable (EU Cyber Resilience Act), Ops maps check results to CRA Annex I requirements and generates compliance evidence for audit purposes.
Getting Started
- Navigate to Ops in the dashboard sidebar
- Click Add Service
- Select a GitHub repository from your connected installations
- Ops will run its first scan automatically
Because the checks read repository contents (workflows, Dockerfiles, lock files, .gitignore) and repository settings such as branch protection, Ops works best with repositories that have CI/CD pipelines (GitHub Actions), Dockerfiles, and standard project configuration files.