{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {
      "date-parts": [[2026, 2, 11]],
      "date-time": "2026-02-11T13:12:34Z",
      "timestamp": 1770815554933,
      "version": "3.50.1"
    },
    "reference-count": 35,
    "publisher": "MDPI AG",
    "issue": "1",
    "license": [
      {
        "start": {
          "date-parts": [[2026, 2, 10]],
          "date-time": "2026-02-10T00:00:00Z",
          "timestamp": 1770681600000
        },
        "content-version": "vor",
        "delay-in-days": 0,
        "URL": "https:\/\/creativecommons.org\/licenses\/by\/4.0\/"
      }
    ],
    "content-domain": {
      "domain": [],
      "crossmark-restriction": false
    },
    "short-container-title": ["Software"],
    "abstract": "<jats:p>Modern DevSecOps environments face a persistent tension between accelerating deployment velocity and maintaining verifiable compliance with regulatory, security, and internal governance standards. Traditional snapshot-in-time audits and fragmented compliance tooling struggle to capture the dynamic nature of containerized, continuous delivery, often resulting in compliance drift and delayed remediation. This paper introduces the Continuous Compliance Framework (CCF), a data-centric reference architecture that embeds compliance validation directly into CI\/CD pipelines. The framework treats compliance as a first-class, computable system property by combining declarative policies-as-code, standardized evidence collection, and cryptographically verifiable attestations. Central to the approach is a Compliance Data Lakehouse that transforms heterogeneous pipeline artifacts into a queryable, time-indexed compliance data product, enabling audit-ready evidence generation and continuous assurance. The proposed architecture is validated through an end-to-end synthetic microservice implementation. Experimental results demonstrate full policy lifecycle enforcement with a minimal pipeline overhead and sub-second policy evaluation latency. These findings indicate that compliance can be shifted from a post hoc audit activity to an intrinsic, verifiable property of the software delivery process without materially degrading deployment velocity.<\/jats:p>",
    "DOI": "10.3390\/software5010006",
    "type": "journal-article",
    "created": {
      "date-parts": [[2026, 2, 11]],
      "date-time": "2026-02-11T09:16:08Z",
      "timestamp": 1770801368000
    },
    "page": "6",
    "update-policy": "https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy",
    "source": "Crossref",
    "is-referenced-by-count": 0,
    "title": ["Integrating Continuous Compliance into DevSecOps Pipelines: A Data Engineering Perspective"],
    "prefix": "10.3390",
    "volume": "5",
    "author": [
      {
        "ORCID": "https:\/\/orcid.org\/0000-0002-5665-4658",
        "authenticated-orcid": false,
        "given": "Aleksandr",
        "family": "Zakharchenko",
        "sequence": "first",
        "affiliation": [{"name": "Independent Researcher, Union, NJ 07083, USA"}]
      }
    ],
    "member": "1968",
    "published-online": {"date-parts": [[2026, 2, 10]]},
    "reference": [
      {"key": "ref_1", "doi-asserted-by": "crossref", "unstructured": "Qureshi, J.N., and Farooq, M.S. (2024). ChainAgile: Enhancing agile DevOps using blockchain integration. PLoS ONE, 19.", "DOI": "10.1371\/journal.pone.0299324"},
      {"key": "ref_2", "doi-asserted-by": "crossref", "unstructured": "Pourmajidi, W., Zhang, L., Steinbacher, J., Erwin, T., and Miranskyy, A. (2025). A Reference Architecture for Governance of Cloud Native Applications. arXiv.", "DOI": "10.1109\/TCC.2025.3578557"},
      {"key": "ref_3", "unstructured": "Louren\u00e7o, B., Ad\u00e3o, P., Ferreira, J.F., Marques, M.M., and Vaz, C. (2025). Structuring Security: A Survey of Cybersecurity Ontologies, Semantic Log Processing, and LLM Applications. arXiv."},
      {"key": "ref_4", "doi-asserted-by": "crossref", "first-page": "31", "DOI": "10.70589\/JRTCSE.2024.5.5", "article-title": "Securing DevOps Pipelines: Automating Security in DevSecOps Frameworks", "volume": "12", "author": "Chittala", "year": "2024", "journal-title": "J. Recent Trends Comput. Sci. Eng."},
      {"key": "ref_5", "doi-asserted-by": "crossref", "first-page": "75", "DOI": "10.2307\/25148625", "article-title": "Design Science in Information Systems Research", "volume": "28", "author": "Hevner", "year": "2004", "journal-title": "Manag. Inf. Syst. Q."},
      {"key": "ref_6", "doi-asserted-by": "crossref", "unstructured": "(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems (Standard No. ISO\/IEC 27001:2022).", "DOI": "10.2307\/j.ctv30qq13d"},
      {"key": "ref_7", "unstructured": "AICPA (2017). SOC 2 Trust Services Criteria, AICPA."},
      {"key": "ref_8", "unstructured": "European Parliament (2016). General Data Protection Regulation (GDPR), European Parliament."},
      {"key": "ref_9", "unstructured": "U.S. Department of Health & Human Services (1996). Health Insurance Portability and Accountability Act (HIPAA), U.S. Department of Health & Human Services."},
      {"key": "ref_10", "unstructured": "PCI Security Standards Council (2022). Payment Card Industry Data Security Standard (PCI-DSS), PCI Security Standards Council."},
      {"key": "ref_11", "unstructured": "NIST (2023). AI Risk Management Framework 1.0, National Institute of Standards and Technology."},
      {"key": "ref_12", "unstructured": "(2023). Information Technology\u2014Artificial Intelligence\u2014Management System (Standard No. ISO\/IEC 42001:2023)."},
      {"key": "ref_13", "unstructured": "IEEE (2024). P3395 Draft Standard for AI Risk Management, IEEE."},
      {"key": "ref_14", "unstructured": "(2026, February 01). Open Policy Agent (OPA). Available online: https:\/\/www.openpolicyagent.org."},
      {"key": "ref_15", "unstructured": "(2026, February 01). Kyverno: Kubernetes Native Policy Management. Available online: https:\/\/kyverno.io."},
      {"key": "ref_16", "unstructured": "(2026, February 01). SLSA: Supply-Chain Levels for Software Artifacts. Available online: https:\/\/slsa.dev."},
      {"key": "ref_17", "unstructured": "(2026, February 01). The Sigstore Project. Available online: https:\/\/sigstore.dev."},
      {"key": "ref_18", "unstructured": "Torres-Arias, S., Afzali, H., Kuppusamy, T.K., Curtmola, R., and Cappos, J. (2019, January 14\u201316). in-toto: Providing Farm-to-Table Guarantees for Bits and Bytes. Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, USA."},
      {"key": "ref_19", "unstructured": "Linux Foundation (2026, February 01). CycloneDX SBOM Standard. Available online: https:\/\/cyclonedx.org."},
      {"key": "ref_20", "unstructured": "OASIS (2022). Static Analysis Results Interchange Format (SARIF), OASIS Open."},
      {"key": "ref_21", "unstructured": "(2026, February 01). dbt Labs Documentation. Available online: https:\/\/getdbt.com."},
      {"key": "ref_22", "unstructured": "(2026, February 01). Great Expectations Documentation. Available online: https:\/\/docs.greatexpectations.io."},
      {"key": "ref_23", "doi-asserted-by": "crossref", "unstructured": "Chandramouli, R., Kautz, F., and Torres-Arias, S. (2024). Strategies for the Integration of Software Supply Chain Security in DevSecOps CI\/CD Pipelines (Standard No. NIST SP 800-204D).", "DOI": "10.6028\/NIST.SP.800-204D"},
      {"key": "ref_24", "doi-asserted-by": "crossref", "first-page": "10", "DOI": "10.47672\/ejt.2723", "article-title": "Security Policy Enforcement and Behavioral Threat Detection in DevSecOps Pipelines", "volume": "6", "author": "Kamaluddin", "year": "2022", "journal-title": "Eur. J. Technol."},
      {"key": "ref_25", "unstructured": "LF AI & Data Foundation (2026, February 01). OpenLineage Specification. Available online: https:\/\/openlineage.io."},
      {"key": "ref_26", "unstructured": "Databricks (2026, February 01). What Is a Data Lakehouse?. Available online: https:\/\/databricks.com\/glossary\/data-lakehouse."},
      {"key": "ref_27", "first-page": "1", "article-title": "Tracing the Path: Data Lineage and Its Impact on Data Governance", "volume": "1", "author": "Verma", "year": "2024", "journal-title": "Int. J. Glob. Innov. Solut."},
      {"key": "ref_28", "first-page": "1", "article-title": "Data Lineage and Compliance", "volume": "5", "author": "Sweet", "year": "2016", "journal-title": "ISACA J."},
      {"key": "ref_29", "doi-asserted-by": "crossref", "unstructured": "Li, Z., Guo, W., Gao, Y., Yang, D., and Kang, L. (2025). A Large Language Model\u2013Based Approach for Data Lineage Parsing. Electronics, 14.", "DOI": "10.3390\/electronics14091762"},
      {"key": "ref_30", "doi-asserted-by": "crossref", "first-page": "28", "DOI": "10.14445\/22312803\/IJCTT-V70I1P106", "article-title": "The Importance of Data and Analytics Provenance and Governance in the Realm of Datafication", "volume": "70", "author": "Tyagi", "year": "2022", "journal-title": "Int. J. Comput. Trends Technol."},
      {"key": "ref_31", "doi-asserted-by": "crossref", "first-page": "283", "DOI": "10.30574\/wjaets.2023.10.1.0265", "article-title": "Automated compliance management in hybrid cloud architectures", "volume": "10", "author": "Adeyinka", "year": "2023", "journal-title": "World J. Adv. Eng. Technol. Sci."},
      {"key": "ref_32", "first-page": "42", "article-title": "Compliance as Code: Automating Compliance in Cloud Systems", "volume": "8", "author": "Antiya", "year": "2020", "journal-title": "Int. J. Recent Innov. Trends Comput. Commun."},
      {"key": "ref_33", "unstructured": "Zakharchenko, A. (2026, January 04). Continuous Compliance Framework (CCF) Experimental Pipeline. GitHub Repository. Available online: https:\/\/github.com\/zakhalex\/ccf-experiment."},
      {"key": "ref_34", "unstructured": "Lu, Q., Zhu, L., Xu, X., Whittle, J., Zowghi, D., and Jacquet, A. (2022). Responsible AI Pattern Catalogue: A Collection of Best Practices for AI Governance and Engineering. arXiv."},
      {"key": "ref_35", "doi-asserted-by": "crossref", "first-page": "3265", "DOI": "10.1007\/s43681-024-00653-w", "article-title": "AI governance: A systematic literature review", "volume": "5", "author": "Batool", "year": "2025", "journal-title": "AI Ethics"}
    ],
    "container-title": ["Software"],
    "original-title": [],
    "language": "en",
    "link": [
      {
        "URL": "https:\/\/www.mdpi.com\/2674-113X\/5\/1\/6\/pdf",
        "content-type": "unspecified",
        "content-version": "vor",
        "intended-application": "similarity-checking"
      }
    ],
    "deposited": {
      "date-parts": [[2026, 2, 11]],
      "date-time": "2026-02-11T10:12:50Z",
      "timestamp": 1770804770000
    },
    "score": 1,
    "resource": {"primary": {"URL": "https:\/\/www.mdpi.com\/2674-113X\/5\/1\/6"}},
    "subtitle": [],
    "short-title": [],
    "issued": {"date-parts": [[2026, 2, 10]]},
    "references-count": 35,
    "journal-issue": {
      "issue": "1",
      "published-online": {"date-parts": [[2026, 3]]}
    },
    "alternative-id": ["software5010006"],
    "URL": "https:\/\/doi.org\/10.3390\/software5010006",
    "relation": {},
    "ISSN": ["2674-113X"],
    "issn-type": [{"value": "2674-113X", "type": "electronic"}],
    "subject": [],
    "published": {"date-parts": [[2026, 2, 10]]}
  }
}