CI/CD for Regulated Customers

Act as a principal engineer. Define a CI/CD pipeline that satisfies SOC 2 and ISO 27001 concerns: branch policies, required reviews, SBOM generation, dependency scanning, SAST/DAST, signing and provenance (SLSA), environment promotion gates, and rollback strategy with change logs.

Author: tsubasa

Model: gpt-4o

Category: engineering

Tags: security, devops, CI/CD, compliance, SOC2
