Organizations face mounting pressure to secure not just their applications, but the entire pipeline that builds and delivers them. From compromised build environments to tampered artifacts, the software supply chain has become a primary attack vector.
That's why we're excited to announce that Endor Labs provides comprehensive native support for the newly announced OWASP Secure Pipeline Verification Standard (SPVS), helping teams implement security controls across all five stages of the software delivery lifecycle.
SPVS exists because most established standards don’t tell you how to prove a modern CI/CD pipeline is secure, end to end:
- ISO 27001 and SOC 2 focus on organization controls
- NIST SSDF and OWASP ASVS guide secure development practices and application security
- SLSA defines supply-chain levels
None of these frameworks provide a prescriptive, stage-by-stage verification checklist for the pipeline itself. SPVS fills that gap with pipeline-scoped, auditable controls mapped to each phase of the software development lifecycle, with maturity tiers and automation-friendly evidence. It complements, rather than replaces, existing frameworks by turning their intent into concrete, testable requirements for runner hardening, artifact integrity, provenance, secret isolation, and release gating. It reduces ambiguity in audits by closing the “last mile” between policy and verifiable practice.
Congrats and thanks to the OWASP project leaders, Farshad Abasi and Cameron Walters, as well as the larger OWASP community for their work developing the project.
Why it matters
Traditional application security focuses on finding vulnerabilities in code. But attackers increasingly target the pipeline itself by compromising build systems, injecting malicious dependencies, or tampering with artifacts before they reach production. Recent high-profile supply chain attacks have demonstrated that securing the development pipeline is just as critical as securing the application.
SPVS addresses this gap by providing a structured approach to pipeline security that spans the entire software delivery lifecycle. It's not enough to scan code for vulnerabilities; organizations need to ensure their build environments are hardened, their artifacts are verifiably intact, and their deployment processes are auditable and compliant.
What is the OWASP Secure Pipeline Verification Standard (SPVS)?
The Secure Pipeline Verification Standard (SPVS) is a comprehensive framework designed to assess, enhance, and standardize the security maturity of software delivery pipelines. Unlike traditional application security frameworks that focus on the software itself, SPVS addresses the security of the systems that build, test, and deploy that software.
SPVS organizes security controls across the five stages of the software development lifecycle: Plan, Develop, Integrate, Release, and Operate.
The framework also defines three maturity levels—Foundational, Standard, and Advanced—allowing organizations to progressively strengthen security as they mature. Each control maps to established standards including NIST 800-53, the OWASP CI/CD Top 10, and CWE identifiers, making SPVS both actionable for engineering teams and auditable for compliance purposes.
How Endor Labs supports SPVS
Our mission at Endor Labs is to secure your code and everything it depends on: open source dependencies, containers, AI models, CI/CD pipelines, secrets, etc. That philosophy aligns perfectly with OWASP SPVS.

Here's how Endor Labs provides coverage across the framework:
Plan
While design reviews and threat modeling happen outside the code, security planning requires reliable telemetry about your software supply chain. This is a critical part of building a continuous feedback loop. Endor Labs provides:
- Risk identification across code, open source packages, containers, and CI/CD pipelines
- API-first platform so you can integrate that data into planning tools
- Data to support post-mortems and other improvements
Develop
Most security issues are easier to fix during development than after deployment, yet many teams still rely on downstream scanning to catch vulnerabilities. SPVS addresses this by requiring secure coding practices, continuous reviews, and automated security checks that run as developers write code.
Endor Labs helps engineering teams write secure-by-default code by:
- Integrating security directly into code generation through its MCP Server, so developers and AI coding agents can validate and fix insecure patterns, leaked secrets, and vulnerable dependencies as code is written.
- Performing security checks (SAST, SCA, container, secrets) within developer environments before code is committed.
- Ensuring good credential hygiene by detecting active, exposed secrets pre-commit, directly in developer environments.
- Assisting code review with AI Security Code Review, which detects business logic flaws, risky changes, and design drift that affect your security posture.
Integrate
Once code is written, it is integrated into the main codebase. Security is woven into this stage to verify artifact integrity, ensure the build environment is free from tampering, and confirm that security tests pass. Endor Labs helps:
- Scan, analyze, and mitigate risks in GitHub Actions, covering both the workflow configuration and the actions and dependencies used in your CI pipelines
- Detect exposed secrets and credentials in CI/CD pipelines with secrets detection
- Sign and verify artifacts so you can trace the origin of every artifact deployed to production
- Continuously run automated security testing (SAST, SCA, container scans, and malware detection) in the build and integration pipeline to detect and address issues early
- Discover, assess, and govern AI models used in your applications with automated risk scoring and policy enforcement
Release
The Release stage ensures software is production-ready and securely deployed. It includes final security validations, compliance checks, and approvals in staging or pre-production environments. Endor Labs helps teams:
- Track and manage open source licenses to maintain compliance with organizational standards
- Generate and export an SBOM for compliance reporting and assessments
- Enforce validation gates with developer-friendly policies
Operate
Once code is deployed to production, it requires ongoing maintenance, monitoring, and protection. This includes incident response, vulnerability management, and patching for newly identified CVEs in software components. Endor Labs helps teams maintain SLAs and stay compliant under stringent programs like FedRAMP by:
- Detecting and responding to newly discovered open source vulnerabilities with security patches, function-level reachability analysis for prioritization, and upgrade impact analysis to scope the remediation effort
- Integrating with runtime monitoring tools to correlate application and container layer risks back to their original source and resolve them there
Getting started
Organizations at any stage of their security maturity journey can benefit from SPVS. Whether you're establishing foundational pipeline security or advancing toward a fully hardened, audit-ready DevSecOps environment, Endor Labs provides the tools to implement SPVS controls at scale.
Start by assessing your current pipeline security posture against the SPVS framework. Identify gaps in artifact integrity, build environment protection, and compliance validation. Then leverage Endor Labs to automate security controls, enforce policies, and generate the evidence needed for audits and compliance reviews.
Contact us if you’d like to schedule a demo and discuss how Endor Labs can help you implement the OWASP Secure Pipeline Verification Standard (SPVS) in your organization.