English

Intent-Aware Authorization for Zero Trust CI/CD

Cryptography and Security 2025-04-22 v1 Software Engineering

Abstract

This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system builds on SPIFFE-based workload identity and credential brokers, and enables fine-grained, auditable authorization. This is the third paper in a series on Zero Trust CI/CD design patterns.

Cite

@article{arxiv.2504.14777,
  title  = {Intent-Aware Authorization for Zero Trust CI/CD},
  author = {Surya Teja Avirneni},
  journal= {arXiv preprint arXiv:2504.14777},
  year   = {2025}
}

Comments

13 pages. Originally authored in Dec 2024. Third paper in a three-part series on Zero Trust CI/CD and Workload Identity. Expands on SPIFFE-based authentication and credential brokers with policy-based, intent-aware authorization patterns using OPA and Cedar

R2 v1 2026-06-28T23:05:00.889Z