Skip to main content
Last reviewed: March 5, 2026 Owner: Security + Engineering Review cadence: Quarterly Status: Implemented This page covers the engineering controls Tero applies before changes reach production.

Reviewer focus

  • How code changes are reviewed and validated
  • How dependency and secret risks are managed in CI and deployment workflows
  • How production changes are controlled and rolled back when needed

Implementation status (March 5, 2026)

Tero uses reviewed change workflows, automated checks, and controlled deployment paths.

SDLC control baseline

ControlImplementation
Code reviewTero requires peer review before merge
CI checksTero requires automated checks before merge and deploy
TestingAutomated tests run in CI workflows
Dependency riskVulnerability scanning in development and security workflows
Secrets hygieneTero manages secrets in dedicated secret systems
Deployment controlControlled CI/CD paths and environment controls

Change management expectations

  • Tero reviews changes before merge.
  • Production-impacting changes follow controlled rollout behavior.
  • Tero rolls back failed deploys and tracks post-incident fixes to completion.

Hosted vs self-hosted boundary

AreaTero-hostedSelf-hosted
Product SDLC controlsTeroTero
Runtime deployment controlsTero-operatedCustomer-operated runtime
Infrastructure patching controlsTero-operatedCustomer-operated

Evidence you can request

TopicPrimary evidence
Runtime and architecture boundariesSecurity Architecture
Access and secret handlingIdentity and Access, Encryption and Key Management
Assurance postureCompliance and Assurance

Exceptions and governance

Any SDLC control exception requires documented approval, compensating controls, and remediation timing. Evidence requests: