Engineering DevSecOps for Air-Gapped Networks
Marcus Reyes
Principal Engineer
The constraint that shapes everything
An air-gapped network has no path to the public internet. No npm install from
the outside. No pulling a base image at build time. No reaching a SaaS scanner.
Most DevSecOps tooling quietly assumes connectivity. Removing that assumption is the entire engineering problem.
Deterministic mirroring
Narsil resolves every dependency, base image, and scanner database outside the boundary, then transfers a signed, content-addressed bundle across the gap.
- Resolve the full dependency closure on the connected side.
- Sign and hash every artifact.
- Transfer the bundle through the accredited one-way path.
- Verify signatures on the disconnected side before anything runs.
mirror:
  closure: lockfile
  sign: cosign
  transfer: one-way-diode
  verify: strict
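The four steps above, as an added worked example rather than Narsil's own code: the connected side content-addresses every artifact in the closure into a canonical manifest and signs it; the disconnected side refuses the bundle unless the signature verifies, every listed artifact matches its digest, and nothing unlisted has appeared. The closure contents, paths and key are constructed for the example, and an HMAC stands in for the cosign signature so the script runs offline with only the standard library.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample closure standing in for resolved packages, base images and
# scanner databases. The paths and bytes are made up for this example.
SAMPLE_CLOSURE: Dict[str, bytes] = {
    "packages/libfoo-1.2.3.tgz": b"fake package tarball",
    "images/base-image.tar": b"fake OCI image layers",
    "scanners/vulndb.tar.gz": b"fake vulnerability database snapshot",
}

# Hypothetical key. The page's pipeline signs with cosign (asymmetric); an HMAC
# key is used here only so the example runs offline with the standard library.
BUNDLE_KEY = b"example-key-not-for-production"

MANIFEST = "manifest.json"
SIGNATURE = "manifest.sig"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> bytes:
    """Connected side: content-address every artifact, serialised canonically
    so identical closures always yield byte-identical manifests."""
    manifest = {"version": 1,
                "artifacts": {p: sha256_hex(b) for p, b in sorted(artifacts.items())}}
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def write_bundle(root: Path, artifacts: Dict[str, bytes], key: bytes) -> None:
    """Connected side: lay out the artifacts, the manifest and its signature."""
    for rel, blob in artifacts.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(blob)
    manifest = build_manifest(artifacts)
    (root / MANIFEST).write_bytes(manifest)
    (root / SIGNATURE).write_text(sign(manifest, key))


def verify_bundle(root: Path, key: bytes) -> List[str]:
    """Disconnected side, strict mode: returns the list of problems found.
    An empty list means the bundle may be used."""
    problems: List[str] = []
    manifest_bytes = (root / MANIFEST).read_bytes()
    if not hmac.compare_digest(sign(manifest_bytes, key),
                               (root / SIGNATURE).read_text().strip()):
        # Nothing inside an unauthenticated manifest can be trusted; stop here.
        return ["manifest signature mismatch"]
    listed = json.loads(manifest_bytes)["artifacts"]
    for rel, digest in listed.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_hex(path.read_bytes()) != digest:
            problems.append(f"digest mismatch: {rel}")
    # Strict: files on disk that the signed manifest does not list are rejected.
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in listed and rel not in (MANIFEST, SIGNATURE):
            problems.append(f"unlisted artifact: {rel}")
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Round trip three times: intact bundle, tampered artifacts, tampered manifest."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "bundle"
        write_bundle(bundle, SAMPLE_CLOSURE, BUNDLE_KEY)
        results["intact"] = verify_bundle(bundle, BUNDLE_KEY)
        # Simulate corruption in transit plus a file nobody resolved.
        db = bundle / "scanners/vulndb.tar.gz"
        db.write_bytes(b"X" + db.read_bytes()[1:])
        (bundle / "scanners/extra.bin").write_bytes(b"unexpected")
        results["tampered_artifacts"] = verify_bundle(bundle, BUNDLE_KEY)
        # Simulate an edited manifest: the signature no longer matches.
        (bundle / MANIFEST).write_bytes((bundle / MANIFEST).read_bytes() + b" ")
        results["tampered_manifest"] = verify_bundle(bundle, BUNDLE_KEY)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Two design points carry over to the real pipeline. The manifest is signed as raw bytes and verified before it is parsed, so a forged or edited manifest is rejected without any of its contents being trusted; and strict mode treats an unlisted file as a failure, since an artifact that was never resolved on the connected side has no provenance. The one thing the stand-in does not show is the key split: with cosign the enclave holds only a public key, whereas the HMAC here would require the signing secret on both sides.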
Why determinism matters
If a build is not reproducible, you cannot prove what is running inside the enclave. Determinism is therefore not a nicety — it is the foundation of the audit trail. The same inputs must always produce the same, verifiable outputs.
Operating without a safety net
Inside the gap there is no vendor to call and no telemetry leaving the network. The platform must be self-describing: every decision it makes is logged, attributable, and reviewable by the operators who own the mission.
The result
A disconnected enclave that nonetheless feels modern — fast pipelines, automated hardening, and continuous evidence — without a single packet crossing the boundary uninspected.