Looking for Guidance for PCI Compliance.
We are currently moving to getting a ci\cd pipeline running on Gitlab.
Our current set up is we have a non production and a production environment on separate networks.
This reduces the area that is under PCI to just the Production network as this is the only place card holder data is present.
We get a deployment to production by the following:
Commit code to git
This kicks off current build of artifacts via cruise control
In non production we deploy this via scripts, which have access to artifacts
For production we make the artifacts available to production by pushing to SFTP server and run script on production jump server to deploy
We are now working to moving to use Gitlab where:
Gitlab running in non prod environment
Gitlab registry running in non prod environment with docker images stored in file system for now, eventlually to something like s3
GitLab runner running in non prod environment
Our issue is for the cd part we need to push images to production boxes and run docker commands(docker run). This results in our non production environment (via runner running pipeline) to have access to production which we never required.
Any guidance on how to avoid this and keep our production environment as restricted as possible. I presume lots of companies want to keep production restricted and how do they achieve this?