Compliance says you can’t touch production without an approved ServiceNow ticket. It’s a non-negotiable rule, so most "automated" pipelines do exactly what you’d expect: they stop.
The pipeline sends an email to a release manager and waits. It waits for a human to log into a browser, find the right ticket, check the "State" field, and manually click "Proceed" in the pipeline. At that point, your high-speed automation highway has essentially become a manual toll booth. Your engineers aren't building software anymore; they’re acting as human API pollers.
The Problem with "Hero" Scripts
When teams get tired of clicking the button, they usually try to script their way out of it. One person spends three weeks building a 200-line Bash script filled with complex curl commands and jq logic to handle OAuth tokens and parse JSON.
It works—until it doesn't. Because only one person understands how that "Frankenstein" script works, it becomes a technical debt time bomb. If that person goes on vacation and the script breaks, the team goes right back to clicking the manual button. Brittle scripts aren't automation; they’re just another thing to maintain.
The Solution: Declarative Policy Gates
The better way to handle compliance isn't through complex scripts, but through simple, declarative policies. Instead of writing how to talk to ServiceNow, you should just define what the pipeline needs to see to move forward.
By using a configuration file instead of a script, you turn a complex task into a readable contract that everyone on the team can understand.
The CI/CD Example: Imagine a file in your repo called check-ticket.gate.json. Instead of code, it contains the "rules" for the deployment:
-
The Target: Use the standard ServiceNow API.
-
The Credentials: Use the "ServiceNow" secret from the vault.
-
The Success Criteria: If the
statefield equals "Approved," pass. -
The Failure Criteria: If the
stateis "Rejected," fail. -
The Default: If it’s "Pending," just pause and check again in five minutes.
Why This Works
When you move from imperative scripts to declarative gates, you change the dynamic of the team:
-
It’s readable: Anyone can look at the JSON file and understand exactly why a deployment is blocked.
-
It’s version-controlled: Changes to the approval policy are tracked in Git, just like your application code.
-
It’s auditable: The pipeline logs provide an immutable record. You don't have to hunt through emails to prove a ticket was approved; the log proves the pipeline was physically incapable of deploying without it.
This is how you bridge the gap between DevOps and compliance. You don't need more meetings or more manual checklists. You just need to teach your pipeline to speak the language of the business through a clear, automated contract.