What is the Deployment Chain?
The deployment chain is the complete path that code follows from a developer's repository to a running, potentially internet-exposed service. In a modern cloud-native environment, this chain typically looks like:
Typical deployment chain
1. Source code repository — GitHub, GitLab, Bitbucket
2. Build pipeline — GitHub Actions, Jenkins, GitLab CI, CircleCI
3. Container image — Docker image pushed to ECR, GCR, Docker Hub
4. Runtime service — Kubernetes deployment, ECS task, Lambda function
5. Network exposure — Load balancer, API gateway, CDN, direct IP
6. Internet exposure — Publicly reachable endpoint
Each link in this chain is a relationship that matters for security. A vulnerability in source code is a different risk depending on whether the code was built, whether the build produced a deployed container, whether the container is running in production, and whether the service is internet-facing.
Why Most Security Tools Lack Deployment Context
Traditional security scanners operate at a single point in the deployment chain:
- SAST scans source code — but does not know if the code is built or deployed
- SCA scans dependencies — but does not know if the dependency is in a deployed artifact
- Container scanners scan images — but do not know which images are running in production
- Cloud security tools scan infrastructure — but do not trace findings back to the code that created them
None of these tools, on their own, can answer the question: "Is this vulnerability actually running in a production service that is exposed to the internet?"
This is the gap that deployment chain mapping fills. By mapping the relationships between all of these systems, an ASPM platform can provide the deployment context that individual scanners cannot.
How VigilChain Maps the Deployment Chain
VigilChain connects to your source control, CI/CD, container registries, orchestration platforms, and cloud providers to automatically discover and maintain the deployment chain. This is not a one-time import — the chain is continuously updated as your environment changes.
- Connect sources — VigilChain integrates with your repositories, CI/CD pipelines, container registries, Kubernetes clusters, and cloud accounts.
- Discover relationships — The platform automatically maps which repositories produce which builds, which builds produce which images, which images are deployed to which services, and which services are exposed to the internet.
- Maintain the chain — As new deployments occur, new services are created, or exposure changes, the deployment chain is updated automatically.
- Enrich findings — Every security finding from every scanner is placed on the deployment chain, giving it the context needed for accurate prioritization.
What Deployment Chain Mapping Enables
Once the deployment chain is mapped, several capabilities become possible:
- Deployment-aware prioritization — Findings in deployed, internet-exposed services are automatically elevated. Findings in undeployed code are deprioritized.
- Bidirectional traceability — Trace forward from code to deployment, or backward from an exposed service to the responsible team and repository.
- Blast radius analysis — When a new CVE is disclosed, immediately identify which deployed services are affected and whether they are internet-facing.
- Ownership routing — Automatically route findings to the team that owns the affected repository and service, rather than dumping all findings on a central security team.
- Compliance reporting — Report on security posture by service, environment, and exposure level — giving executives visibility into where risk actually lives.
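The following is an added illustration of the chain described above (repository, build, image, service, exposure) and of three of the capabilities listed here: deployment-aware prioritization, backward traceability to the owning team, and blast radius analysis. It is not VigilChain's code; it is a small in-memory model with constructed sample data. Every repository, image, service, team and package name (including the hypothetical package "widget-parser" and its "below 2.3.0" vulnerability rule) is made up for the example, and the priority scoring rule is an assumption chosen to show how deployment context changes a finding's rank.

```python
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Image:
    name: str
    built_from: str            # repository whose build produced this image
    packages: dict[str, str]   # package -> version, as a container/SCA scanner reports it


@dataclass
class Service:
    name: str
    image: str                 # image this service runs
    environment: str           # "production" or "staging"
    internet_facing: bool      # reachable through a public load balancer/gateway


@dataclass
class Finding:
    id: str
    severity: str              # scanner severity: critical/high/medium/low
    repo: str                  # repository where SAST/SCA raised the finding


class DeploymentChain:
    """Relationship graph: repo -> image -> service -> exposure (assumed model)."""

    def __init__(self) -> None:
        self.repo_owner: dict[str, str] = {}      # repo -> owning team
        self.images: dict[str, Image] = {}
        self.services: dict[str, Service] = {}

    def add_repo(self, repo: str, team: str) -> None:
        self.repo_owner[repo] = team

    def add_image(self, image: Image) -> None:
        self.images[image.name] = image

    def add_service(self, svc: Service) -> None:
        self.services[svc.name] = svc

    def services_of_repo(self, repo: str) -> list[Service]:
        """Forward traversal: repo -> images built from it -> services running them."""
        image_names = {i.name for i in self.images.values() if i.built_from == repo}
        return [s for s in self.services.values() if s.image in image_names]

    def owner_of_service(self, service: str) -> tuple[str, str]:
        """Backward traversal: service -> image -> repo -> team."""
        repo = self.images[self.services[service].image].built_from
        return repo, self.repo_owner[repo]

    def enrich(self, f: Finding) -> dict:
        """Place a code-level finding on the chain and derive a deployment-aware priority."""
        deployed = self.services_of_repo(f.repo)
        in_prod = [s for s in deployed if s.environment == "production"]
        exposed = [s for s in in_prod if s.internet_facing]
        if not deployed:
            prio = "P4"                      # assumed rule: undeployed code is always lowest
        else:
            score = SEVERITY_RANK[f.severity]
            score += 1 if exposed else 0     # elevate when internet-facing in production
            score -= 1 if not in_prod else 0 # demote when only in non-production environments
            prio = {5: "P0", 4: "P1", 3: "P2", 2: "P3"}.get(score, "P4")
        return {
            "finding": f.id, "team": self.repo_owner[f.repo],
            "deployed": bool(deployed), "production": bool(in_prod),
            "internet_exposed": bool(exposed),
            "services": sorted(s.name for s in deployed), "priority": prio,
        }

    def blast_radius(self, package: str, is_vulnerable: Callable[[str], bool]) -> list[dict]:
        """For a newly disclosed package vulnerability, list affected deployed services."""
        hits = []
        for svc in self.services.values():
            version = self.images[svc.image].packages.get(package)
            if version is not None and is_vulnerable(version):
                repo, team = self.owner_of_service(svc.name)
                hits.append({"service": svc.name, "environment": svc.environment,
                             "internet_facing": svc.internet_facing,
                             "team": team, "repo": repo})
        # Internet-facing services first, then by name
        return sorted(hits, key=lambda h: (not h["internet_facing"], h["service"]))


def build_sample_chain() -> DeploymentChain:
    """Constructed sample environment (all names are made up)."""
    chain = DeploymentChain()
    chain.add_repo("payments-api", "payments")
    chain.add_repo("internal-tools", "platform")
    chain.add_repo("prototype", "research")   # has code, but was never built or deployed
    chain.add_image(Image("payments-api:1.4.2", "payments-api", {"widget-parser": "2.1.0"}))
    chain.add_image(Image("payments-api:1.5.0", "payments-api", {"widget-parser": "2.3.0"}))  # built, not yet deployed
    chain.add_image(Image("internal-tools:0.9", "internal-tools", {"widget-parser": "2.0.4"}))
    chain.add_service(Service("payments-web", "payments-api:1.4.2", "production", True))
    chain.add_service(Service("payments-staging", "payments-api:1.4.2", "staging", False))
    chain.add_service(Service("admin-console", "internal-tools:0.9", "production", False))
    return chain


def widget_parser_vulnerable(version: str) -> bool:
    """Hypothetical advisory rule for the made-up package: versions below 2.3.0."""
    return tuple(int(p) for p in version.split(".")) < (2, 3, 0)


if __name__ == "__main__":
    chain = build_sample_chain()
    for f in (Finding("F-1", "critical", "payments-api"),
              Finding("F-2", "critical", "prototype"),
              Finding("F-3", "high", "internal-tools")):
        print(chain.enrich(f))
    for hit in chain.blast_radius("widget-parser", widget_parser_vulnerable):
        print(hit)
```

Running it shows the point of the page: the same "critical" severity becomes P0 for the repository whose image runs internet-facing in production and P4 for the prototype repository that was never built, and the blast radius query answers "which deployed, internet-facing services carry this package" without re-scanning anything, because the image-to-service relationship is already recorded.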
Get Started
VigilChain maps your deployment chain automatically. Connect your sources, and within minutes you will see the full path from code to cloud for every application in your environment.
Explore the full platform or request early access to see deployment chain mapping in action.