Improving Product Reliability by Imposing Constraints as a Part of CI/CD Process
Article Summary
Revolut built a system that automatically blocks code deployments based on security risk and bug count. Here's how they shifted security left without slowing down 165,000+ pull requests.
Revolut's AppSec team created DARC (Dynamic Application Risk Calculator), a platform that calculates risk scores using weighted formulas and blocks PRs when thresholds are exceeded. The system integrates with their existing Security Drone scanner and multiple internal data sources.
Key Takeaways
- DARC evaluated 165,670 PRs in 2 months and blocked 1,832 of them automatically, with each evaluation taking ~5 seconds
- The risk score is a weighted arithmetic mean across 7 factors, including data sensitivity, exposure, and the CIA triad (confidentiality, integrity, availability)
- Only 1% of applications now exceed risk threshold; open bugs decreased 31%
- Emergency derogation mechanism lets authorized engineers bypass blocks with full audit trail
- Two blocking modes: risk-based (per application) and bug-based (per team)
Revolut reduced their at-risk applications to 1% and cut open bugs by 31% using automated PR blocking tied to dynamic risk calculations.
About This Article
Revolut's security data was scattered across multiple scanners (SAST, SCA, DAST, IaC) from different vendors. This made it hard to pull findings together in one place and calculate consistent risk scores without doing a lot of manual work.
Pedro Moura's team built DARC using a weighted arithmetic mean formula. It connects Risk Factor Vulnerability (RFV) from CVSS scores with Risk Factor Context (RFC), which covers five contextual dimensions. This lets them add new scanners and attributes without friction.
The model produces scores on a 0 to 100 scale with clear cutoffs: 0-50 passes, 50-75 triggers a warning, 75-100 blocks the change. DARC can evaluate pull requests in about 5 seconds. Within weeks of going live, it brought the number of applications exceeding risk thresholds down to just 1%.
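The scoring and gating described above, as an added example that is not Revolut's DARC code. The factor weights, the "worst finding" CVSS normalisation, and the treatment of the 50 and 75 boundaries are assumptions; the article gives only the 0-100 scale and the pass/warn/block bands.

```python
# Decision bands from the article: 0-50 pass, 50-75 warn, 75-100 block.
# Assumption: a score exactly on a boundary falls into the stricter band.
PASS_MAX, WARN_MAX = 50.0, 75.0

# Assumed weights (the article does not publish them). "vulnerability" is the
# RFV term; the remaining keys are contextual RFC dimensions.
WEIGHTS = {
    "vulnerability": 3.0,       # RFV, derived from CVSS
    "data_sensitivity": 2.0,    # RFC
    "exposure": 2.0,            # RFC, e.g. internet-facing vs internal
    "confidentiality": 1.0,     # RFC, CIA triad
    "integrity": 1.0,
    "availability": 1.0,
}

def rfv_from_cvss(cvss_scores):
    """Map the worst open finding's CVSS base score (0-10) onto 0-100.
    Using the maximum is an assumption; the article only says RFV comes from CVSS."""
    if not cvss_scores:
        return 0.0                      # no open findings -> no vulnerability risk
    worst = max(cvss_scores)
    if not 0.0 <= worst <= 10.0:
        raise ValueError("CVSS base scores must be within 0..10")
    return worst * 10.0

def risk_score(factors):
    """Weighted arithmetic mean of 0-100 factor values, using WEIGHTS."""
    missing = WEIGHTS.keys() - factors.keys()
    if missing:
        raise KeyError(f"missing risk factors: {sorted(missing)}")
    for name, value in factors.items():
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"factor {name} must be within 0..100")
    return sum(WEIGHTS[k] * factors[k] for k in WEIGHTS) / sum(WEIGHTS.values())

def decision(score):
    """Translate a 0-100 score into the CI/CD gate outcome."""
    if score < PASS_MAX:
        return "pass"
    if score < WARN_MAX:
        return "warn"
    return "block"

def evaluate_pr(cvss_scores, context):
    """Combine scanner findings (RFV) with application context (RFC) for one PR."""
    factors = dict(context, vulnerability=rfv_from_cvss(cvss_scores))
    score = risk_score(factors)
    return round(score, 1), decision(score)
```

A constructed internet-facing payments service with an open CVSS 9.8 finding scores 86.4 and is blocked, while an internal tool with a single CVSS 4.3 finding scores 26.9 and passes.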