79837567

Date: 2025-12-04 06:14:31
Score: 1

For CloudFormation CI/CD in GitLab, you can put security and compliance checks early in the pipeline so they run before any stack update. The common tools used in AWS projects are cfn-lint for template validation, cfn-nag for insecure IAM or public resources, and Checkov when you want deeper policy checks. If you need Compliance as Code, CloudFormation Guard or OPA works well, and both fit easily into GitLab jobs.

A simple pipeline is validate, security scan, compliance rules, version bump, and then deploy to a test stack. Many teams also bring in DevSecOps services when they need custom rule sets, but the tools above are enough for most CloudFormation workflows.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Anshul Kichara
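
A `.gitlab-ci.yml` sketch of the stage order described in the answer, added here as an illustration and not part of the original post. The template directory, Guard rule directory, `main.yaml` and stack name are assumptions, AWS credentials are expected to come from protected CI/CD variables, and the version bump step is left out because it is project-specific. Each scanner exits non-zero on findings, so a failed check stops the pipeline before the deploy stage.

```yaml
# Added example, not from the original answer. Paths, stack name and rule
# directory are assumptions; AWS credentials come from CI/CD variables.
stages: [validate, security, compliance, deploy-test]

variables:
  TEMPLATE_DIR: templates          # assumed location of CloudFormation templates
  GUARD_RULES: compliance/rules    # assumed location of CloudFormation Guard rules
  TEST_STACK: myapp-test           # hypothetical test stack name

cfn-lint:                          # template validation
  stage: validate
  image: python:3.12-slim
  script:
    - pip install --quiet cfn-lint
    - cfn-lint "$TEMPLATE_DIR"/*.yaml

cfn-nag:                           # insecure IAM and public resources
  stage: security
  image: ruby:3.3
  script:
    - gem install cfn-nag
    - cfn_nag_scan --input-path "$TEMPLATE_DIR"

checkov:                           # deeper policy checks
  stage: security
  image: python:3.12-slim
  script:
    - pip install --quiet checkov
    - checkov --directory "$TEMPLATE_DIR" --framework cloudformation

cfn-guard:                         # compliance-as-code rules
  stage: compliance
  image: rust:1
  script:
    - cargo install cfn-guard
    - cfn-guard validate --data "$TEMPLATE_DIR" --rules "$GUARD_RULES"

deploy-test:                       # runs only if every earlier stage passed
  stage: deploy-test
  image: python:3.12-slim
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - pip install --quiet awscli
    - aws cloudformation deploy --template-file "$TEMPLATE_DIR/main.yaml"
        --stack-name "$TEST_STACK" --capabilities CAPABILITY_NAMED_IAM
        --no-fail-on-empty-changeset
```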