Governance, Risk and Compliance in DevOps Delivery Pipeline
With excerpts from DevOps Automated Governance Reference Architecture from IT Revolution.

Why is automated governance needed in the DevOps delivery pipeline?
Organizations adopt DevOps practices for faster releases and improved customer experience; as delivery velocity increases, they need to ensure that every stage of the deployment pipeline remains protected.
It is important to design and implement automated governance throughout the delivery pipeline.
The goal is to create trust in the process of delivering software and services.
Governance uses controls (detective, corrective, preventive) to mitigate specific risks.
Governance, Risk and Compliance (GRC) solutions are meant to assist by providing a way to report whether expectations are met, within a meaningful business context.
What are the characteristics of better pipelines?
High quality: no security flaws, in compliance, minimal defects, etc.
Working: end to end it really works for all parties, it has been tested, and all dependencies are satisfied.
Faster: as soon as possible without sacrificing quality.
What are control points (gates) in the delivery pipeline?
Control points are a form of both metadata and evidence for actions taken during the development, production, and promotion processes.
These control points should be defined at every phase of continuous integration and preserved as evidence, for example in the build logs or in the record of how an artifact was built.
In governance each control should be paired with an attestation. For example: the control is unit testing; the attestation is that all unit tests were executed and passed.
Some of the common control points or design principles are:
Source code version control
Optimum branching strategy
Static analysis
>80% code coverage
Vulnerability scan
Open source scan
Artifact version control
Automated provisioning
Immutable servers
Integration testing
Performance testing
Automated build, deploy and test for every commit
Automated rollback
Automated change order
Zero downtime release
Feature toggle
Automated governance reference framework across the delivery pipeline
Example: Universal Metadata API
In this example we assume the software delivery pipeline uses the following practices:
development of a microservice application with a Java component
trunk-based development
container-based application with Kubernetes for container orchestration and deployment
continuous release of application deployment with a canary release strategy
Here we provide an example framework for capturing universal metadata. This example uses an API framework to capture and store the attestations. The attestation model consists of two parts: notes and occurrences. A note is an abstract view of a piece of metadata; each note represents a control (such as a pull request, peer review, etc.). An occurrence is a concrete instance of a note: the evidence that the control was applied to a particular artifact, which is the attestation half of the control/attestation pair.
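The following Python block is an added illustration of the control/attestation pairing and of the notes/occurrences model described above; it is not code from the reference architecture or from any metadata API product. Everything in it is assumed for the example: the class names (Note, Occurrence, MetadataStore), the in-memory store standing in for the API, the HMAC-signed evidence (so that only the holder of the pipeline key can mint an attestation), the constructed image digest, and the set of controls required before canary promotion, which is drawn from the control-point list above.

```python
"""Notes/occurrences attestation store with a promotion gate.
Added example, not the reference architecture's own code; all names,
the HMAC evidence signing and the sample digest are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed signing key for the demo; a real pipeline keeps this in its
# secret store so only the CI system can mint attestations.
PIPELINE_KEY = b"constructed-demo-key"

# Assumed set of controls an artifact must satisfy before canary promotion.
REQUIRED_CONTROLS = ["peer-review", "unit-test", "static-analysis",
                     "code-coverage", "vulnerability-scan"]
MIN_COVERAGE = 80.0   # the ">80% code coverage" control point


@dataclass(frozen=True)
class Note:
    """A control: the abstract description of one check the pipeline runs."""
    name: str
    description: str


@dataclass
class Occurrence:
    """An attestation: one instance of a control applied to one artifact."""
    note: str               # name of the Note this is evidence for
    resource: str           # artifact identity, e.g. an image digest
    passed: bool
    evidence: dict = field(default_factory=dict)
    signature: str = ""     # HMAC over the fields above, set by sign()

    def payload(self) -> bytes:
        body = {"note": self.note, "resource": self.resource,
                "passed": self.passed, "evidence": self.evidence}
        return json.dumps(body, sort_keys=True).encode()


def sign(occ: Occurrence, key: bytes = PIPELINE_KEY) -> Occurrence:
    occ.signature = hmac.new(key, occ.payload(), hashlib.sha256).hexdigest()
    return occ


def verify(occ: Occurrence, key: bytes = PIPELINE_KEY) -> bool:
    expected = hmac.new(key, occ.payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, occ.signature)


class MetadataStore:
    """In-memory stand-in for the metadata API: notes are registered first;
    an occurrence is only accepted for a known note and with a valid signature."""

    def __init__(self):
        self.notes: dict[str, Note] = {}
        self.occurrences: list[Occurrence] = []

    def create_note(self, note: Note) -> None:
        self.notes[note.name] = note

    def create_occurrence(self, occ: Occurrence) -> None:
        if occ.note not in self.notes:
            raise ValueError(f"unknown control {occ.note!r}: register the note first")
        if not verify(occ):
            raise ValueError("bad signature: evidence was not produced by the pipeline")
        self.occurrences.append(occ)

    def latest_for(self, resource: str) -> dict[str, Occurrence]:
        latest: dict[str, Occurrence] = {}   # a re-run supersedes earlier evidence
        for occ in self.occurrences:
            if occ.resource == resource:
                latest[occ.note] = occ
        return latest


def evaluate_gate(store: MetadataStore, resource: str) -> dict:
    """Promotion gate: every required control needs a passing attestation."""
    found = store.latest_for(resource)
    missing, failing = [], []
    for name in REQUIRED_CONTROLS:
        occ = found.get(name)
        if occ is None:
            missing.append(name)
        elif not occ.passed:
            failing.append(name)
        elif name == "code-coverage" and occ.evidence.get("percent", 0) <= MIN_COVERAGE:
            failing.append(name)   # attested as run, but below the threshold
    return {"allowed": not missing and not failing,
            "missing": missing, "failing": failing}


IMAGE = "sha256:constructed0000000000000000000000000000000000000000000000000000ab"


def demo() -> tuple[dict, dict, bool]:
    store = MetadataStore()
    for name in REQUIRED_CONTROLS:
        store.create_note(Note(name, f"{name} control"))

    def attest(note, passed, **evidence):
        store.create_occurrence(sign(Occurrence(note, IMAGE, passed, evidence)))

    attest("peer-review", True, approvals=2)
    attest("unit-test", True, total=212, failed=0)
    attest("static-analysis", True, findings=0)
    attest("code-coverage", True, percent=76.5)          # below 80%
    first = evaluate_gate(store, IMAGE)                  # blocked: coverage, no vuln scan

    attest("code-coverage", True, percent=84.2)          # re-run supersedes
    attest("vulnerability-scan", True, critical=0, high=0)
    second = evaluate_gate(store, IMAGE)                 # allowed

    # Tampered evidence: flip a failing scan to passing after it was signed.
    forged = sign(Occurrence("vulnerability-scan", IMAGE, False, {"critical": 3}))
    forged.passed = True
    try:
        store.create_occurrence(forged)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return first, second, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

The gate reports missing controls separately from failing ones, which is the distinction a reviewer needs: a missing occurrence means the control never ran for this digest, a failing one means it ran and the evidence did not meet the threshold. Signing the occurrence payload ties the evidence to the artifact digest, so an attestation cannot be copied from one image to another or edited after the fact without the pipeline key.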
Ref: DevOps Automated Governance Reference Architecture from IT Revolution.