Governance, Risk and Compliance in DevOps Delivery Pipeline

With excerpts from DevOps Automated Governance Reference Architecture from IT Revolution.





Why is there a need for automated governance in the DevOps delivery pipeline?

  1. Organizations are adopting DevOps practices for faster releases and an improved customer experience; as delivery velocity increases, they need to ensure that every aspect of the deployment pipeline stays protected.

  2. It is important to design and implement automated governance throughout the delivery pipeline.

  3. The goal is to create trust in the process of delivering software and services.

  4. Governance uses controls (detective, corrective, preventive) to mitigate specific risks.

Governance, Risk and Compliance (GRC) solutions are meant to assist by providing a way to report whether expectations are met, within a meaningful business context.

What are the characteristics of better pipelines?

  1. High quality, meaning no security flaws, in compliance, a minimum of defects, etc.

  2. Working, meaning that end to end it really works for all parties, that it has been tested, and that all dependencies are satisfied.

  3. Faster, meaning as soon as possible without sacrificing quality.

What are control points (gates) in the delivery pipeline?


  1. Control points are a form of both metadata and evidence for actions taken during the development, production, and promotion processes.

  2. These control points should be defined at every phase of continuous integration and preserved in the build logs or in logs of how an artifact was built.

  3. In governance each control should be paired with an attestation. For example: the control is "unit tests", and the attestation is "all unit tests were executed and passed".

Some of the common control points or design principles are:

  • Source code version control

  • Optimum branching strategy

  • Static analysis

  • >80% code coverage

  • Vulnerability scan

  • Open source scan

  • Artifact version control

  • Auto provisioning

  • Immutable servers

  • Integration testing

  • Performance testing

  • Build, deploy and test automated for every commit

  • Automated rollback

  • Automated change order

  • Zero downtime release

  • Feature toggle


Automated governance reference framework across delivery pipeline


Example: Universal Metadata API


In this example we assume the software delivery pipeline uses the following practices:

  • development for a microservice application with a Java component

  • trunk-based development

  • container-based application with Kubernetes for container orchestration and deployment

  • continuous release of the application with a canary release strategy

Here, we provide an example framework for capturing universal metadata. This example uses an API framework to capture and store the attestations. The attestation model used consists of two parts: notes and occurrences. A note is an abstract view of a piece of metadata. Each note represents a control (such as a pull request, peer review, etc.).
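The following is an added example, not code from the page or from the IT Revolution reference architecture, showing how the control/attestation pairing described under control points and the notes/occurrences model described here can be implemented as a small in-memory metadata store. The page defines only notes; the example assumes that an occurrence is one concrete attestation of a note recorded against a specific artifact (here a container image digest). The control names, image digest and evidence payloads are constructed for illustration, and the promotion gate simply requires every defined control to have a passing attestation for the artifact.

```python
"""Minimal notes/occurrences attestation store for a delivery pipeline.

Hypothetical example: control names, the artifact identifier and the
evidence payloads are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Note:
    """A note describes a control abstractly (e.g. 'unit tests')."""
    name: str
    description: str
    # Predicate over the evidence dict deciding whether an attestation passes.
    passes: Callable[[dict], bool]


@dataclass(frozen=True)
class Occurrence:
    """An occurrence is an attestation: one concrete instance of a note
    recorded against one artifact (assumption: identified by image digest)."""
    note_name: str
    resource: str      # the artifact the attestation is about
    evidence: dict     # metadata captured from the pipeline step
    attested_by: str   # the pipeline stage or tool that produced it


class MetadataStore:
    """In-memory stand-in for the metadata API: notes plus occurrences."""

    def __init__(self) -> None:
        self.notes: Dict[str, Note] = {}
        self.occurrences: List[Occurrence] = []

    def add_note(self, note: Note) -> None:
        self.notes[note.name] = note

    def record(self, occ: Occurrence) -> None:
        # Refuse attestations for controls that were never defined.
        if occ.note_name not in self.notes:
            raise KeyError(f"unknown control: {occ.note_name}")
        self.occurrences.append(occ)

    def occurrences_for(self, resource: str) -> List[Occurrence]:
        return [o for o in self.occurrences if o.resource == resource]

    def evaluate_gate(self, resource: str) -> Dict[str, Optional[bool]]:
        """For every defined control report True (attested and passed),
        False (attested but failed) or None (no attestation recorded)."""
        result: Dict[str, Optional[bool]] = {name: None for name in self.notes}
        for occ in self.occurrences_for(resource):
            verdict = self.notes[occ.note_name].passes(occ.evidence)
            prior = result[occ.note_name]
            # A failing attestation is never masked by a later passing one
            # for the same artifact: all recorded evidence has to agree.
            result[occ.note_name] = verdict if prior is None else (prior and verdict)
        return result

    def may_promote(self, resource: str) -> bool:
        """Gate: every control must have a passing attestation."""
        return all(v is True for v in self.evaluate_gate(resource).values())


def build_example_store() -> MetadataStore:
    """Three controls taken from the page's list of common control points."""
    store = MetadataStore()
    store.add_note(Note("unit-tests", "All unit tests executed and passed",
                        lambda e: e["executed"] > 0 and e["failed"] == 0))
    store.add_note(Note("code-coverage", "Line coverage above 80%",
                        lambda e: e["line_coverage"] > 80.0))
    store.add_note(Note("vulnerability-scan", "No critical or high findings",
                        lambda e: e["critical"] == 0 and e["high"] == 0))
    return store


IMAGE = "registry.example/orders@sha256:0123abcd"  # constructed digest


def demo_gate() -> Tuple[Dict[str, Optional[bool]], bool]:
    """Record two attestations, leave the scan missing, evaluate the gate."""
    store = build_example_store()
    store.record(Occurrence("unit-tests", IMAGE,
                            {"executed": 412, "failed": 0}, "ci/test"))
    store.record(Occurrence("code-coverage", IMAGE,
                            {"line_coverage": 84.2}, "ci/test"))
    # No vulnerability-scan occurrence recorded: the gate must stay closed.
    return store.evaluate_gate(IMAGE), store.may_promote(IMAGE)


if __name__ == "__main__":
    gate, promote = demo_gate()
    for control, verdict in gate.items():
        print(f"{control:20s} {'missing' if verdict is None else verdict}")
    print("may promote:", promote)
```

Running the block prints the per-control verdicts and `may promote: False`, because the vulnerability scan control has no attestation for the image. The design point is that a missing attestation is reported distinctly from a failed one (`None` versus `False`): both block promotion, but they point at different remediation (a pipeline step that never ran versus a step that ran and found a problem).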


Ref: DevOps Automated Governance Reference Architecture from IT Revolution.
