The evolution of DevOps started with the Continuous Integration (CI) and Continuous Deployment (CD) pipeline, aimed at automating and integrating continuous monitoring into the software development lifecycle. It coordinates the streaming of the source code to the production environment, which is carried out through brief cycles of building, testing, deployment, and release. CI, which is part of DevOps, forms the initial stage that enhances the reliability of the code. Here, the initial code building and testing are performed. The CI facilitates the early detection and elimination of bugs in the code. The tests ensure the functionality of the code in various environments hence end-to-end efficiency can be achieved. This is followed by CD, wherein the code is released. The integration and automation ensure the frequent release of high-quality software by reducing the odds of human errors.
How are CI and CD achieved?
CI and CD constitute an automated cycle of build, package, test, and deploy. CI can be achieved using automation tools such as Jenkins. The basic CI and CD pipeline process are as follows:
- Source - an initial stage that accounts for code commit and version control. GIT tool is used for this.
- Build - when a code is committed, an automated build and test are activated by the CI server. The build is employed by combining the source code and its associated dependencies to a runnable instance for deployment. This stage reflects the underlying concerns of the source code. Maven or Gradle tools are used at this stage.
- Test - reflects on the quality and validates the behaviour of the software. Junit testing, which is a unit testing framework is carried out here.
- Deploy - successful build and test will trigger the deployment process where the application is deployed to its environment.
How is DevOps evolving into DevSecOps?
With the constant evolvement in technology and its needs, it’s essential to restructure the software development lifecycle through effective continuous integration and a continuous deployment pipeline. An efficient CI and CD call for continuous improvement in practices which align with shifts in business needs. The basic pipeline can be enhanced with feedback, security, and continuous monitoring standpoint. These perspectives will provide visibility on the quality and behaviour of the code and hence, facilitate impeccable release to the production.
To accomplish the above, testing is carried out at the early stages of the development cycle. The left shift approach is essential in DevOps. It carries out static code analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST) before deployment. This enables early identification and eradication of the problem. Several tools are present as plugins for Jenkins to meet these requirements. This section covers an overview of how the pipelines can be enhanced based on business requirements.
Code Review
Code review is a continuous inspection process, where the quality of the code is assessed in its non-runtime environment. It is an element of static code analysis. The code along with the associated security vulnerabilities are scrutinised. This analysis reflects the part of the code that can be optimised. The quality check is carried out at an early stage, before the build process.
To enable continuous inspection, SonarQube is integrated with Jenkins as a sonar scanner plugin. SonarQube analyses the source code and provides a quality gate report. The progression of the pipeline is dependent on this quality gate report. In this way, the efficiency of the code can be conserved. The following diagram shows the integration of the static code analysis factor in the pipeline.
Securing DevOps CI/CD Pipeline
With the increase in security breaches and vulnerabilities, it’s important to take measures that ensure a secure software development lifecycle. Security in a CI and CD pipeline is instilled through continuous security validation and monitoring. Security validation through security tools can be carried out at each step in the development process. Testing forms an essential part of ensuring quality software. Application Security Testing (AST), which identifies security threats in the source code, is carried out for this. Two types of security testing - SAST and DAST along with static code analysis is performed. SAST tools account for the source code and its works in the non-runtime environment. SAST tools such as SonarQube, CheckMarx, Synk are integrated into the pipeline. DAST is a black-box test, where testing is carried out in a runtime environment and analyses the vulnerabilities encountered through external attacks. DAST is carried out in a QA environment. OWASP ZAP is integrated for this purpose. The following is an example of a secure CI and CD pipeline process:
Issue Tracking
To facilitate continuous monitoring and improvisation, tools like Jira, Bugzilla, and Mantis can be integrated into the CI and CD pipeline. This will enhance the visibility of the performance of the software. Integrating these tools enables complete tracking and simultaneous updating of the issues in the pipeline. The following diagram depicts the Zira integration to the CI and CD pipeline.
The goal of achieving an uninterrupted and impeccable release to production can be achieved by integrating various tools for testing, security, and issue tracking as a plugin into the Jenkins server. However, the tools integrated into the CI and CD pipeline can vary depending on needs.
Our experts are experienced in understanding and supporting the variations across requirements and use cases. If you want to learn more, then please get in touch with us here.