INTEGRATION.md

September 2, 2023 ยท View on GitHub

The Software Supply Chain Stages

PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud
DevelopersIDELanguagesSCM providersBuild solutionsServersEmbedded PCURLSaaS solutionsCDN
QA teamSCVFrameworksPull requestsDeployment platformsOperating systemsPCBhostnameThird party APIsCloud services
DevOps teamLocal testsLibrariesSecrets mgmtReleasesWebserversUSB donglePayment gateways
Package MaintainersGit reposPackage ManagersGit reposFunctional testsApplication serversGPU/CPUIdentity Providers
Page BuildersPackagesSecurity testsWeb enginesAnalytics
Open sourceAPI test frameworksDatabasesProxies
Proprietary CodeUnit tests
PeopleLocal ReqsSource CodeIntegrationDeploymentRuntimeHardwareDNSServicesCloud

Continuous Integration

Continuous integration (CI) is the process of automatically integrating code changes from multiple contributors into a single software project. This is an important DevOps best practice that enables developers to frequently merge code changes into a central repository for testing before deployment. Automated tools are used to check that the new code is correct before integration.

What's in scope?

  • SCM providers
  • Pull requests

Examples

SCM Providers

Who owns it?

  • Engineering leadership
  • DevOps team

What are the security concerns?

  • Teams are moving fast, and interating quickly. It's important that we address security at the speed of iteration
  • Use automated security controls to make sure that code is always promoted using guardrails
  • Verify developers are who they say they are
  • User roles define access

How do I secure it?

  • Git commit signing
  • SSH keys for SCM provider
  • Pull requests
  • Branch protection
  • Permissions based SCM roles
  • MFA for SCM provider