Friday, March 25, 2022
HomeCloud ComputingWhat DevSecOps Means for Your CI/CD Pipeline

What DevSecOps Means for Your CI/CD Pipeline

The CI/CD (Steady Integration/Steady Deployment) pipeline is a significant ingredient of the DevOps recipe. As a DevSecOps practitioner, it is advisable contemplate the safety implications for this pipeline. On this article, we’ll look at key objects to consider on the subject of DevSecOps and CI/CD.

The kind of CI/CD pipeline you select—whether or not it’s managed, open supply, or a bespoke answer that you simply construct in-house—will affect whether or not sure safety features can be found to you out of the field, or require targeted consideration to implement.

Let’s dive in

Secret administration on your CI/CD pipeline

Your CI/CD pipeline has the keys to the dominion: it could provision infrastructure and deploy workloads throughout your system. From a safety perspective, the CI/CD pipeline ought to be the one solution to carry out these actions. To handle your infrastructure, the CI/CD pipeline wants the credentials to entry cloud service APIs, databases, service accounts, and extra—and these credentials must be safe.

Gigi DevSecOps CI/CD

Managed or hosted CI/CD pipelines present a safe solution to retailer these secrets and techniques. If you happen to construct your CI/CD answer, you then’re accountable for making certain secrets and techniques are saved securely. CI/CD secrets and techniques ought to be encrypted at relaxation and solely decrypted in reminiscence, when the CI/CD pipeline wants to make use of them.

You need to tightly lock down entry to the configuration of your CI/CD pipeline. If each engineer can entry these secrets and techniques, then the potential for leaks is large. Keep away from the temptation to let engineers debug and troubleshoot points by utilizing CI/CD credentials.

Some secrets and techniques (for instance, entry tokens) must be refreshed periodically. CI/CD pipelines typically use static secrets and techniques—which have for much longer lifetimes, and so don’t want common refreshing—to keep away from the complexities of refreshing tokens.

Injecting secrets and techniques into workloads

Cloud workloads themselves additionally use secrets and techniques and credentials to entry different assets and providers that their performance depends upon. These secrets and techniques might be offered in a number of methods. If you happen to deploy your system as packages utilizing VM photographs or containers, then you’ll be able to bake the secrets and techniques instantly into the picture, making them obtainable in a file when the workload runs.

One other strategy is to encrypt the secrets and techniques and retailer them in supply management. Then, inject the decryption key into the workload, which may subsequently fetch, decrypt, and use the secrets and techniques.

Kubernetes permits for secrets and techniques which can be managed exterior of the workload picture however uncovered as an setting variable or a file. One good thing about secrets and techniques as information is that secret rotation doesn’t require re-deploying the workload.

Infrastructure as code: a safety perspective

Infrastructure as code will not be solely an operational finest follow; additionally it is a safety finest follow. 

software program methods = infrastructure + workloads

When advert hoc modifications are made to infrastructure configurations, this drift can introduce safety dangers. When assets are provisioned with none auditing or governance, it turns into troublesome to take care of correct safety measures throughout all assets.

Handle your infrastructure identical to you handle your code. Use declarative configurations (like these of Terraform, AWS CloudFormation, or Kubernetes CRDs). Evaluate and audit each change.

Carry your personal safety instruments

CI/CD pipelines are versatile. Usually talking, they allow you to execute a sequence of steps and handle artifacts. The steps themselves are as much as you. As a safety engineer, you need to make the most of the safety instruments that exist already in your setting (particularly within the cloud). For instance, GitHub and GitLab each scan your commits for the presence of secrets and techniques or credentials. Some managed CI/CD options construct in API scanning or software safety scans. Nonetheless, you might also favor so as to add instruments and checks into the combo.

You possibly can additionally add static code evaluation (like SonarQube) to make sure that code adheres to conventions and finest practices. As one other instance, you mayincorporate vulnerability scanning (like Trivy or Grype) to your CI/CD pipeline, checking container photographs or third-party dependencies for safety flaws.

Gigi DevSecOps CI/CD

Complete detection and response

Utility observability, monitoring, and alerting are basic DevOps Day 2 issues. Though your CI/CD pipeline will not be instantly concerned in these actions, you need to use your CI/CD pipeline to deploy the safety instruments you employ for these functions. From the viewpoint of the CI/CD pipeline, these are simply further workloads to be deployed and configured.

Your CI/CD pipeline ought to embody early detection of safety points that set off on each change that impacts workloads or infrastructure. As soon as modifications are deployed, it is advisable run periodic checks and reply to occasions that occur post-deployment.

In case of defective CI/CD, break glass

The CI/CD pipeline is a important a part of your system. In case your CI/CD is damaged or compromised, your software might proceed to run, however you lose the power to make protected modifications. Massive scale functions require fixed updates and modifications. If a safety breach happens, you want to have the ability to shut down and isolate elements of your software safely.

To take action, your CI/CD pipeline have to be extremely obtainable and deployed securely. Every time it is advisable replace, rollback, or redeploy your software, you rely in your CI/CD pipeline.

What do you have to do in case your CI/CD pipeline is damaged? Put together prematurely for such a case, figuring out how your group and system will preserve working (at lowered capability most certainly) till you’ll be able to repair your CI/CD pipeline. For sophisticated methods, you need to have runbooks. Take a look at how you’ll function when the CI/CD is down or compromised.


The CI/CD pipeline is on the core of the DevOps course of. When including safety into the combo, you want to concentrate on the implications, paying shut consideration to the safety of the CI/CD pipeline itself, in addition to the secrets and techniques and artifacts it consumes and produces. The safety features best suited to you can be those that match the kind of CI/CD pipeline you’ve chosen. As soon as you recognize the important thing areas to think about on the subject of DevSecOps and CI/CD, you can also make that tailor-made choice with confidence.


Dive deep into CI/CD pipelines on the Cisco Developer weblog after which discover DevNet’s CI/CD Sandbox.




Please enter your comment!
Please enter your name here

Most Popular

Recent Comments