Silence of the Lambs: Inspecting Source Code and Binaries in Continuous Delivery Pipelines

Speaker: Michael Huettermann @Huettermann

For more blog posts, see The Oracle Code One table of contents

---

General

• More than one solution.
• First “DevOps” book – Adam Smith – Wealth of Nations – talks about division of labor
• Holistic/shared goals/processes/tools
• Cycle time – across functions, create own definition

Pipelines/cycle time

• Start with value stream map
• Identify areas for improvements
• Every chain has a bottleneck.
• Consider theory of constraints. Fixing one bottleneck will expose another.
• Consider as doughnuts, not tubes. Want feedback.
• Glue together existing tools.
• Identify stages and quality gates
• Automate
• ex: continuous build, dev build, RC build, GA build
• “Pushing around binaries is a vintage approach” – should add context info

Many tools

• Binary repo (Nexus, Artifactory)
• Containerized infrastructure
• Cloud enabled setup
• Continuous Inspection (SonarQube for code, Twistlock for Docker)
• Supporting/cross cutting tools
• Middleware (Tomcat, JBoss)
• Functional monitoring (ELK)
• Automation engine: (Jenkins)

My take

The images were a good case study. While I would have rather have seen a live demo than a video, it was a video the speaker made so pretty equivalent. And he narrated it well.