[2019 oracle code one] inspecting in CD pipelines

Silence of the Lambs: Inspecting Source Code and Binaries in Continuous Delivery Pipelines

Speaker: Michael Huettermann @Huettermann

For more blog posts, see The Oracle Code One table of contents



General

  • More than one solution.
  • First “DevOps” book – Adam Smith – Wealth of Nations – talks about division of labor
  • Holistic/shared goals/processes/tools
  • Cycle time – across functions, create own definition

Pipelines/cycle time

  • Start with value stream map
  • Identify areas for improvements
  • Every chain has a bottleneck.
  • Consider theory of constraints. Fixing one bottleneck will expose another.
  • Consider as doughnuts, not tubes. Want feedback.
  • Glue together existing tools.
  • Identify stages and quality gates
  • Automate
  • ex: continuous build, dev build, RC build, GA build
  • “Pushing around binaries is a vintage approach” – should add context info

Many tools

  • Binary repo (Nexus, Artifactory)
  • Containerized infrastructure
  • Cloud enabled setup
  • Continuous Inspection (SonarQube for code, Twistlock for Docker)
  • Supporting/cross cutting tools
  • Middleware (Tomcat, JBoss)
  • Functional monitoring (ELK)
  • Automation engine: (Jenkins)

My take

The images were a good case study. While I would have rather have seen a live demo than a video, it was a video the speaker made so pretty equivalent. And he narrated it well.