Overview
IBM DevOps Loop
IBM DevOps Loop is a comprehensive solution designed to streamline and accelerate the entire software delivery lifecycle, from planning and development to testing and deployment. It empowers teams to collaborate more effectively by automating repetitive tasks, integrating toolchains, and providing real-time visibility into workflows. With features such as agile planning, automated testing, continuous integration and delivery (CI/CD), release orchestration, and intelligent change risk analytics, IBM DevOps Loop helps organizations improve software quality, reduce deployment risks, and deliver value to customers faster and more reliably.

IBM Concert
IBM Concert is an AI-powered decision automation platform that helps enterprises align strategy with execution. Designed to break down silos across business, development, and operations teams, IBM Concert provides a unified workspace where teams can plan, track, and manage outcomes collaboratively. By integrating data from various tools and systems, and applying AI to surface insights and recommend actions, it enables organizations to make faster, more informed decisions. With features like outcome-driven planning, real-time status tracking, and intelligent automation, IBM Concert enhances visibility, accountability, and agility across the entire organization.

Value of integrating IBM Concert and IBM DevOps Loop
The integration between IBM Concert and IBM DevOps Loop plays a critical role in connecting strategic intent with operational execution. By linking AI-driven decision-making with automated delivery processes, organizations can improve responsiveness, transparency, and overall software quality.
One key benefit of this integration is the ability for IBM DevOps Loop to trigger security tests during the software delivery lifecycle and automatically upload the results into IBM Concert. This ensures that risk-related data—such as vulnerabilities or compliance issues—is surfaced in the same environment where business outcomes are planned and tracked. As a result, stakeholders across security, development, and business teams gain real-time visibility into potential risks, enabling faster and more informed decision-making without the need for manual data consolidation.
Another important value is IBM Concert’s ability to automatically raise work items in DevOps Loop using its built-in workflows. When a security test detects a risk, Concert can initiate follow-up actions by creating tickets directly in the DevOps toolchain as Defect Management data. This tight integration shortens response times, ensures accountability, and keeps operational teams aligned with evolving business priorities. Tickets can be created automatically according to a defined rule, or manually.
Together, these capabilities reinforce a continuous flow between planning and execution, allowing organizations to drive agility, reduce risk, and maintain a clear line of sight from strategy to delivery.

Solution walkthrough
Part 1: Integrate security tests into the development lifecycle
IBM DevOps Loop can execute security tests from the DevOps Loop Test UI and upload the results to IBM Concert.

Execute security test
There are different ways to execute security tests in IBM DevOps Loop.
1. Execute the DevOps Loop built-in security test tool, AppScan.
HCL AppScan is a security testing tool that helps identify and remediate vulnerabilities in web and mobile applications. It supports static, dynamic, and interactive testing to ensure secure code throughout the development lifecycle. This is a new feature, which will be released soon.
2. Execute a third-party security test tool in the DevOps Loop Test module
Third-party security testing tools can be wrapped as an API-type test script and executed by DevOps Loop Test. In this demo, we used Trivy for image scanning and for SAST source code scanning. The demonstration project is: https://github.ibm.com/fanhu/concert-testing-demo. You can use this project directly or use it as a template to customize.

Passwords can be saved in "Secrets", and other parameters can be passed in plain text as "Variables".

3. Execute a third-party security test as part of CI/CD
We can run the third-party security testing tools directly in the CI/CD pipeline. This approach gives you more control. If you only need testing in CI/CD, you can consider this approach; otherwise DevOps Loop Test is still the recommended approach, because it gives you visibility across the whole team.
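As an added illustration (not code from the demonstration project or from IBM), a wrapper around Trivy for option 2 or 3 can read the scanner's JSON report and select the findings that matter before anything is uploaded or ticketed. The sample report is constructed, the CVE IDs are placeholders, and the function names and the HIGH default threshold are assumptions.

```python
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # Trivy labels, low to high

# Constructed sample in the shape of `trivy image --format json` output.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "demo-app (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "Severity": "LOW"},
        ]},
        {"Target": "app/requirements.txt"},  # Trivy may omit "Vulnerabilities" when empty
        {"Target": "app/vendor/requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "HIGH"},
        ]},
    ],
})

def findings_at_or_above(report_json, min_severity="HIGH"):
    """Return deduplicated findings whose severity is >= min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    report = json.loads(report_json)
    seen, selected = set(), []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            # The same package finding can appear under several targets.
            key = (vuln["VulnerabilityID"], vuln["PkgName"], vuln["InstalledVersion"])
            if rank < threshold or key in seen:
                continue
            seen.add(key)
            selected.append({"id": vuln["VulnerabilityID"], "package": vuln["PkgName"],
                             "installed": vuln["InstalledVersion"], "severity": sev,
                             "fixed": vuln.get("FixedVersion"), "target": result["Target"]})
    return sorted(selected, key=lambda f: -SEVERITY_ORDER.index(f["severity"]))

def gate(report_json, min_severity="HIGH"):
    """Exit status for a wrapper: 1 if any finding meets the threshold."""
    return 1 if findings_at_or_above(report_json, min_severity) else 0

if __name__ == "__main__":
    for f in findings_at_or_above(SAMPLE_REPORT):
        print(f["severity"], f["id"], f["package"], f["installed"], "->", f["fixed"])
    raise SystemExit(gate(SAMPLE_REPORT))  # non-zero fails the wrapping test or pipeline step
```

A finding whose "fixed" value is None has no fixed version listed in the report, which is worth carrying into the ticket so the assignee knows an upgrade alone will not close it.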
Upload results
When IBM DevOps Loop executes a security test, it can use the Concert REST API to upload the results to IBM Concert, where they are displayed as CVEs in the appropriate project(s).
Part 2: Raise tickets in defect management automatically

Once the CVEs are in Concert, we can manually or automatically raise a ticket in the DevOps Loop Defect Management UI.
To do it automatically, you first need an Automation Rule.

You can configure the rule to call a workflow when a CVE (uploaded by DevOps Loop) is detected in the scope of an Application.

The parameters below are passed to the workflow.

You can also "filter" the CVEs so that only the critical security issues are handled and have tickets raised for them.

This is what the workflow looks like. You can use it or customize your own integration.

When a security test finds and uploads something, you will see the upload event in Administration -> Events:

A workflow will be triggered if the security level meets the filter (in this demo it's 1.1 "risk score"). You can see the log in "Workflows -> History".

You will then be able to see the second event:

On the IBM DevOps Loop side, you need an application of the Defect Management type (you can use other types, but some workflow steps will need to be modified). In the "Defect Kanban", you will be able to see the new tickets with the state "Submitted":

Demo video
More articles to read
Real-time governance for secure, risk-aware delivery with IBM DevOps Loop + IBM Concert (by Cassidy Rimer)