- Continuous integration (CI) pipeline runs build artifacts and leaves behind evidence about what happened during the creation of those artifacts.
- CI pipeline creates entries in the inventory about the artifacts that are created.
- Built artifacts in the inventory are promoted to deployment environments such as staging or pre-production.
- Change management automation uses data from the inventory, the evidence locker, and the promotion pull request to create the change request.
The change request management automation segment of the DevSecOps reference implementation helps your developers, approvers, and auditors monitor the compliance aspects of all code deployments. This solution helps to remove barriers between your development and compliance teams, and places more accountability on your development team for compliance readiness. Every deployment must follow the change management policy of your organization.
Everything that changes the baseline must be traced by the way of a change request. These changes include updates to the existing code level, changes to the configuration, and updates of the worker nodes. The DevSecOps reference implementation provides a standard format for evidence, and processes for evidence collection and durable storage. The inventory and evidence are collected as part of every CI pipeline run and are available in a standard format and at a defined location.
The continuous delivery (CD) pipeline generates all of the evidence and change request summary content. The pipeline deploys the build artifacts to a specific environment, such as staging or production, and then collects, creates, and uploads all existing log files, evidence, and artifacts to the evidence locker.
You can configure the change request to be automatically or manually approved. There is also a provision for emergency deployments.
I invite you to try the IBM Cloud reference implementation of DevSecOps today. Get started with the detailed tutorial or watch the videos about setting up CI and CD toolchain templates located on the IBM Cloud DevSecOps documentation page.
Additional resources