Best practices in continuous integration toolchain
The implementation of continuous integration (CI) toolchain DevSecOps follows these practices.
- Runs a static code scanner on the application repositories to detect secrets in the application source code and vulnerable packages that are used as application dependencies.
- Builds a container image on every Git commit, setting a tag based on build number, timestamp, and commit ID for traceability.
- Tests the Dockerfile before the image creation.
- Stores the built image in a private image registry.
- Automatically configures access permissions for target cluster deployment by using API tokens to revoke.
- Scans the container image for security vulnerabilities.
- Adds a Docker signature upon successful completion.
- Automatically inserts the built-image tag into the deployment manifest.
- Uses an explicit namespace, in the cluster, to insulate each deployment (
kubectl delete namespacecommand). - Automatically builds, validates, and deploys any code that is merged into the target Git repository branch to the Kubernetes cluster.