Posts for: #Vulnerabilities

Brainstorming on CICD Pipeline Design

What are the questions that I should be asking myself when I’m thinking about how to automate security in a CICD pipeline?

What about a CICD pipeline without thinking about security?

  • What should CICD Pipelines do?
  • What shouldn’t CICD Pipelines do?

These feel too general. These might be valuable to explore, but I think that making them more specific will be better.

The questions that I ask myself are important because they will determine the architecture of the pipeline. I feel like I’m starting to understand what two of my coworkers, Gil and Vishal, are talking about: starting the design of a CICD pipeline from an existing piece of automation is not a good starting point. But if I start with the right principles in mind, building good ideas becomes easier.


Thoughts on Vulnerability Scanning in the Software Development Lifecycle

Intro

I’m thinking about what the best way is to manage vulnerability scanning in the SDLC.

Sitting down and really thinking about this is the culmination of conversations I’ve had with coworkers over a while, and of things that have been happening at work.

Specifically, if the goal is to:

  1. Provide developers vulnerability data as fast as possible
  2. Provide developers vulnerability data in a FULLY automated manner

(Maybe as a bonus, we can also)
