I'm working with Azure DevOps and I'm curious about how to enforce specific steps, like CVE scanning, across all build pipelines in my organization. Is there a way to set up a policy as code to ensure these rules are consistently applied? Would love to hear any tips or practices you all use!
5 Answers
I advocate for a 'safe by design' approach. For instance, using vulnerability-free base images from the start can save a lot of hassle later. It’s a game-changer when you get the right tools like Echo to streamline the process.
One effective strategy is using templated pipelines. Instead of teams creating their own pipelines from scratch, they can reference a central template that includes all required steps. This way, the only pathway to production is via the templated pipeline, ensuring compliance with necessary processes.
In Azure DevOps, you can implement mandatory steps by creating your own ADO extension and publishing it to your organization, known as a pipeline decorator. This prevents others from disabling essential steps easily. If you're using GitHub, it’s even simpler with the Required Workflow feature.
Agreeing with the previous mention of pipeline templates! Also, combining that approach with Branch Protection policies could really help. Check out the Status Checks section in Azure DevOps documentation for more on that.
Consider adopting Policy as Code tools like Open Policy Agent (OPA). These tools can enforce compliance rules across your pipelines and automatically check for processes like mandatory CVE scans before allowing builds to proceed, adding an extra layer of governance.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures