Integrate Compliance and Quality into Your DevOps Pipeline

February 20, 2018

Continuous Delivery is about enabling your organization to bring new features to production, one by one, quickly and reliably. To do so effectively while maintaining a high level of quality, you have to embed code analysis in the CD pipeline. Making code analysis an integral part of your Continuous Delivery process strengthens the test automation section of your CD pipeline and ensures that release managers have an accurate view of the risks the code may introduce.

Embedded code analysis is also crucial for meeting the compliance requirements that are important for your organization. Code can be analyzed for security, open source licensing, adherence to coding standards, and various other quality metrics. When code analysis is baked into the software release process, you can be confident that the evidence you need for auditing purposes is collected and recorded automatically.

With XL Release 7.6, you can see risk and quality metrics in the dashboard for every release. In addition, you can add code analysis tasks to the release pipeline through integrations with third-party products and configure the tasks to fail if the code does not meet quality thresholds.

XL Release 7.6 adds the following integrations:

Black Duck

Black Duck is a trusted tool for securing and managing open source software in applications and containers. The Black Duck integration makes it easy to verify, as a standard step in your templates and releases, that the open source software you use in your applications and containers is secure.

Figure: Black Duck Compliance

Using XL Release and Black Duck allows you to embed code risk analysis in your Continuous Delivery pipelines. You can automatically check code against various types of risk, such as license, security, and operational risks.

The Black Duck plugin allows you to add Check Compliance tasks to templates and releases and to configure each task with a severity threshold for the various risk types; if the analyzed code reaches that threshold, the task fails.

You can also add a Black Duck risk profile tile to release dashboards and configure it to show risk metrics for a given project graphically, so you can assess code risk in real time at a glance.

Figure: Black Duck Risk Profile Tiles

Fortify Software Security Center (SSC)

Fortify Software Security Center provides centralized management of application security testing. Security teams use SSC to review and manage security testing activities, prioritize remediation efforts based on risk potential, measure improvements, and generate cross-portfolio management reports.

Figure: Fortify SSC Check Compliance

Using XL Release with Fortify SSC, you can evaluate code against the security metrics that matter most to your organization.

The Fortify SSC plugin allows you to add Check Compliance tasks to templates and releases and configure them with the minimum rating required for the release, according to the Fortify Five Star Assessment Rating.

You can also add a Fortify SSC Summary tile to release dashboards and configure it to show security metrics for a given project.

Figure: Fortify SSC Summary

SonarQube

SonarQube is an open source platform for continuous inspection of code quality. Teams use it to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in application source code.

Figure: SonarQube Quality Gate

Using XL Release and SonarQube to integrate code analysis into your Continuous Delivery pipelines strengthens test automation and ensures that code adheres to your organization’s coding standards.

The SonarQube plugin allows you to add Check Compliance tasks to templates and releases and configure them with SonarQube quality gates.
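The three Check Compliance tasks described above (Black Duck risk thresholds, the Fortify SSC minimum rating, and the SonarQube quality gate) all follow the same pattern: a release step consumes an analysis result, compares it with a configured threshold, and blocks the release while recording why. The following Python is an added illustration of that gate logic, not XL Release or plugin code; the Finding type, the star-rating range, the quality-gate status strings and the sample scan data are all constructed assumptions for this example, not any vendor's report format.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Severity(IntEnum):
    """Ordered so that comparisons express 'at least this severe'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Risk categories named on the page for the Black Duck-style check.
RISK_TYPES = ("license", "security", "operational")


@dataclass(frozen=True)
class Finding:
    """One flagged component (hypothetical shape, not a vendor's report format)."""
    component: str
    risk_type: str
    severity: Severity


def check_risk_thresholds(findings: List[Finding],
                          thresholds: Dict[str, Severity]) -> List[str]:
    """Black Duck-style task: fail when any finding reaches the configured
    severity threshold for its risk type. Returns the reasons for failure;
    an empty list means the task passes."""
    reasons = []
    for risk_type in RISK_TYPES:
        threshold = thresholds.get(risk_type)
        if threshold is None:
            continue  # no threshold configured for this risk type
        hits = [f for f in findings
                if f.risk_type == risk_type and f.severity >= threshold]
        for hit in sorted(hits, key=lambda h: -h.severity):
            reasons.append(f"{risk_type} risk {hit.severity.name} in {hit.component} "
                           f"(threshold {threshold.name})")
    return reasons


def check_minimum_rating(stars: int, minimum: int) -> List[str]:
    """Fortify SSC-style task: the project's five-star rating must meet the
    minimum configured for the release (range assumed to be 0..5 here)."""
    if not (0 <= stars <= 5 and 0 <= minimum <= 5):
        raise ValueError("ratings must be between 0 and 5 stars")
    if stars < minimum:
        return [f"security rating {stars}/5 below required {minimum}/5"]
    return []


def check_quality_gate(status: str) -> List[str]:
    """SonarQube-style task: only a passing quality gate ("OK" in this
    constructed example) lets the release continue."""
    return [] if status == "OK" else [f"quality gate status {status}"]


def evaluate_release(findings: List[Finding], thresholds: Dict[str, Severity],
                     stars: int, minimum: int,
                     gate_status: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Run every compliance task; the release passes only if all of them pass.
    Every failure reason is kept so it can be recorded as audit evidence."""
    results = {
        "black_duck_risk": check_risk_thresholds(findings, thresholds),
        "fortify_rating": check_minimum_rating(stars, minimum),
        "sonarqube_gate": check_quality_gate(gate_status),
    }
    passed = all(not reasons for reasons in results.values())
    return passed, results


# Constructed sample input: a small scan with one HIGH security finding.
SAMPLE_FINDINGS = [
    Finding("libfoo-1.2", "license", Severity.MEDIUM),
    Finding("libbar-0.9", "security", Severity.HIGH),
    Finding("libbaz-3.0", "operational", Severity.LOW),
]
SAMPLE_THRESHOLDS = {
    "license": Severity.HIGH,
    "security": Severity.MEDIUM,
    "operational": Severity.HIGH,
}

if __name__ == "__main__":
    ok, detail = evaluate_release(SAMPLE_FINDINGS, SAMPLE_THRESHOLDS,
                                  stars=4, minimum=3, gate_status="OK")
    print("release passes" if ok else "release blocked")
    for task, reasons in detail.items():
        for reason in reasons:
            print(f"  {task}: {reason}")
```

With the sample data the rating and quality-gate tasks pass but the security threshold is reached, so the release is blocked and the recorded reason names the offending component. Keeping every reason, rather than a single boolean, is what makes the gate useful as audit evidence later.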

You can also add a SonarQube summary tile to release dashboards and configure it to show code quality metrics for a given project.

Figure: SonarQube Summary

The Result: Better Software for All

Integrating compliance and quality into your DevOps pipeline is crucial for any organization to deliver quality software consistently, and XL Release can help you achieve just that with ease.

Kapil Malhotra

About the Author

Kapil Malhotra is Product Manager of Integrations for XL products. He is a technologist with 12 years' experience in the software industry and expertise in DevOps and Agile methodologies. Before becoming a Product Manager, he was a scrum master and was involved in application design and development.