At The DEVOPS Conference, I presented on a topic that has been at the heart of my work for over two decades: how to architect for continuous delivery. This talk covers the broken value stream I see in most companies, why product thinking matters more than project thinking, the science behind software delivery performance, and how platform engineering enables organizations to scale DevOps through digital factories.
At the State of DevOps in Switzerland 2023 event, I joined Adrian Kosmaczewski from VSHN to present the latest findings on DevOps adoption in the Swiss market. Adrian shared four years of survey data, while I focused on how to successfully scale DevOps through platform engineering and the concept of the digital factory. This event brought together DevOps professionals both on-site and virtually for presentations and a lively panel discussion.
After eleven sessions building a full DevSecOps pipeline with GitHub — covering Software Composition Analysis, License Compliance, SAST, Container Scanning, Secret Detection, DAST, Pull Requests, Scheduled Pipelines, and Vulnerability Management — Patrick Steger and I close the series with our recommendations. What works on GitHub, where the gaps are, and what we would tell anyone setting out to build the same pipeline.
Across ten sessions we wired security checks into a GitHub Actions pipeline that fires on every commit and every Pull Request. That covers code we are actively changing. It does not cover the code that is already running in production while researchers keep finding new CVEs in the libraries it uses. In Part 11 of the GitHub DevSecOps series, Patrick Steger and I add a scheduled workflow that re-scans the production branch — and we run straight into a GitHub limitation worth knowing about up front.
In the previous nine sessions Patrick Steger and I built a GitHub DevSecOps pipeline with build, SCA, License Compliance, SAST, Container Scanning, Secret Detection and DAST. All useful — but only if it actually runs before code lands in main, and only if the merge is blocked when something serious shows up. In Part 10 we wire that gate together with Pull Requests and Branch Protection rules.
We have spent the previous eight sessions adding scanners to our GitHub DevSecOps pipeline — SCA, SAST, container scanning, secret detection, DAST. The scanners now produce a steady stream of findings, and the question is: where do we manage them? In Part 9, Patrick Steger and I look at GitHub’s built-in Vulnerability Management — the Security Tab — and call out what it does well and what is still missing.
Join Eveline Oehrlich and Romano Roth, to discuss whether DevOps is Dead.
Transcript # Narrator 00:02 You’re listening to the humans of DevOps podcast, a podcast focused on advancing the humans of DevOps through skills, knowledge, ideas, and learning, or the skil framework.
After seven sessions of static analysis — SCA, license compliance, SAST, container scanning, secret detection — Patrick Steger and I move into the dynamic side of the pipeline. In Part 8 we add Dynamic Application Security Testing to our GitHub Actions pipeline. DAST runs the application and then attacks it. GitHub does not ship this out of the box, so we wire in a community action built on OWASP ZAP — and we are honest about where that approach falls short for enterprise use.
On episode 88 of DevTalk I and Kerry W. Lothrop speak about the state of DevOps.
Original Post: DevTalk 88: Romano Roth
In today’s world, everybody wants to do DevOps. But why? What problems are we trying to solve?
Taking a Step Back # Together, we will take a step back and look at the bigger picture. Instead of jumping straight into tools and practices, we examine the systems and value streams that underpin modern software delivery.
API keys, tokens, and passwords still leak into repositories all the time — sometimes by accident, sometimes by a developer who genuinely did not know better. In Part 7 of our GitHub DevSecOps series, Patrick Steger and I switch on GitHub’s built-in Secret Scanning, add a custom pattern of our own, try out push protection, and look honestly at what the feature finds and where it falls short.
We have built up the GitHub Actions pipeline through five sessions: the project basics, software composition analysis, license compliance, and static application security testing. The next layer is container scanning — looking for vulnerabilities inside the Docker image we ship, not just in the source we wrote. In Part 6 of our series, Patrick Steger and I split the work into two GitHub Actions sub-workflows: one builds the image and pushes it to the registry, the other pulls it back and runs Trivy on it.
