SCA covered our dependencies. License compliance covered what we are allowed to ship. SAST is where we point the scanners at the code we wrote ourselves. In Part 5 of our GitHub DevSecOps series, Patrick Steger and I add Static Application Security Testing to the pipeline — and find out the hard way that on GitHub it takes three Actions, not one.
GitHub does not ship a license scanner out of the box, and when we went looking in the marketplace, none of the existing actions did what we needed. So we built our own with a colleague from Microsoft and published it. In Part 4 of our GitHub DevSecOps series, Patrick Steger and I plug that License Finder action into our Spring Boot pipeline, configure which licenses are acceptable, and show how to surface the results inside GitHub.
GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.
Before we plug security tools into anything, we need a repository, a pipeline, and a working build. In Part 2 of our GitHub DevSecOps series, Patrick Steger and I create a private GitHub repo for a small Java Spring Boot service, enable GitHub Actions, and wire up a two-workflow pipeline that compiles the code and runs the unit tests. This is the skeleton everything else in the series hangs on.
The internet is full of posts claiming that DevOps is dead. “DevOps is bullshit.” “Platform Engineering will replace DevOps.” “SRE is the future.” In this video, I explain why all of these claims are wrong, where they come from, and how DevOps, Platform Engineering, and Site Reliability Engineering actually relate to each other.
Romano Roth is Chief of DevOps at Zühlke. In this interview, he explains why DevOps is not bullshit, how transformation succeeds in companies, and what IT students really need to learn.
At this event, I spoke alongside Carsten Brandt from SAP about DevOps in theory and practice. While I presented the theoretical foundations of DevOps and showed how companies can move from projects to products, Carsten brought the practical perspective from over 21 years at SAP. His honest message: the theory has been well established for years, but execution is anything but easy, especially in complex enterprise landscapes.
By Pia Wiedermayer and Romano Roth
In many organizations and projects, software development involves numerous employees and machines performing tasks separately. This approach results in problems. Here’s how going back to the original way of developing software and building an organic digital factory can help.
After we finished the GitLab DevSecOps series, Patrick changed jobs — and his new team is on GitHub. The problem is the same: no security checks during development. The platform is different. In Part 1 of our GitHub DevSecOps series, we cover what GitHub is, the CI/CD vocabulary you have to share before any pipeline conversation works, and the shape of the DevSecOps pipeline we will build over the next sessions.
DevOps trends 2023
I quickly review my projections for 2021 and 2022 before moving on to the difficulties businesses are already facing. Because of silo organizations, there is almost no coordination between the various organizational divisions, and businesses continue to plan annual projects rather than products. This is why businesses need to adopt DevOps methods and trends. DevOps is a mindset and culture, combined with technical practices, that aligns all people across the value stream to continuously deliver value to the customer. The top DevOps trends for 2023 include building products, running the product, ensuring product quality, monitoring the product, organizing across the value stream, enabling DevOps in product teams, and industrializing the whole product development.
Two years of trend predictions later, the DevOps conversation has shifted. In 2021 we talked about adoption. In 2022 we mapped trends onto the adoption lifecycle. In 2023 the most useful lens is the value stream: how products get built, run, quality-assured, monitored, organised, enabled and industrialised end-to-end. Most organisations still suffer from silos and project-based annual planning. The 2023 trends are about closing those gaps.
What defines high-quality work in software engineering? Is it Scrum? Clean Code? TDD? Functional programming? In this Expert Talks session, my colleague Milan and I present two complementary perspectives. Milan covers the pillars of high-quality engineering work, from team building and customer centricity to clean code and engineering culture. I then show how DevOps and continuous delivery help build great products by moving from a project mindset to a product mindset.