API keys, tokens, and passwords still leak into repositories all the time — sometimes by accident, sometimes by a developer who genuinely did not know better. In Part 7 of our GitHub DevSecOps series, Patrick Steger and I switch on GitHub’s built-in Secret Scanning, add a custom pattern of our own, try out push protection, and look honestly at what the feature finds and where it falls short.
We have built up the GitHub Actions pipeline through five sessions: the project basics, software composition analysis, license compliance, and static application security testing. The next layer is container scanning — looking for vulnerabilities inside the Docker image we ship, not just in the source we wrote. In Part 6 of our series, Patrick Steger and I split the work into two GitHub Actions sub-workflows: one builds the image and pushes it to the registry, the other pulls it back and runs Trivy on it.
SCA covered our dependencies. License compliance covered what we are allowed to ship. SAST is where we point the scanners at the code we wrote ourselves. In Part 5 of our GitHub DevSecOps series, Patrick Steger and I add Static Application Security Testing to the pipeline — and find out the hard way that on GitHub it takes three Actions, not one.
GitHub does not ship a license scanner out of the box, and when we went looking in the marketplace, none of the existing actions did what we needed. So we built our own with a colleague from Microsoft and published it. In Part 4 of our GitHub DevSecOps series, Patrick Steger and I plug that License Finder action into our Spring Boot pipeline, configure which licenses are acceptable, and show how to surface the results inside GitHub.
GitHub does not ship a default SCA tool the way GitLab does. You have to combine two things: a platform feature called Dependabot and an SCA action from the Marketplace. In Part 3 of the GitHub DevSecOps series, Patrick Steger and I wire both into our pipeline — and find out the hard way that the Marketplace path is not as smooth as the slides suggest.
Before we plug security tools into anything, we need a repository, a pipeline, and a working build. In Part 2 of our GitHub DevSecOps series, Patrick Steger and I create a private GitHub repo for a small Java Spring Boot service, enable GitHub Actions, and wire up a two-workflow pipeline that compiles the code and runs the unit tests. This is the skeleton everything else in the series hangs on.
The internet is full of posts claiming that DevOps is dead. “DevOps is bullshit.” “Platform Engineering will replace DevOps.” “SRE is the future.” In this video, I explain why all of these claims are wrong, where they come from, and how DevOps, Platform Engineering, and Site Reliability Engineering actually relate to each other.
Romano Roth is Chief of DevOps at Zühlke. In this interview, he explains why DevOps is not bullshit, how transformation succeeds in companies, and what IT students really need to learn.
At this event, I spoke alongside Carsten Brandt from SAP about DevOps in theory and practice. While I presented the theoretical foundations of DevOps and showed how companies can move from projects to products, Carsten brought the practical perspective from over 21 years at SAP. His honest message: the theory has been well established for years, but execution is anything but easy, especially in complex enterprise landscapes.
By Pia Wiedermayer and Romano Roth
In many organizations and projects, software development involves numerous employees and machines performing tasks separately. This approach results in problems. Here’s how going back to the original way of developing software and building an organic digital factory can help.
After we finished the GitLab DevSecOps series, Patrick changed jobs — and his new team is on GitHub. The problem is the same: no security checks during development. The platform is different. In Part 1 of our GitHub DevSecOps series, we cover what GitHub is, the CI/CD vocabulary you have to share before any pipeline conversation works, and the shape of the DevSecOps pipeline we will build over the next sessions.
DevOps trends 2023
We quickly review my projections for 2021 and 2022 before moving on to the difficulties businesses are already facing. Because of siloed organizations, there is almost no coordination between the various organizational divisions, and businesses continue to plan annual projects rather than products. Hence, businesses need to adopt some of the following DevOps methods and trends. DevOps is a mindset and culture, backed by technical practices, that aligns all people across the value stream to continuously deliver value to the customer. The top DevOps trends for 2023 include building the product, running the product, ensuring product quality, monitoring the product, organizing across the value stream, enabling DevOps in product teams, and industrializing the whole of product development.