Example Java Pipeline

Description of the illustration cicd-process-pipeline.png
In this example Java pipeline, illustrated with some commonly used tools, the Pipeline Orchestrator drives the pipeline process. The steps in the process are:
- Change Code
Performs basic Git checks for credentials using Static Application Security Testing (SAST) and initiates the pipeline. Uses the Gitflow approach to manage the code repository, based on how the code is structured, with tools such as GitLab or GitHub. The code can be structured with version branching, merging, and releasing to control source changes. The code maps to environments such as development, test, preproduction, and production. Commits into the different parts of the repository trigger SAST actions. For example, GitHub incorporates static security scanning that looks for patterns recognizing passwords and tokens within the code and configuration files.
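The following is an added example, not code from the original page or from GitHub's scanner, of the kind of credential check this step runs on a commit. It scans file content line by line against a small set of assumed patterns (an assigned password or token, an AWS-style access key ID, a private key block), masks the secret in the reported finding so the pipeline log does not leak it, and exits non-zero so the stage fails. The rule set and the sample properties file are constructed for illustration; it assumes Java 17.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Minimal SAST-style credential check of the kind run when code is committed. */
public class CredentialScan {

    /** One finding: line number, rule name, and the offending line with the secret masked. */
    public record Finding(int line, String rule, String maskedLine) {}

    // Assumed example rules; production scanners ship far larger and better-tuned rule sets.
    // The last capture group of each pattern holds the secret-like value that gets masked.
    private static final Pattern[] RULES = {
        // key = value assignments naming a password/secret/token, value of 8+ non-space characters
        Pattern.compile("(?i)(password|passwd|secret|api[_-]?key|token)\\s*[=:]\\s*[\"']?([^\\s\"']{8,})"),
        // AWS-style access key ID: AKIA followed by 16 upper-case alphanumerics
        Pattern.compile("\\b(AKIA[0-9A-Z]{16})\\b"),
        // PEM private key header
        Pattern.compile("(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    };
    private static final String[] RULE_NAMES = {"assigned-secret", "aws-access-key-id", "private-key-block"};

    public static List<Finding> scan(String content) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = content.split("\\R");
        for (int i = 0; i < lines.length; i++) {
            for (int r = 0; r < RULES.length; r++) {
                Matcher m = RULES[r].matcher(lines[i]);
                if (!m.find()) continue;
                int g = m.groupCount();
                String secret = m.group(g);
                if (secret.startsWith("${")) continue; // environment reference, not a literal secret
                // Mask the secret itself so the finding can be logged safely.
                String masked = lines[i].substring(0, m.start(g)) + "****" + lines[i].substring(m.end(g));
                findings.add(new Finding(i + 1, RULE_NAMES[r], masked));
                break; // one finding per line is enough to fail the check
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of a properties file; not taken from any real project.
        String sample = String.join("\n",
            "app.name=orders",
            "db.url=jdbc:postgresql://db.example.internal/orders",
            "db.password=${DB_PASSWORD}",
            "smtp.password=Winter2024!",
            "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
            "log.level=INFO");
        List<Finding> findings = scan(sample);
        for (Finding f : findings) {
            System.out.printf("line %d [%s]: %s%n", f.line(), f.rule(), f.maskedLine());
        }
        if (!findings.isEmpty()) {
            System.exit(1); // a non-zero exit code fails the pipeline stage
        }
    }
}
```

Run as `java CredentialScan.java`: the `${DB_PASSWORD}` line is skipped because it references the environment rather than embedding a value, while the literal SMTP password and the access key ID are reported with their values masked, and the process exits with status 1.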
- Build Code
Generates a JAR/WAR/EAR and pulls in the required dependencies. You can use tools such as Apache Maven to compile and create the JAR (or related deployable archive files) and sign the artifact.
- Manage Third-Party Dependencies
Manages code dependencies and third-party libraries using tools such as Snyk. Snyk checks that dependencies are correct and come from an accepted source, and searches them for malicious content. It retrieves, inspects, approves, and stores external dependency artifacts. Managing third-party dependencies lets you store your dependencies locally using tools such as Archiva or Nexus OSS. You can also control dependencies to ensure they have trusted origins, and confirm that a dependency hasn't been compromised with malicious content using tools such as Snyk, Nexus, or scanOS.
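The following is an added example, not part of the original page and not Snyk's or Nexus's code, of the two gates this step applies before an external artifact is accepted into the local store: the download must come from a repository on an allow-list of trusted origins, and its SHA-256 digest must match the value pinned in the approved-dependency manifest (public repositories publish such digests alongside each artifact). The trusted hosts, the artifact bytes, and the pinned digest are constructed for illustration; it assumes Java 17.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Set;

/** Gate applied to a retrieved third-party artifact before it is stored locally. */
public class DependencyGate {

    // Assumed allow-list of repositories the organisation trusts (placeholder hosts).
    private static final Set<String> TRUSTED_HOSTS =
        Set.of("repo.maven.apache.org", "nexus.example.internal");

    /** Origin check: TLS only, and the host must be on the allow-list. */
    public static boolean isTrustedOrigin(URI source) {
        return "https".equals(source.getScheme())
            && source.getHost() != null
            && TRUSTED_HOSTS.contains(source.getHost().toLowerCase());
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static String sha256Hex(byte[] data) {
        return HexFormat.of().formatHex(sha256(data));
    }

    /** Integrity check; MessageDigest.isEqual compares in constant time. */
    public static boolean matchesPinnedDigest(byte[] artifact, String pinnedSha256Hex) {
        return MessageDigest.isEqual(sha256(artifact), HexFormat.of().parseHex(pinnedSha256Hex));
    }

    /** Both gates must pass before the artifact is approved and stored. */
    public static boolean accept(URI source, byte[] artifact, String pinnedSha256Hex) {
        return isTrustedOrigin(source) && matchesPinnedDigest(artifact, pinnedSha256Hex);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a JAR's bytes; a real pin comes from the approved-dependency manifest.
        byte[] approved = "lib-1.2.3.jar contents".getBytes(StandardCharsets.UTF_8);
        String pin = sha256Hex(approved);

        URI trusted = URI.create("https://repo.maven.apache.org/maven2/org/example/lib/1.2.3/lib-1.2.3.jar");
        URI untrusted = URI.create("http://mirror.example.com/lib-1.2.3.jar");
        byte[] tampered = approved.clone();
        tampered[0] ^= 0x01; // a single-bit change must be rejected

        System.out.println("trusted origin, matching digest : " + accept(trusted, approved, pin));
        System.out.println("trusted origin, tampered bytes  : " + accept(trusted, tampered, pin));
        System.out.println("untrusted origin, matching bytes: " + accept(untrusted, approved, pin));
    }
}
```

Only the first case is accepted; the tampered copy fails the digest check and the plain-HTTP mirror fails the origin check even though its bytes are intact. The digest comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so that the comparison time does not depend on how many leading bytes match.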
- Check for Quality and Compliance
Scans for OWASP Top 10 issues and checks compliance with coding standards using tools such as SonarQube or Lint.
- Perform Unit Testing
Performs unit testing and captures code coverage data using JaCoCo and JUnit. JUnit executes the unit tests. JaCoCo collects the coverage data, such as which lines of code were executed and, statistically, how much of the code was tested.
- Perform API Testing
Tests the APIs with mock data and test clients using tools such as Dredd, Apiary, or SwaggerHub.
- Test Components and UX
Tests black-box components and any UI elements, and measures performance to ensure there are no basic issues. Collects test coverage metrics using tools such as Selenium and JMeter. JMeter performs user experience and performance testing and exercises the user workflows. Selenium drives the user interface elements.
- Test Security
Tests code for vulnerabilities, such as how it handles illegal API calls, excess payloads, and injection attacks, using ZAP. Performs security testing by checking for redundant code and for the use of prepared SQL statements.
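The following is an added example, not code from the original page, showing why this step checks for prepared SQL statements. The same lookup is written twice: once by splicing the caller's value into the query text (the pattern the check flags), and once with a `PreparedStatement` and a bound parameter (the pattern the check wants to see). The `main` method runs both against an in-memory database with constructed rows and a malformed input of the kind a dynamic scanner such as ZAP sends, so the difference in behaviour is visible. The `orders` table, its rows, and the class name are constructed; it assumes the H2 JDBC driver is on the classpath and Java 17.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class OrderLookup {

    /** Pattern the security test flags: untrusted input becomes part of the SQL text. */
    static List<String> findByCustomerUnsafe(Connection c, String customer) throws SQLException {
        String sql = "SELECT order_id FROM orders WHERE customer = '" + customer + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** Pattern the security test looks for: a prepared statement with a bound parameter. */
    static List<String> findByCustomerSafe(Connection c, String customer) throws SQLException {
        String sql = "SELECT order_id FROM orders WHERE customer = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, customer); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getString(1));
        }
        return ids;
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory database; assumes the H2 driver is on the classpath.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:orders")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE orders (order_id VARCHAR(16), customer VARCHAR(64))");
                st.execute("INSERT INTO orders VALUES ('A-1', 'alice'), ('B-1', 'bob'), ('B-2', 'bob')");
            }
            String normal = "alice";
            String malformed = "x' OR '1'='1"; // the kind of value a security scanner submits

            System.out.println("unsafe, normal input    : " + findByCustomerUnsafe(c, normal));
            System.out.println("unsafe, malformed input : " + findByCustomerUnsafe(c, malformed));
            System.out.println("safe,   normal input    : " + findByCustomerSafe(c, normal));
            System.out.println("safe,   malformed input : " + findByCustomerSafe(c, malformed));
        }
    }
}
```

With the concatenated query the malformed input changes the WHERE clause and every order is returned; with the prepared statement the same input is compared literally as a customer name and no rows match. A static check in this step can flag any `createStatement()` call whose query text is built by string concatenation, and a dynamic test can compare response sizes for normal and malformed inputs as above.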
- Package for Deployment
Packages the solution as a container, validates the packaging, and checks for container issues and best practices using tools such as Docker and Snyk.
- Generate Documentation
Generates useful documentation and makes it available for consumption. Signs artifacts using tools such as Pandoc or Doxygen. Pandoc pushes the project to the next stage and adds it to a trusted store, such as a registry, for use in the next phase.
If any of these steps fails, or the process identifies too many warnings, the build fails. A build can fail at any point in the process, which prevents the subsequent steps from continuing, and a failed build blocks any automated code promotion that was configured. Some of the recommended tools support builds with multiple phases, so that tests can be executed at each phase. For example, system-level tests may use API test tools to interact with the system as an external service rather than simulating the actions of another component within the enterprise solution.