Welcome to the DevSecOps and CI/CD security guide. Browse through each section to discover various relevant resources to ensure security of your applications and infrastructure.

Welcome to 2023! The year of the Linux Desktop, the rise of AI, Software Bill of Materials (SBOM), DevOps is Dead, Platform Engineering is Alive, and a CNCF landscape that won’t be getting any simpler! Seriously, the technology and software sector is growing at a faster pace than any time I can ever recall. Where do we even begin? I hope you enjoy some predictions and trends that will become more and more evident in 2023.

Yesterday, GitHub changed how the archives they provided are made. The result of this change surprised developers, triggering pipeline failures all over the world in most ecosystems. According to this GitHub post, this is a consequence of recent changes to Git itself, released almost six months ago and just deployed within GitHub now with unforeseen impact. This change has thankfully been retracted.

Did you know that Google Search changes how it works about 12 times daily? For example, the internet search giant made about 4,500 changes to Search in 2020 alone. Those changes involved running more than 600,000 tests. Most of us can barely tell how often Google updates because the modifications are subtle. But we can tell that something keeps improving. Many other leading tech solutions do the same, from your tiniest mobile app to big ol’ Apple products.

A few months ago we introduced Repository Access Tokens which were the first of the new resource-based authentication methods we are introducing to Bitbucket Cloud. Repository Access Tokens enable a convenient, yet secure way to manage access for users to a specific repository. While repository access tokens enable you to allow you to control access at a granular level, they are not scalable.

Adopting Kubernetes has introduced several new complications on how to verify and validate all the manifests that describe your application. There are several tools out there for checking the syntax of manifests, scanning them for security issues, enforcing policies etc. But at the most basic case one of the major challenges is to actually understand what each change means for your application (and optionally approve/reject the pull request that contains that change).

On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we’ve learned, and what our plans are to continuously improve our security posture for the future.

Customers can now integrate Cloudsmith with Roadie, letting users monitor key Cloudsmith data within the Roadie developer portal. Cloudsmith has just announced an exciting new integration with Roadie, a start-up that provides SaaS for Backstage, a service catalog open-sourced by Spotify that automatically tracks your microservices. Organizations use Roadie to build a software catalog and developer portal for internal systems, centralizing information in one convenient location.

GitLab CI is a powerful tool for managing the software development and deployment process. It allows you to define and automate build, test, and deployment pipelines and provides features such as version control, collaboration, and continuous integration. However, while GitLab CI is an excellent tool for managing a single environment, it can have some limitations when it comes to managing multiple environments, especially dynamic environments.

Continuous delivery is a software development approach in which code changes are automatically staged for production release. A foundation for modern application development, continuous delivery extends continuous integration by automatically deploying code changes to test and production environments after the build phase. When properly implemented, developers have deployable build artifacts that have passed a standardized testing process and can be deployed to environments as needed.