Open Source Summit Latin America 2022

CI/CD has become the core of all engineering organizations, particularly as engineering velocity increases, the number of services that are managed, deployed & updated constantly, & the diversity of 3rd-party applications our pipelines integrate with. That is why ensuring the security of our CI/CD pipeline is no longer “nice to have”, but a critical piece when delivering our software to production. In this talk we’d like to walk you through the process of building an end-to-end secure pipeline, and the gotchas to look out for when it comes to pipeline security - from misconfigurations in IaC & YAML, to overly permissive CPU limits, and even insecure tagging between dev & prod. We’ll take a deep dive on how we secure our code & configuration, the pipeline itself & its integrations (SBOM), our K8s deployments, and ensure that we have continuous visibility with the right monitoring controls in place. All this will be demoed as code with a tried & true open source stack––from VSCode to Helm for the code & config, to Jenkins & CircleCI for the pipelines, best practices for deployment security, and how to bake in good observability with Prometheus & Lens. We’ll wrap up with some recommended extensions to help secure our pipelines by design, without changing our deployment structure.