Profile Applicability:
Level 1
Description:
Each continuous integration/continuous deployment (CI/CD) pipeline should be designed to perform a single, well-defined task or responsibility, such as building code, running tests, or deploying artifacts. This separation of concerns simplifies maintenance, improves reliability, and reduces the risk of errors or security issues spreading across multiple functions.
Rationale:
Assigning a single responsibility to each pipeline enhances clarity, traceability, and fault isolation. It makes debugging easier, enables more granular access controls, and supports best practices in pipeline design and security.
Impact:
Pros:
Improves pipeline maintainability and clarity.
Facilitates faster troubleshooting and incident response.
Enhances security by limiting scope of pipeline actions.
Supports modular and scalable CI/CD architecture.
Cons:
May increase the number of pipelines to manage.
Requires careful orchestration to coordinate multiple pipelines.
Default value:
Some CI/CD setups combine multiple responsibilities into single pipelines, complicating management and increasing risk.
Audit:
Review pipeline definitions and documentation to ensure each pipeline focuses on a single task. Verify adherence through pipeline execution logs and design reviews.
Remediation:
Refactor complex pipelines into smaller, focused units. Implement orchestration tools to manage pipeline dependencies. Train DevOps teams on single responsibility principles.
References:
Continuous Delivery Best Practices: https://martinfowler.com/articles/continuousDelivery.html
DevOps Pipeline Design Principles: https://www.redhat.com/en/topics/devops/what-is-a-ci-cd-pipeline
CIS Controls v8, Control 16 - Application Software Security: https://www.cisecurity.org/controls/application-software-security/