ADR 004: CI/CD Quality Assurance
Status: Accepted | Date: 2025-03-10
Context
This ADR defines the quality and security gates that software artifacts must pass before infrastructure repositories consume them (see ADR 010). The threats addressed are vulnerabilities in first-party code and third-party dependencies, vulnerable container images, and secrets leaked into source or build artifacts.
Compliance Requirements:
Decision
CI/CD Pipeline Requirements
Pipeline Flow: Code Commit → Build & Test → Quality Assurance → Release
| Stage | Tools | Purpose | Mandatory |
|---|---|---|---|
| Build | Railpack and Docker Bake | Multi-platform builds with SBOM/provenance | Yes |
| Scan | scc and Trivy | Code size and complexity metrics (scc); vulnerability and secret scanning of dependencies and container images (Trivy) | Yes |
| Analysis | Semgrep | Static code analysis | Yes |
| Test | Playwright | End-to-end testing | Recommended |
| Performance | Grafana k6 | Load testing | Optional |
| API | Restish | API validation per ADR 003 | Optional |
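The Scan stage only earns its "Mandatory" rating if its output becomes a pass/fail decision before Release. As an added example, not code from this ADR or from the repositories it governs, the script below turns a Trivy JSON report (as written by `trivy image --format json --scanners vuln,secret -o report.json IMAGE`) into a release gate. The policy thresholds, the `evaluate_report` and `gate` function names, and the embedded sample report (with placeholder CVE identifiers, not real advisories) are assumptions made for illustration; the ADR itself does not prescribe them.

```python
"""Release gate over a Trivy JSON report (added example, not the ADR's own code).

Reads the JSON written by
    trivy image --format json --scanners vuln,secret -o report.json IMAGE
and decides whether the artifact may leave Quality Assurance for Release.

Assumed policy (illustrative; the ADR does not prescribe thresholds):
  * every CRITICAL vulnerability blocks, fixed or not
  * a HIGH vulnerability blocks only when a fixed version exists
    (unfixed HIGHs are reported as advisory, like Trivy's --ignore-unfixed)
  * every secret finding blocks, whatever its severity
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

BLOCK_ALWAYS = {"CRITICAL"}
BLOCK_IF_FIXABLE = {"HIGH"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "vuln" or "secret"
    target: str    # Trivy "Target": OS package set, lockfile or scanned file
    ident: str     # VulnerabilityID (CVE/GHSA) or secret RuleID
    severity: str
    detail: str


def evaluate_report(report: dict) -> tuple[list[Finding], list[Finding]]:
    """Split a Trivy report into (blocking, advisory) findings.

    Trivy emits "Results": null for a clean image and omits "FixedVersion"
    when no fix is known, so both cases are handled explicitly.
    """
    blocking: list[Finding] = []
    advisory: list[Finding] = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "UNKNOWN")).upper()
            fixed = v.get("FixedVersion", "")
            f = Finding("vuln", target, v["VulnerabilityID"], sev,
                        f"{v.get('PkgName')} {v.get('InstalledVersion')} "
                        f"-> {fixed or 'no fix available'}")
            if sev in BLOCK_ALWAYS or (sev in BLOCK_IF_FIXABLE and fixed):
                blocking.append(f)
            else:
                advisory.append(f)
        for s in result.get("Secrets") or []:
            # Secrets always block: a credential baked into an artifact is an
            # incident to handle, not a defect to rank by severity.
            blocking.append(Finding("secret", target, s.get("RuleID", "?"),
                                    str(s.get("Severity", "UNKNOWN")).upper(),
                                    f"{s.get('Title', 'secret')} at line {s.get('StartLine')}"))
    return blocking, advisory


def gate(report: dict) -> int:
    """Print findings and return the process exit code (0 = may release)."""
    blocking, advisory = evaluate_report(report)
    for f in advisory:
        print(f"ADVISORY {f.severity:8} {f.kind:6} {f.ident} [{f.target}] {f.detail}")
    for f in blocking:
        print(f"BLOCK    {f.severity:8} {f.kind:6} {f.ident} [{f.target}] {f.detail}")
    print(f"{len(blocking)} blocking, {len(advisory)} advisory")
    return 1 if blocking else 0


# Constructed sample report in Trivy's JSON schema. The CVE identifiers are
# placeholders (CVE-0000-000x), not real advisories, and the key is masked.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:constructed",
    "Results": [
        {"Target": "registry.example/app:constructed (debian 12.9)",
         "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "Severity": "HIGH"},          # no fix: advisory
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libtiny",
              "InstalledVersion": "0.3", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/config.env", "Class": "secret",
         "Secrets": [
             {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
              "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3,
              "Match": "AWS_ACCESS_KEY_ID=AKIA****************"},
         ]},
    ],
}


if __name__ == "__main__":
    # Usage in the pipeline: python3 release_gate.py report.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report))
```

Run on the embedded sample, the gate blocks on the fixable HIGH and on the secret, reports the unfixed HIGH and the MEDIUM as advisory, and exits 1. Wiring it in is a Justfile recipe or a GitHub Actions step that runs Trivy with `--format json` and then executes this script (the script name `release_gate.py` is an assumed path), so a non-zero exit fails the job before any push to the registry. Keeping the policy in the script rather than in scattered `--exit-code`/`--severity` flags also means the same thresholds apply to filesystem and image scans alike.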
Development Environment
- Use devcontainer-base for standardised tooling
- Use Railpack and Docker Bake to define and standardise build processes
- Use Justfiles for task automation
- Use GitHub Actions for CI/CD automation
CI/CD Pipeline:
Consequences
Benefits:
- Automated scanning so that vulnerable dependencies, vulnerable images and leaked secrets are caught before release rather than in production
- Artifact integrity evidenced by SBOMs and build provenance, giving a consistent basis for compliance review
- Consistent deployment pipelines with audit trails
Risks if not implemented:
- Vulnerable containers deployed to production
- Exposed secrets in application artifacts
- Manual security processes prone to human error
- Compliance violations and audit failures