ADR 004: CI/CD Quality Assurance
Status: Accepted | Date: 2025-03-10
Context
This ADR exists to ensure the security and integrity of the software artifacts that infrastructure repositories consume (see ADR 010). Threat actors exploit vulnerabilities in application code, third-party dependencies and container images, and harvest secrets that are committed to repositories or baked into images.
Compliance Requirements:
Decision
CI/CD Pipeline Requirements
Pipeline Flow: Code Commit → Build & Test → Quality Assurance → Release
| Stage | Tools | Purpose | Mandatory |
|---|---|---|---|
| Build | Docker Bake | Multi-platform builds with SBOM and provenance attestations | Yes |
| Scan | Trivy | Vulnerability scanning of container images and dependencies | Yes |
| Analysis | Semgrep | Static code analysis | Yes |
| Test | Playwright | End-to-end testing | Recommended |
| Performance | Grafana k6 | Load testing | Optional |
| API | Restish | API validation per ADR 003 | Optional |
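The following GitHub Actions workflow is an added example of how the mandatory stages in the table above can be wired together; it is not part of ADR 004 or of the project's own repositories. It assumes a `docker-bake.hcl` in the repository root with a target named `app` that tags the image `ghcr.io/example/app` (both names are assumptions), and it uses the Semgrep registry ruleset `p/default` and the pinned action versions shown, which are choices for the example rather than requirements of the ADR. Pull requests get static analysis plus a single-platform build that is scanned by Trivy; only `main` performs the multi-platform push with SBOM and provenance, after both gates pass.

```yaml
# Added example, not from ADR 004: CI workflow implementing the mandatory stages.
# Assumes docker-bake.hcl defines target "app" tagging ghcr.io/example/app (assumption).
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege by default; only the release job needs to write packages.
permissions:
  contents: read

jobs:
  analysis:
    name: Static analysis (Semgrep, mandatory)
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error makes the job fail when any finding is reported.
      - run: semgrep scan --config p/default --error

  build-scan:
    name: Build and scan (Docker Bake + Trivy, mandatory)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      # Single-platform build loaded into the local daemon so Trivy can scan
      # the exact image that was built. The tag "app:ci" is local only.
      - uses: docker/bake-action@v5
        with:
          targets: app
          load: true
          set: |
            *.platform=linux/amd64
            *.tags=app:ci
      # Fail the job on unfixed-or-not CRITICAL/HIGH findings; ignore-unfixed
      # drops findings with no available fix so the gate stays actionable.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:ci
          format: table
          exit-code: "1"
          severity: CRITICAL,HIGH
          ignore-unfixed: true

  release:
    name: Multi-platform release with SBOM and provenance
    needs: [analysis, build-scan]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Attestations require an OCI/registry output, hence push rather than load.
      - uses: docker/bake-action@v5
        with:
          targets: app
          push: true
          sbom: true
          provenance: mode=max
          set: |
            *.platform=linux/amd64,linux/arm64
```

The split between `build-scan` and `release` is deliberate: SBOM and provenance attestations cannot be attached when an image is loaded into the local Docker daemon, so the scanned single-platform build is the quality gate and the attested multi-platform build is the artifact that is actually published. Pinning the third-party actions to a tag (or better, a commit SHA) is part of the supply-chain posture the ADR is protecting.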
Development Environment
- Use devcontainer-base for standardized tooling
- Use Justfiles for task automation
- Use GitHub Actions for CI/CD automation
CI/CD Pipeline:
Consequences
Without this approach: vulnerable containers are deployed, secrets are exposed, application integrity is compromised, and compliance obligations are violated.
With this approach: artifacts are built, scanned and tested automatically; vulnerabilities are detected before release rather than after deployment, and SBOM and provenance data provide evidence for compliance alignment.