FOSSA Logo
C
DevOps
Automation
Tools

CI/CD (Continuous Integration / Continuous Deployment)

A set of practices and tools that automate the process of building, testing, and deploying software, enabling frequent and reliable software delivery.

What is CI/CD?

CI/CD (Continuous Integration/Continuous Deployment) is a set of practices, principles, and tools that automate the process of building, testing, and deploying software. It forms the backbone of modern DevOps practices, enabling organizations to deliver software updates more frequently, reliably, and securely.

The CI/CD pipeline is a key element of the software supply chain, serving as the automated assembly line that transforms source code into deployable software.

Components of CI/CD

Continuous Integration (CI)

Continuous Integration is the practice of frequently merging code changes into a shared repository, followed by automated building and testing. The main goals of CI are to:

  • Detect integration problems early
  • Ensure code quality through automated testing
  • Provide rapid feedback to developers
  • Maintain a consistently buildable codebase

CI typically includes these steps:

  1. Code commit triggers an automated build
  2. Compilation and static code analysis
  3. Unit and integration testing
  4. Security scanning
  5. Reporting build status and test results

Continuous Delivery (CD)

Continuous Delivery extends CI by automatically preparing code changes for release to production. It ensures that:

  • Software is always in a releasable state
  • Deployments are standardized and reliable
  • Release decisions are business-driven rather than technical

CD typically includes:

  1. Packaging artifacts for deployment
  2. Deploying to staging environments
  3. Running acceptance and performance tests
  4. Preparing for manual approval before production deployment

Continuous Deployment

Continuous Deployment goes one step further by automatically deploying all changes that pass through the pipeline to production, without human intervention. This approach:

  • Eliminates manual deployment processes
  • Enables multiple production deployments per day
  • Provides immediate user feedback on changes

CI/CD in Software Supply Chain Security

CI/CD pipelines are critical elements of the software supply chain and important considerations for security:

Security Benefits

  • Consistent Builds: Standardized build processes reduce variability and security risks
  • Automated Security Checks: Integration of security scanning tools (SAST, DAST, SCA)
  • Reproducibility: Well-designed CI/CD enables reproducible builds
  • Auditability: Pipeline logs provide a record of how artifacts were created
  • Reduced Human Error: Automation eliminates manual mistakes in deployment

Security Risks

  • Privileged Access: CI/CD systems often have extensive access to sensitive resources
  • Pipeline Tampering: Unauthorized changes to pipeline configurations
  • Credential Leakage: Exposure of secrets used in builds and deployments
  • Dependency Attacks: Compromised dependencies in the build process
  • Infrastructure Vulnerabilities: Insecure CI/CD infrastructure configuration

Cloud-based CI/CD Services

  • GitHub Actions: Integrated CI/CD for GitHub repositories
  • GitLab CI/CD: Built into the GitLab platform
  • CircleCI: Cloud-native CI/CD platform
  • Travis CI: CI service integrated with GitHub
  • AWS CodePipeline: AWS native CI/CD service
  • Azure DevOps Pipelines: Microsoft's cloud-based CI/CD service

Self-hosted CI/CD Platforms

  • Jenkins: The most widely used open-source automation server
  • TeamCity: JetBrains' CI/CD server
  • Bamboo: Atlassian's CI/CD server
  • GoCD: ThoughtWorks' continuous delivery server
  • Tekton: Cloud-native CI/CD framework for Kubernetes
  • Drone: Container-native CI/CD platform

CI/CD Best Practices for Supply Chain Security

  1. Pipeline as Code: Define CI/CD pipelines as code and store in version control
  2. Immutable Artifacts: Create immutable artifacts that are not modified after building
  3. Artifact Signing: Cryptographically sign build artifacts to verify authenticity
  4. Provenance Generation: Record metadata about how artifacts were created
  5. Secure Credential Management: Use vault services for secrets rather than hardcoding
  6. Least Privilege: Run CI/CD jobs with minimal required permissions
  7. Ephemeral Build Environments: Use clean environments for each build
  8. Dependency Verification: Validate dependencies before incorporating them
  9. Automated Security Testing: Include security scans as mandatory pipeline stages
  10. SBOM Generation: Automatically generate Software Bills of Materials for artifacts

Related Terms

Artifact

A file or package produced by the build process, such as an executable, container image, library, or other deployable component.

Build System

Software that automates the process of converting source code into executable applications, handling compilation, linking, packaging, and other build tasks.

Software Supply Chain

The full lifecycle and pipeline involved in developing, building, packaging, distributing, and deploying software—including dependencies, tools, infrastructure, and people.