Contributors: - Andrea Frittoli, IBM, UTC+1 - <add your name> # Introduction Identify Continuous Delivery capabilities to be used as foundation component for the CD Reference Architecture. # Current Art The starting point for this document is the work done by the [SIG Best Practices][sig-bp], as well as capabilities identified by other groups and projects: - [SIG Best Practices][sig-bp]: - [Reference Architecture Capabilities][sig-bp-capabilties] - [OpenSSF][openssf]: - [Security Toolbest Capabilities (draft)][openssf-toolbest-capabilities] - [CNCF App Delivery TAG][cncf-app=delilvery-tag]: - [CNCF Platform Whitepaper][cncf-app-delivery-tag-wp] - [FRSCA][frsca] - [CNOE.io][cnoe] - [CDEvents][cdevents] - [Use Cases][cdevents-use-cases] - [Diagrams][cdevents-diagrams] [sig-bp]: https://github.com/cdfoundation/sig-best-practices [sig-bp-capabilties]: https://bestpractices.cd.foundation/architecture/capabilities/ [openssf]: https://openssf.org/ [openssf-toolbest-capabilities]: https://docs.google.com/document/d/1DtSaj2avvKCdXLcWu6W4-Np7uKVizLCTmI0KWxqVitE/edit#heading=h.x4xu96a3blxs [cncf-app=delilvery-tag]: https://tag-app-delivery.cncf.io/ [cncf-app-delivery-tag-wp]: https://tag-app-delivery.cncf.io/whitepapers/platforms/ [frsca]: https://github.com/buildsec/frsca [cnoe]: https://cnoe-io.github.io/website/ [cdevents]: https://cdevents.dev [cdevents-use-cases]: https://cdevents.dev/docs/primer/#use-cases [cdevents-diagrams]: https://drive.google.com/file/d/1dhdPlEIjD0kDkcFxWH7aoYXh-GXiM5-v/view?usp=sharing ## CDEvents <details> <summary>Expand</summary> ### Diagram  ### Components #### Software Configuration Management (SCM) * The SCM provides secure storage and versioning of source code * The SCM enables collaborative development for teams * Peer review * Issue management * Communication #### Build System * Tools and frameworks to build software artifacts #### Signing Tools * Tools and frameworks to sign source code and artifacts #### Artifact Storage * Systems where the artifacts are stored for further use (e.g., testing, delivery, deployment) #### Test Tools/Frameworks * Tools and frameworks to run tests which can take place in different phases of the CD flow * Unit test * Static analysis * Functional * Performance * Stability #### Events Broker #### "Choreographer" (Policy/Trigger) The "choreographer" watches all events and the content of the evidence store and applies business logic (policies) that control what happens next in the CD event-driven workflow. #### Policy Engine/Framework * Tools to define, maintain and enforce policies #### Evidence Store The evidence store collects all events in a secure way. #### Visualisation Tools The visualisation tools can work with live events, the evidence store and the metrics aggregator to provide various kind of visualisations, for instance - specific event-driven workflows, their current status - number of workflows in flow in the system - historical data and metrics - audit trail of specific artifacts #### Notification Engine #### Metrics Aggregator #### Monitoring and Observability System </details> </br> ### OpenSSF Security Toolbelt Capabilities <details> <summary>Expand</summary> #### Capabilities desired from the Upstream Secure Software Factory ##### Code & Pre-Build Secure Developer * It is desirable that developers have knowledge of how to develop software securely, that they understand common coding errors and patterns of behaviour that lead to security vulnerabilities, and have the means to highlight their security expertise. Secure Development Environment * It is desirable that developers have access to and use secure tools to create and test software. This would include various security tools such as SAST, fuzzers, etc. Secure Dependency Selection * It is desirable that developers select dependencies to select secure and sustainable projects and ensure they’re ingesting the intended components (countering typosquatting). Secure Source Code Management * It is desirable that developers and projects store source code for their software in secured repositories that help manage and track the integrity of that code. ##### Build Secure CI/CD - Build System * It is desirable that developers and projects use secure build systems that continuously integrate and build authorized software, and also leverage secure tools for automation of repeated tasks. ##### Post build ##### Publish Secure Publication/Distribution * It is desirable that developers and projects use secure methods and tools to publish and distribute their production-ready software to their downstreams. ##### Post publish #### Capabilities desired from Downstream Secure Integration/Operations Facility ##### Secure Ingestion * It is desirable that downstream consumers of upstream open source software have effective signaling and methods to identify and evaluate the security quality of open source software, dependencies, and libraries that they integrate into their own operations and software. ##### Secure Implementation * It is desirable that downstream consumers have sufficient instructions and tools to implement upstream software securely into their own operations and software. ##### Secure Maintenance * It is desirable that downstream consumers have the means to be informed of updates and changes to upstream software so that they can effectively maintain and operate that software in their own operations and software during the software’s supported lifecycle. #### Cross-Cutting Capabilities ##### Supply Chain Metadata Storage It is desirable for an organization implementing a secure SDLC to have a place to store, query, and analyze metadata pertinent to the prevention, detection, and remediation of supply chain security issues. ##### Supply Chain Control Plane It is desirable for an organization implementing a secure SDLC to have a centralized place to configure and manage the other capabilities to ensure consistent policy enforcement. </details> </br> ### CNOE <details> <summary>Expand</summary> * [Artifact Registries](https://cnoe-io.github.io/website/docs/capabilities/artifact-registry) * [Packaging and Templating](https://cnoe-io.github.io/website/docs/capabilities/packaging-and-templating) * [Code Repositories](https://cnoe-io.github.io/website/docs/capabilities) * [Config Repositories](https://cnoe-io.github.io/website/docs/capabilities) * [Secret Repositories](https://cnoe-io.github.io/website/docs/capabilities) * [Signing](https://cnoe-io.github.io/website/docs/capabilities) * [Developer Portal](https://cnoe-io.github.io/website/docs/capabilities) * [Identity and Access](https://cnoe-io.github.io/website/docs/capabilities) * [Infrastructure as Code (IaC)](https://cnoe-io.github.io/website/docs/capabilities) * [Continuous Delivery (CD)](https://cnoe-io.github.io/website/docs/capabilities) * [Workflow Orchestration](https://cnoe-io.github.io/website/docs/capabilities) * [Service Discovery](https://cnoe-io.github.io/website/docs/capabilities) * [Secret Management](https://cnoe-io.github.io/website/docs/capabilities) * [Validation](https://cnoe-io.github.io/website/docs/capabilities) * [Compute Platform](https://cnoe-io.github.io/website/docs/capabilities) * [Observability](https://cnoe-io.github.io/website/docs/capabilities) * [Deployment Targets](https://cnoe-io.github.io/website/docs/capabilities) </details> </br> ## CD Capabilities