Tools & Tool Mentors
NUP recommended tools by discipline and technology stack
NUP provides Tool Mentors—guidance documents that describe how specific tools support NUP activities across the software development lifecycle. This section catalogs recommended tools organized by discipline and technology stack.
| Guide | Focus Area | Use Cases |
| --- | --- | --- |
| Testing Tools | Quality assurance | Unit testing, integration, E2E, performance |
| Security Tools | Security analysis | Threat modeling, scanning, penetration testing |
| Build & Integration | CI/CD pipeline | Build automation, continuous integration |
| Infrastructure Tools | DevOps | Infrastructure as code, containerization |
| Design Tools | Architecture | Diagramming, modeling, documentation |
| Requirements Tools | Discovery | Requirements management, user research |

| Category | Tools | Purpose |
| --- | --- | --- |
| Requirements | Jira, Azure DevOps, Aha! | Requirements capture and tracking |
| User Research | Miro, FigJam, Dovetail | Customer journey mapping, research synthesis |
| Prototyping | Figma, Sketch, Axure | UI/UX prototyping and validation |

| Category | Tools | Purpose |
| --- | --- | --- |
| Architecture | C4 Model tools, draw.io, Lucidchart | Architecture diagrams |
| API Design | OpenAPI/Swagger, Postman | API specification |
| Data Modeling | dbdiagram.io, ERDPlus | Database design |

| Category | Tools | Purpose |
| --- | --- | --- |
| IDE | VS Code, IntelliJ, Visual Studio | Code development |
| Version Control | Git, GitHub, GitLab, Azure DevOps | Source code management |
| Code Quality | ESLint, Prettier, SonarQube | Code standards enforcement |

| Category | Tools | Purpose |
| --- | --- | --- |
| Unit Testing | Jest, JUnit, NUnit, pytest | Unit tests |
| Integration | Cypress, Playwright, Selenium | E2E testing |
| Security | OWASP ZAP, Snyk, SonarQube | Security scanning |

| Category | Tools | Purpose |
| --- | --- | --- |
| CI/CD | GitHub Actions, Jenkins, Azure Pipelines | Automation |
| Containers | Docker, Kubernetes, Helm | Containerization |
| IaC | Terraform, Pulumi, CloudFormation | Infrastructure |

| Category | Tools | Purpose |
| --- | --- | --- |
| Monitoring | Datadog, New Relic, Prometheus | Observability |
| Logging | ELK Stack, Splunk, Loki | Log management |
| Alerting | PagerDuty, OpsGenie, VictorOps | Incident management |

When selecting tools for NUP projects, consider:

```yaml
tool_evaluation:
  regulatory_fit:
    - Audit logging capabilities
    - Data retention features
    - Access control granularity
    - Compliance certifications (SOC 2, ISO 27001)
  integration:
    - API availability
    - SSO/SAML support
    - Existing toolchain compatibility
  evidence_generation:
    - Report generation
    - Export capabilities
    - Traceability features
```

| Stack | Primary Tools | CI/CD | Testing |
| --- | --- | --- | --- |
| JavaScript/TypeScript | VS Code, npm/pnpm | GitHub Actions | Jest, Playwright |
| Java | IntelliJ, Maven/Gradle | Jenkins, GitHub Actions | JUnit, Mockito |
| .NET | Visual Studio, NuGet | Azure DevOps | NUnit, xUnit |
| Python | PyCharm, pip/poetry | GitHub Actions | pytest, tox |
| Go | VS Code, go modules | GitHub Actions | go test, testify |

Based on industry best practices and Microsoft Engineering Playbook guidance:

| Category | Recommended | Alternative |
| --- | --- | --- |
| Framework | React, Next.js | Vue.js, Angular |
| Styling | Tailwind CSS | CSS Modules, Styled Components |
| Testing | Vitest, Playwright | Jest, Cypress |
| Bundler | Vite | webpack, esbuild |

| Category | Recommended | Alternative |
| --- | --- | --- |
| API | Node.js, .NET, Go | Java Spring, Python FastAPI |
| Database | PostgreSQL | MySQL, SQL Server |
| Cache | Redis | Memcached |
| Message Queue | RabbitMQ, Kafka | AWS SQS |

| Category | Recommended | Alternative |
| --- | --- | --- |
| Cloud | AWS, Azure, GCP | Self-hosted |
| Containers | Docker, Kubernetes | ECS, Cloud Run |
| IaC | Terraform | Pulumi, CloudFormation |
| Secrets | HashiCorp Vault | AWS Secrets Manager |

This section fulfills ISO 13485 requirements for infrastructure (6.3), monitoring and measuring equipment (7.6), and validation of software (7.5.2), and ISO 27001 requirements for asset management (A.5.9), secure development environment (A.8.31), and configuration management (A.8.9).