CI/CD & DevOps
Continuous integration, delivery, and DevSecOps practices for regulated software
DevOps is a cultural and technical approach that combines development and operations teams to deliver software continuously, safely, and reliably. For regulated environments, DevOps practices must balance speed with compliance and quality requirements.
What is DevOps?
DevOps combines collaboration between development and operations teams, integrated processes, and shared tooling so that software changes can be delivered continuously rather than in infrequent large releases.
DevOps Adoption Paths
The DevOps lifecycle consists of six adoption paths that allow teams to focus on immediate needs and grow from there:
| Adoption Path | Focus Area | Key Activities |
|---|---|---|
| Continuous Business Planning | Plan & Measure | Lean principles, OKRs, adapt and learn |
| Collaborative Development | Develop & Test | Cross-team collaboration, CI, code reviews |
| Continuous Testing | Develop & Test | Automated testing, virtualized environments |
| Continuous Release & Deploy | Release & Deploy | Automated deployments, push-button releases |
| Continuous Monitoring | Monitor & Optimize | Performance tracking, availability monitoring |
| Continuous Optimization | Monitor & Optimize | Customer feedback, behavior analysis |
DevOps Principles
Culture
- Collaboration: Break down silos between Dev, Ops, Security, and QA
- Shared Responsibility: Everyone owns quality and reliability
- Learning Culture: Blameless post-mortems, continuous improvement
- Customer Focus: Deliver value continuously
Automation
- Build Automation: Consistent, repeatable builds
- Test Automation: Fast feedback on quality
- Deployment Automation: Reliable, frequent deployments
- Infrastructure Automation: Consistent environments
Measurement
- Lead Time: Time from commit to production
- Deployment Frequency: How often you deploy
- Change Failure Rate: Percentage of failed deployments
- Mean Time to Recovery: Time to restore service
DevOps Pipeline
Pipeline Stages
| Stage | Purpose | Tools |
|---|---|---|
| Source | Version control, code review | Git, GitHub, GitLab |
| Build | Compile, package | Maven, npm, Docker |
| Unit Test | Test individual components | Jest, JUnit, pytest |
| Security Scan | SAST, SCA, secrets detection | Semgrep, Snyk, Gitleaks |
| Integration Test | Test component interactions | Testcontainers, Postman |
| E2E Test | Test complete workflows | Playwright, Cypress |
| Deploy | Release to environments | Kubernetes, Terraform |
Environments
Environment Parity
- Deploy the same built artifact to every environment; only injected configuration (endpoints, credentials, feature flags) differs between them
- Use the same automated deployment process for all environments
- Test each deployment in a pre-production environment before it reaches production
- Detect environment-specific issues early, before they surface in production
DevOps for Regulated Industries
Compliance Integration
| Requirement | DevOps Practice |
|---|---|
| Audit Trail | Git history, pipeline logs, artifact provenance |
| Change Control | Pull requests, approvals, automated deployments |
| Traceability | Requirement → Test → Build → Deploy |
| Validation | Automated testing, environment validation |
| Documentation | Auto-generated from pipeline artifacts |
FDA/HIPAA Considerations
- Maintain Design History File (DHF) artifacts
- Document validation activities
- Preserve evidence of testing
- Control access to production deployments
- Audit all changes and deployments
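The practices in the compliance table and the FDA/HIPAA list above (evidence of testing, controlled changes, traceability to requirements, an audit record of what was deployed) are concrete enough to automate as a pipeline gate. The following is an added example, not the page's own scripts or any vendor's tooling: it implements a coverage threshold, a separation-of-duties check on approvals, a requirement-traceability check, and a hashed evidence manifest in one Python module. The input layouts, field names, thresholds and file paths are assumptions chosen for illustration; the sample inputs are constructed.

```python
"""Compliance gate for a CI compliance-check stage (added example, assumed layouts)."""
import hashlib
import json
from pathlib import Path

COVERAGE_THRESHOLD = 80.0        # assumed project policy, percent of lines covered
MIN_INDEPENDENT_APPROVERS = 2    # approvers other than the change author

# Constructed sample inputs standing in for real pipeline artifacts.
SAMPLE_COVERAGE = {"totals": {"percent_covered": 91.4}}   # coverage.py-style JSON (assumed layout)
SAMPLE_CHANGE = {                                          # change metadata as fetched from the SCM API
    "commit": "a1b2c3d4",
    "author": "alice",
    "approvals": ["alice", "bob", "carol"],                # alice approved her own change
    "requirement_ids": ["REQ-1042"],                       # links the change to a requirement
}
SAMPLE_ARTIFACTS = {                                       # built outputs hashed into the evidence
    "app-1.4.2.tar.gz": b"fake build output",
    "sbom.json": b'{"bomFormat": "CycloneDX"}',
}


def check_coverage(report, threshold=COVERAGE_THRESHOLD):
    """Fail if line coverage is below the policy threshold."""
    pct = float(report["totals"]["percent_covered"])
    ok = pct >= threshold
    return ok, f"coverage {pct:.1f}% (threshold {threshold:.1f}%)"


def check_approvals(change, minimum=MIN_INDEPENDENT_APPROVERS):
    """Separation of duties: a self-approval does not count towards the minimum."""
    independent = sorted(set(change["approvals"]) - {change["author"]})
    ok = len(independent) >= minimum
    return ok, f"{len(independent)} independent approver(s): {', '.join(independent) or 'none'}"


def check_traceability(change):
    """Every change must cite at least one requirement identifier."""
    ids = change.get("requirement_ids") or []
    return bool(ids), f"requirements: {', '.join(ids) or 'none'}"


def evidence_manifest(change, artifacts, checks):
    """Audit record: which commit, what was checked, and SHA-256 of every artifact."""
    return {
        "commit": change["commit"],
        "author": change["author"],
        "checks": checks,
        "artifacts": {name: hashlib.sha256(data).hexdigest()
                      for name, data in sorted(artifacts.items())},
    }


def run_gate(report, change, artifacts):
    """Run every check and return (passed, manifest); the manifest is produced even on failure
    so that a blocked release leaves the same evidence trail as a successful one."""
    results = {
        "coverage": check_coverage(report),
        "approvals": check_approvals(change),
        "traceability": check_traceability(change),
    }
    checks = {name: {"passed": ok, "detail": detail} for name, (ok, detail) in results.items()}
    passed = all(ok for ok, _ in results.values())
    return passed, evidence_manifest(change, artifacts, checks)


if __name__ == "__main__":
    passed, manifest = run_gate(SAMPLE_COVERAGE, SAMPLE_CHANGE, SAMPLE_ARTIFACTS)
    out = Path("compliance-evidence") / "manifest.json"   # assumed artifact path
    out.parent.mkdir(exist_ok=True)
    out.write_text(json.dumps(manifest, indent=2))
    print(json.dumps(manifest, indent=2))
    raise SystemExit(0 if passed else 1)   # a non-zero exit blocks the later deploy stage
```

Two points matter more than the checks themselves. The approval list must be fetched by the job from the SCM's API with the job's own credentials, never read from a file in the repository, otherwise the author can forge it. And the gate only controls anything if the branch is protected and the job cannot be skipped or marked allowed-to-fail; store the manifest as a pipeline artifact so the evidence outlives the job.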
Pipeline Compliance Controls
```yaml
# Example: Compliance-aware pipeline (GitLab CI syntax).
# Stages run in order; if any job in compliance-check fails, the deploy stage does not run.
stages:
  - build
  - test
  - security
  - compliance-check
  - deploy

compliance-check:
  stage: compliance-check
  script:
    - ./scripts/verify-test-coverage.sh   # fail the job if coverage is below policy
    - ./scripts/verify-approvals.sh       # fail the job without the required independent approvals
    - ./scripts/generate-audit-report.sh  # write the evidence consumed by auditors
  artifacts:
    paths:
      - audit-report.pdf
      - compliance-evidence/
```
Key Metrics (DORA)
The four DevOps Research and Assessment (DORA) metrics measure software delivery performance. The bands below follow the annual State of DevOps reports; the cut-offs shift between report years, so treat them as orientation rather than fixed targets:
| Metric | Elite | High | Medium | Low |
|---|---|---|---|---|
| Deployment Frequency | On-demand | Daily-Weekly | Weekly-Monthly | Monthly+ |
| Lead Time for Changes | < 1 hour | 1 day - 1 week | 1 week - 1 month | 1-6 months |
| Change Failure Rate | 0-15% | 16-30% | 16-30% | 46-60% |
| Time to Restore Service | < 1 hour | < 1 day | 1 day - 1 week | 1 week+ |
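Computing the four metrics from a deployment log is straightforward once the measurement points are fixed: lead time from the change's first commit to its production deploy, change failure rate as the fraction of deploys that degraded service, and time to restore from the failed deploy to recovery. The following is an added example, not the page's code. The log layout, the 30-day window and the band cut-offs are assumptions: the cut-offs follow the table above with the gaps between bands rounded up to the next band, and because the table does not separate High from Medium on change failure rate, that metric is classified as Elite, High or Low only. The deployment log is constructed.

```python
"""Compute and classify the four DORA metrics from a deployment log (added example)."""
from datetime import datetime
from statistics import median

WINDOW_DAYS = 30  # the constructed log covers one 30-day reporting window (assumed)

# Constructed deployment log (ISO 8601 timestamps, UTC assumed).
# commit_at: first commit of the change; deployed_at: its production deploy;
# failed: the deploy degraded service; restored_at: when service recovered.
DEPLOYS = [
    {"commit_at": "2024-03-01T09:00:00", "deployed_at": "2024-03-01T11:00:00", "failed": False, "restored_at": None},
    {"commit_at": "2024-03-04T14:00:00", "deployed_at": "2024-03-05T10:00:00", "failed": True, "restored_at": "2024-03-05T10:45:00"},
    {"commit_at": "2024-03-08T08:00:00", "deployed_at": "2024-03-08T08:30:00", "failed": False, "restored_at": None},
    {"commit_at": "2024-03-12T16:00:00", "deployed_at": "2024-03-15T09:00:00", "failed": False, "restored_at": None},
    {"commit_at": "2024-03-20T10:00:00", "deployed_at": "2024-03-22T13:00:00", "failed": True, "restored_at": "2024-03-22T19:00:00"},
    {"commit_at": "2024-03-26T11:00:00", "deployed_at": "2024-03-26T12:00:00", "failed": False, "restored_at": None},
]

HOUR, DAY, WEEK, MONTH = 1.0, 24.0, 7 * 24.0, 30 * 24.0  # band limits, in hours


def _hours_between(later, earlier):
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600.0


def dora_metrics(deploys, window_days=WINDOW_DAYS):
    """Return the four metrics: durations are medians in hours, the failure rate a fraction.
    time_to_restore_hours is None when nothing failed, since it is then undefined."""
    if not deploys:
        raise ValueError("no deployments in the window")
    failed = [d for d in deploys if d["failed"]]
    for d in failed:
        if not d["restored_at"]:
            raise ValueError(f"failed deploy at {d['deployed_at']} has no restored_at")
    lead_times = [_hours_between(d["deployed_at"], d["commit_at"]) for d in deploys]
    restore_times = [_hours_between(d["restored_at"], d["deployed_at"]) for d in failed]
    return {
        "deploys_per_day": len(deploys) / window_days,
        "lead_time_hours": median(lead_times),
        "change_failure_rate": len(failed) / len(deploys),
        "time_to_restore_hours": median(restore_times) if restore_times else None,
    }


def _band(value, cutoffs):
    """cutoffs: ascending (exclusive upper bound, label) pairs; anything above them is Low."""
    for upper, label in cutoffs:
        if value < upper:
            return label
    return "Low"


def classify(metrics):
    """Map the metrics onto the Elite/High/Medium/Low bands of the table above."""
    days_per_deploy = 1.0 / metrics["deploys_per_day"]
    ttr = metrics["time_to_restore_hours"]
    return {
        "deployment_frequency": _band(days_per_deploy, [(1, "Elite"), (7, "High"), (30, "Medium")]),
        "lead_time": _band(metrics["lead_time_hours"], [(HOUR, "Elite"), (WEEK, "High"), (MONTH, "Medium")]),
        "change_failure_rate": _band(metrics["change_failure_rate"], [(0.16, "Elite"), (0.31, "High")]),
        "time_to_restore": "n/a" if ttr is None else _band(ttr, [(HOUR, "Elite"), (DAY, "High"), (WEEK, "Medium")]),
    }


if __name__ == "__main__":
    m = dora_metrics(DEPLOYS)
    for name, value in m.items():
        print(f"{name}: {value}")
    print(classify(m))
```

Whatever measurement points you choose (some teams start lead time at the merge rather than the first commit), fix them in writing and keep them stable, otherwise the trend line is meaningless and the numbers cannot be compared with the bands in the table.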
DevOps Tools Ecosystem
CI/CD Platforms
| Tool | Type | Features |
|---|---|---|
| GitHub Actions | Cloud | Native GitHub integration |
| GitLab CI | Cloud/Self-hosted | Integrated DevOps platform |
| Jenkins | Self-hosted | Highly customizable |
| Azure DevOps | Cloud | Enterprise features |
| CircleCI | Cloud | Fast builds, good caching |
Infrastructure & Deployment
| Tool | Purpose |
|---|---|
| Kubernetes | Container orchestration |
| Terraform | Infrastructure as Code |
| Ansible | Configuration management |
| ArgoCD | GitOps deployments |
| Helm | Kubernetes package manager |
Monitoring & Observability
| Tool | Purpose |
|---|---|
| Prometheus | Metrics collection |
| Grafana | Visualization |
| Datadog | Full-stack monitoring |
| PagerDuty | Incident management |
Best Practices
Do
- Automate everything possible
- Keep pipelines fast (< 10 minutes ideal)
- Deploy frequently in small batches
- Monitor everything
- Practice infrastructure as code
- Implement feature flags
- Conduct blameless post-mortems
Don't
- Skip tests to deploy faster
- Make manual changes to production
- Ignore security in the pipeline
- Create environment-specific code
- Deploy without rollback capability
- Accumulate technical debt in pipelines
Related Resources
- Continuous Integration
- Continuous Delivery
- Infrastructure as Code
- DevSecOps
- Automated Testing
- Microsoft Playbook: CI/CD
Compliance
This section fulfills ISO 13485 requirements for software validation (4.1.5), design changes (7.3.7), control of production (7.5.1), control of records (4.2.4), and traceability (7.5.3), and ISO 27001 requirements for secure development lifecycle (A.8.25), environment separation (A.8.31), change management (A.8.32), configuration management (A.8.9), and secure architecture (A.8.27).