In this video we will take a look at the principles and goals that drive automating validation within a CI/CD process, as well as the types of automated validation.

Automated validation is a core principle of CI/CD. No organization will adopt a fully automated process of building and deploying applications to production if it isn’t confident that the code being deployed has been validated, is free of bugs, meets business requirements, and is secure. This is only possible by automating these validation steps as a part of the CI/CD process.

There are five main types of automated validation: testing, security scanning and validation, regulatory compliance, documentation, and code quality and analysis. Let’s take a deep look at each of these topics.

Automated testing represents a collection of practices to verify the correctness of your application. Automated testing comes in many forms and can be executed across different phases of the CI/CD process. During the build phase there is unit testing, which validates that an application’s internal behavior is correct; integration testing, which checks to make sure an application can communicate with remote processes; and behavior testing, a high-level form of testing which makes sure an application is meeting business requirements.

Additionally, there is testing that is executed against a deployed application. Types of testing that might be executed during this phase include performance testing, to verify an application is meeting performance requirements; end-to-end testing, verifying that processes that might span multiple systems and services can complete successfully; and visual testing, a somewhat newer area of automated testing that verifies an application is meeting visual criteria.

Security validation is a key step in the CI/CD process, but probably not where many organizations might think.
Organizations spend a lot of effort building and maintaining their applications, so there can be a tendency to focus on the code they have written when looking for security vulnerabilities. The reality, though, is that only a small portion of the code running in production is the actual application code written within an organization. Applications depend upon frameworks, third-party libraries, application servers, runtimes, operating systems and so on to function in a production environment. These dependencies represent a vastly larger surface area for hackers to exploit, so it is critical to include steps in the CI/CD process that scan dependencies for known exploits.

Many organizations face regulatory requirements, such as in the areas of accessibility, data security and integrity, system and data access, and change control management. Fulfilling these regulatory requirements might mean making sure an application meets certain design criteria, or that a specific type of reporting is produced. Automating these tasks can not only provide substantial labor savings, but often does a better job of fulfilling regulatory requirements, as the automated output can be more detailed or consistent.

Documenting an application or system is often a dreaded task, pushed off until the end of a project, hastily done, and rarely updated. It isn’t uncommon for an application’s supporting documentation to be found incomplete or inaccurate. While automation can’t entirely replace this process, it can help. Tools and standards like Swagger and OpenAPI can be added to projects to automatically generate documentation about a project’s API. Test tools like Cucumber or Spring REST Docs, either natively or through third-party plugins, can generate documentation directly from their test definitions. Many languages also support a documentation standard for describing classes, methods, and members, like Javadoc for Java or JSDoc for JavaScript.
These tools and standards can be added to the CI/CD process to automatically generate and publish documentation about an application.

Code quality checks, often in the form of static code analysis, can also be added to CI/CD processes. Static code analysis can be used to make sure code meets an organization’s style guidelines; make sure it doesn’t contain common bugs, for example infinite loops or dead code; check for common security vulnerabilities, like hardcoded passwords; and check for code that might be lacking proper test coverage.

During this video we covered the importance of automated validation to CI/CD, the goals of automated validation, and the different types of automated validation.
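
The dependency scanning step from the security validation part of the video, sketched as an added example that is not part of the original material: a build gate that compares exactly pinned dependencies against an advisory list and fails the pipeline stage on a match. The package names, versions and advisory IDs are constructed, and a real pipeline would take its advisories from a maintained vulnerability database rather than an inline list.

```python
import re

# Constructed sample data: hypothetical packages and advisory IDs, not real ones.
PINNED = "webframe==2.3.1\nyamlparse==5.4\nImg_Tools==9.0.0  # thumbnails\nhttpclient>=1.0\n"
ADVISORIES = [  # (package, first affected version, first fixed version, advisory id)
    ("webframe", "2.0.0", "2.3.4", "EXAMPLE-2024-0001"),
    ("yamlparse", "0", "5.4", "EXAMPLE-2023-0042"),
    ("img-tools", "8.1.0", "9.0.1", "EXAMPLE-2024-0107"),
]

def normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()  # '-', '_', '.' and case are equivalent

def version_key(version):
    """'2.3.0' -> (2, 3): numeric comparison, trailing zeros ignored."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_pins(text):
    """Return ({name: version}, [lines that are not exact '==' pins])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.fullmatch(r"([A-Za-z0-9._-]+)==(\d+(?:\.\d+)*)", line)
        if match:
            pins[normalize(match.group(1))] = match.group(2)
        elif line:
            unpinned.append(line)
    return pins, unpinned

def scan(text, advisories=ADVISORIES):
    """Return (findings, unpinned); finding = (package, version, advisory id, fixed)."""
    pins, unpinned = parse_pins(text)
    findings = []
    for package, introduced, fixed, advisory_id in advisories:
        version = pins.get(normalize(package))
        if version and version_key(introduced) <= version_key(version) < version_key(fixed):
            findings.append((package, version, advisory_id, fixed))
    return findings, unpinned

if __name__ == "__main__":
    findings, unpinned = scan(PINNED)
    for package, version, advisory_id, fixed in findings:
        print(f"FAIL {package} {version}: {advisory_id}, fixed in {fixed}")
    for line in unpinned:
        print(f"WARN cannot check unpinned requirement: {line}")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the pipeline stage
```

Requirements that are not exact pins are reported separately because the gate cannot tell which version the build will actually resolve.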