
Pillars of Creation CI/CD Pipeline for your App

Introduction

This guide will walk you through setting up the "Pillars of Creation" pipeline in your GitLab instance, covering initial configuration, prerequisites, and deployment procedures.

The Pillars of Creation is a robust Continuous Integration and Continuous Deployment (CI/CD) pipeline designed to facilitate efficient and secure software development. It is structured around four main pillars, each representing a critical stage in the software delivery process:

  1. Pipeline Trigger
  2. Code Analysis & Artifact Build
  3. Artifact Analysis
  4. GitLab Local Registry

By integrating automated processes for code quality, security, and artifact management, the pipeline ensures robust and reliable software delivery.

Audience

This documentation is intended for:

  • Software Developers: Professionals involved in writing and maintaining code.
  • Software Engineers: Individuals engaged in the broader aspects of software development, including system design, testing, and deployment.

Whether you're new to the Pillars of Creation pipeline or looking to deepen your understanding, this guide will assist you in navigating its features and functionalities.

Prerequisites

Before you begin, ensure you have the following items ready:

Tip

It is recommended to create variables at the Group level in GitLab. This will make them accessible to all projects within that group.

Required Tools and Access

  • GitLab Account: Access to the target project's GitLab repository.
  • SonarQube Project Access: Open a SmoothGlue Jira Service Desk ticket to get your project added and hooked up to SonarQube.
  • Pre-Commit Tool: Installed locally for pre-commit code checks.

Note

Ensure you have the necessary permissions to view project settings and CI/CD variables.

Terminology

  • CI/CD: Continuous Integration and Continuous Deployment. A strategy for automating code integration, testing, and deployment.
  • NIST: National Institute of Standards and Technology. Manages the National Vulnerability Database (NVD) used for security vulnerability assessments.
  • NeuVector: A security platform for container vulnerability scanning.

Verify Initial Setup

Your Organization Administrator should have set up these variables already. The steps below only verify that they are in place.

1. Verify CI/CD Tokens

The container image requires access via CI tokens for registry authentication:

  1. Navigate to your project in GitLab.
  2. Go to Settings > CI/CD > Token Access.
  3. Verify that the necessary tokens are properly set up for registry access.

2. Verify NIST API Key

The pipeline utilizes the NVD_API_KEY for dependency vulnerability checks (required if you are building the dependency-check container image):

  1. In your GitLab project, navigate to Settings > CI/CD > Variables.
  2. Verify that the NVD_API_KEY variable key and value exist.

3. Verify NeuVector API Key

For container vulnerability scanning:

  1. In your GitLab project, navigate to Settings > CI/CD > Variables.
  2. Verify that the NV_X_AUTH_APIKEY variable key and value exist.
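The checks in steps 2 and 3 can also be run against GitLab's REST API instead of the UI; the script below is an added example, not part of this guide or the pipeline's own code. It assumes a read-scoped access token in GITLAB_TOKEN plus the GITLAB_URL, GITLAB_GROUP_ID and CI_PROJECT_ID environment variables (group variables are included because the tip above recommends defining them there); with no token it audits a constructed sample instead, and it never prints variable values.

```python
import json
import os
import urllib.request

# Variable keys the guide requires (group-level variables are inherited by projects).
REQUIRED_VARS = ("NVD_API_KEY", "NV_X_AUTH_APIKEY")

SAMPLE_VARIABLES = [  # constructed sample shaped like the API response, for offline runs
    {"key": "NVD_API_KEY", "masked": True, "protected": True, "environment_scope": "*"},
    {"key": "NV_X_AUTH_APIKEY", "masked": False, "protected": False, "environment_scope": "*"},
]

def fetch_variables(gitlab_url, token, kind, ident):
    """List variables of one project or group (kind is 'projects' or 'groups').
    The response includes secret values; this script never prints them."""
    req = urllib.request.Request(
        f"{gitlab_url}/api/v4/{kind}/{ident}/variables?per_page=100",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def audit_variables(variables, required=REQUIRED_VARS):
    """Map each required key to 'ok', 'missing' or 'unmasked'; 'unmasked' means
    some definition of the key would appear verbatim in job logs if a job echoed it."""
    report = {}
    for key in required:
        entries = [v for v in variables if v.get("key") == key]
        if not entries:
            report[key] = "missing"
        elif not all(v.get("masked", False) for v in entries):
            report[key] = "unmasked"
        else:
            report[key] = "ok"
    return report

def main():
    token = os.environ.get("GITLAB_TOKEN")  # assumed: a read-scoped access token
    if token:  # assumed env names: GITLAB_URL, GITLAB_GROUP_ID, CI_PROJECT_ID
        url = os.environ["GITLAB_URL"]
        variables = fetch_variables(url, token, "groups", os.environ["GITLAB_GROUP_ID"])
        variables += fetch_variables(url, token, "projects", os.environ["CI_PROJECT_ID"])
    else:
        variables = SAMPLE_VARIABLES  # offline run on the constructed sample
    report = audit_variables(variables)
    print(json.dumps(report, indent=2))  # keys and status only, never values
    return 0 if all(s == "ok" for s in report.values()) else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

A non-zero exit marks any key that is absent or defined without masking, so the script can run as an early pipeline job that fails before the scanners do.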