Add organizational implementation and best practices documentation #552
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| title: Organizational implementaion | ||
| bookCollapseSection: true | ||
| weight: 610 | ||
| summary: "Practical guide to plan, roll out, and operate Kosli across teams." | ||
| --- | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,47 @@ | ||||||
| --- | ||||||
| title: 'Technical best practices' | ||||||
| weight: 140 | ||||||
| summary: "" | ||||||
| --- | ||||||
|
|
||||||
| ## Naming convention | ||||||
|
|
||||||
| * Flows: | ||||||
| * CI part: name your flows like "repo"/"application". | ||||||
| * CD part: name your flow "release-name" | ||||||
| * Trail: | ||||||
| * Default to SHA | ||||||
| * Others could be release version (Git tag), merge number etc. | ||||||
|
Contributor
There was a problem hiding this comment. Could also be covered by Semantic Versioning, e.g: |
||||||
|
|
||||||
| ## Flow grouping | ||||||
|
|
||||||
| Centralized pipelines means that you will get a lot of flows based on the same template. | ||||||
|
|
||||||
| Solution; Add tags to your flows so that all with the same "template" will have the same tag. In that way you do not need to know the name, but can evaluate based on tags. | ||||||
|
Contributor
There was a problem hiding this comment. We could consider if tagging should have it's own section or page, since it spans different resources (envs, flows, etc.). Only page I find on tagging is: Which is more CLI reference than conceptual. Also reported this small bug on the page: |
||||||
|
|
||||||
| ## Governance | ||||||
|
|
||||||
| * Streamline your pipelines | ||||||
|
|
||||||
| ## Automatic creation of elements | ||||||
|
|
||||||
| The creation commands (`kosli create attestation-type`, `environment`, `flow` etc) have a "create or update" behaviour. That means that you can set creation of environments, policies, flows etc. inside your pipeline. If the information is the identical to what is stored in Kosli, no action will be taken. If the information differes, it will update the current object. | ||||||
|
|
||||||
| ## Too many custom attestation types for test formats | ||||||
|
|
||||||
| * Use [Common Test Report Format](https://ctrf.io/). Create one custom attestation type: | ||||||
| `kosli create attestation-type ctrf --jq ".results.summary.failed > 0" --schema schema.json` | ||||||
| * Use that across your test report types to make a uniform JSON structure to query afterwards. | ||||||
|
|
||||||
| ## Environment policies | ||||||
|
|
||||||
| When creating policies, we have found it best to split up policies into their logical units. That way, it is easier to maintain and understand the logical connection between requirements. | ||||||
|
|
||||||
| An example of that would be the Cyber-Dojo environment policy repository on [Github](https://github.com/cyber-dojo/kosli-environment-policies). | ||||||
|
Contributor
There was a problem hiding this comment. Idea for future considerations:
Contributor
There was a problem hiding this comment. This is something I'd like to discuss - we need a way to "promote" custom attestation types we see again and again to be more built in - without needing to do CLI/Server development.
Contributor
There was a problem hiding this comment. @sofusalbertsen have also mentioned Rego/OPA for this. This will perhaps standardize policy definitions, which I see as a good thing. From what I've heard (haven't tried it much myself), Rego has a somewhat steep learning curve. So it still might make sense to provide common policies (in this format), in some kind of store, for customers to consume? |
||||||
|
|
||||||
| In that repository we have four poilicices attached: | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| * artifact-provenance.yml to make sure that all artifacts going in to this environment has provenance. | ||||||
| * compliant-build-process.yml | ||||||
| * pull-request.yml The trail the artifact is attested to needs to be merged through a pull request | ||||||
| * security-scan.yml The trail the artifact is attested to has a security scan attestation associated. | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| --- | ||
| title: "Org structures" | ||
| weight: 2 | ||
| summary: "" | ||
| --- | ||
|
|
||
| # Org structrues | ||
|
|
||
|
|
||
| ### Production | ||
|
|
||
| This is your live environment for customer-facing applications. It's the destination for all final data and workflows, and data here is considered business critical. | ||
|
|
||
| ### Pre-Production (Dry Run) | ||
|
|
||
| This environment is used to test compliance workflows and processes before they impact live systems. For example, it's a safe space for new teams to test attestation workflows during onboarding without cluttering the production environment. Data here is temporary. | ||
|
|
||
| ### Development (CI/CD) | ||
|
|
||
| The Development environment is where the compliance teams test new features and attestation types. | ||
| It's a key part of your CI/CD pipeline, used for automated smoke tests and quality checks to ensure new code works as expected. Data in this environment is temporary. | ||
|
|
||
| ### Sandbox (Personal) | ||
|
|
||
| This is a personal workspace for individual developers to experiment and learn. It's a flexible, low-risk environment for trying out new tools or configurations, separate from shared development resources. Data in this environment is temporary. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/is not allowed in flow names.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in cyber-dojo, Jon has been using a -ci suffix for now