Installation and administration guide
CI/CD and DevOps Approach

CI/CD and DevOps

The Sciamus Order Management system has been prepared for deployment in accordance with the CI/CD paradigm. Helm charts are provided to enable seamless integration of the build and deployment stages into the infrastructure of the target environment. All parameterization is handled via values files for each individual microservice.

Our development process is based on automated procedures that ensure:

  • High code quality
  • Robust dependency management
  • Full license compliance

Each new version undergoes automated code scanning using tools like SonarQube, ensuring adherence to coding standards, security guidelines, and performance benchmarks.

Dependency management is handled via automated tools that monitor and verify third-party libraries, maintaining compatibility, security, and stability. This helps prevent version conflicts and ensures the system remains current with the latest patches and improvements.

License governance ensures all third-party components comply with legal and organizational policies. Automated checks validate that all dependencies align with approved licenses, mitigating legal and compliance risks.


Automation of Trivy Scanning and SonarQube Analysis in Pipelines

Source Code Scanning and Static Analysis

In the first stage of the CI/CD pipeline:

  • Trivy scans the project's pom.xml to identify known vulnerabilities in the declared dependencies.
  • SonarQube performs static code analysis to assess code quality and detect potential security risks.

Logging and Presentation of Results:

  • Trivy scan results are displayed in the console and stored as artifacts for developer review.
  • Trivy output is also sent to a database for visualization via Grafana.
  • SonarQube results are stored per project and branch and also visualized in Grafana.

Image Scanning After Build

After container image build:

  • Trivy performs a full scan of the image to detect vulnerabilities.
  • Results are stored in the database and visualized in Grafana.

This ensures developers have visibility into both code and container image security across the build lifecycle.
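The two Trivy stages above both produce a JSON report that has to be turned into console output, a pass/fail decision and rows for the Grafana-backed database. The following script is an added illustration of that glue step, not part of the Sciamus pipeline; it assumes the report was written with Trivy's --format json option (via trivy fs for the pom.xml stage or trivy image after the build) and uses a constructed, trimmed sample report with placeholder CVE identifiers.

```python
import json
from collections import Counter

# Constructed sample in the shape Trivy emits with --format json, trimmed to the
# fields used here. A real pipeline would read the file written by
# "trivy fs --format json --output report.json ." or "trivy image --format json ...".
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/order-service:1.4.2",   # placeholder image name
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "pom.xml", "Type": "pom", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "com.example:lib-a",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "com.example:lib-b",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
        ]},
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "registry.example/order-service:1.4.2 (debian 12)", "Type": "debian"},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def flatten_report(report_json: str, stage: str) -> list[dict]:
    """One row per finding: the record shape a results table queried by Grafana needs."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key absent when target is clean
            rows.append({
                "artifact": report.get("ArtifactName"),
                "stage": stage,                              # "source" or "image"
                "target": result.get("Target"),
                "vuln_id": vuln["VulnerabilityID"],
                "package": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,   # "" means no fix yet
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return rows


def severity_counts(rows: list[dict]) -> Counter:
    """Per-severity totals for the console summary and the Grafana panel."""
    return Counter(r["severity"] for r in rows)


def gate(rows: list[dict], fail_on: str = "HIGH", fixable_only: bool = True) -> tuple[bool, list[dict]]:
    """Return (passed, blocking findings); fixable_only mirrors Trivy's --ignore-unfixed."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [r for r in rows
                if SEVERITY_RANK.get(r["severity"], 0) >= threshold
                and (r["fixed"] is not None or not fixable_only)]
    return (not blocking, blocking)
```

Running flatten_report, severity_counts and gate on the sample report fails the build on the CRITICAL finding only, since the HIGH one has no fixed version yet; rows is what the pipeline would insert into the database that Grafana reads.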


Good Practices in DevSecOps

To ensure security throughout the delivery pipeline, the following DevSecOps practices are recommended:

  • Source Code Scanning – Regular use of SonarQube for early detection of code issues and vulnerabilities.
  • Dependency Scanning – Automated Trivy scans of configuration files (e.g., pom.xml) to identify insecure or outdated libraries.
  • Container Image Scanning – Post-build Trivy scans to detect vulnerabilities in runtime images.
  • Container Image Signing – Use of cryptographic signatures to validate the integrity and authenticity of container artifacts.
  • Secret Scanning – Detection of sensitive data (e.g., API keys, credentials) in the codebase and commit history. Pre-commit hooks and pipeline enforcement can help mitigate accidental exposures.
  • Use of Distroless Images – Building containers from distroless images to minimize attack surface by eliminating unnecessary packages and tools.