GitOps is an approach to perform cloud operations (in DevOps way) by centralizing the desired state of system into code and enforcing change through automation via version control system (such as Git).
Git acts as a common place where workflows, automation, checks and balances can be applied before entering a production environment, enabling organizations with a crucial foothold to secure by design further than ever before.
By adopting GitOps, it means it is a commitment to interacting only with Git and leaving the integration and deployment jobs to be automated.
By ensuring that everything is code driven and declared, the risk from non-automated agents (a.k.a. humans) can be drastically minimized.
For example, using the automation workflows, you can embed compliance scans to enforce best-practices and regulatory mandates to prevent mis-configurations. With detection of configuration drift, it becomes easier and quicker to isolate vulnerable/compromised resources for investigation.
GitOps can leverage DevSecOps tools, such as IaC scanning, security testing, IAM and secret management. And by bringing a security-as-code and adding compliance requirements and security policies into coded artifacts, organizations can embrace GitSecOps to effectively shift the security left.
Seven steps to a successful GitSecOps approach:
- Applying identity and access controls
- Enforcing change control and peer review workflows
- Observing end-to-end
- Keep secrets safe (vault or eternal key managers)
- Protecting audit logs
- Catching the drift
- Monitoring anomalous behavior
Just like DevSecOps, GitSecOps also requires the adoption of a new mindset and culture to getting things done in a cloud native way.
Sharing common tools, processes and goals — focused on a successful shared outcome rather than an isolated deliverable — ensures that the DevSecOps and GitSecOps goals are aligned to support each other and the organization’s digital transformation vision.
Links: