Pipeline Governance – Measuring Regulatory Compliance

With our new Pipeline Governance feature, you can now measure how compliant your Harness Pipelines are with your regulatory and operations standards. 

By Omed Habib
November 27, 2019


What is Pipeline Governance?

Regulatory and operational compliance is critical in software development. Regulatory standards impact the entire SDLC, including development, testing, deployments, operations, and monitoring. There is no shortage of regulations that are designed to help protect organizational security and consumer privacy, including PCI, HIPAA, and SOX. With our new Pipeline Governance feature, you can now measure how compliant your Harness Pipelines are with your regulatory and operations standards. 

When a deployment pipeline is triggered within Harness, the deployment may wait for a manager to approve it before a production release. During this approval step, the manager needs to know how compliant the pipeline is with their regulatory standards. We solved this by providing the ability to “score” a pipeline before approving a release.

What is a “score”? 

A pipeline score is a measure of how compliant your Pipelines are with your regulatory and operations standards. In the same way that a Pipeline is made up of various workflows and stages, a score is made up of tags indicating compliance. Each tag is given a weight. The weight of the tag impacts the overall percentage score. For example, let’s assume you have two tags with the following weights:

  • Foo – 1
  • Bar – 1

Then Foo and Bar each contribute 50% of the overall 100% score. However, let’s introduce a third tag with a weight of 2:

  • Foo – 1
  • Bar – 1
  • Hop – 2

Each tag’s share of the score is its weight divided by the sum of all weights, so the distribution counts Foo at 25%, Bar at 25%, and Hop at 50%. If Foo is missing in the compliance check, your score is 75% (since Foo accounts for 25% of the score). However, if Hop is missing, your score is 50%.
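The weighting rule above is simple enough to reproduce outside the product, which is useful if you want to audit a score or gate an approval on it in your own tooling. The following is an added example, not code from Harness or from this post: it computes the same percentage breakdown for any set of tag rules, reports which tags are missing, and applies an approval threshold. It assumes that a tag counts as present once it appears on any stage or workflow of the pipeline, and that the standard holds one positive integer weight per tag (one rule per tag, as the post recommends); the function and field names are my own.

```python
"""Weighted compliance score for a pipeline, reproducing the rule described
in the post: each tag's share is its weight divided by the sum of all weights.

This is an added illustration, not Harness code. Names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class ScoreReport:
    score: float            # overall percentage, 0.0 .. 100.0
    contributions: dict     # tag -> percentage of the total that tag carries
    missing: list           # tags required by the standard but absent from the pipeline


def tags_on_pipeline(stages):
    """Collect the tags applied anywhere on the pipeline.

    `stages` maps a stage/workflow name to the tags applied to it.
    ASSUMPTION: a tag satisfies its rule once it appears on at least one stage;
    the post does not say whether every stage must carry it.
    """
    present = set()
    for tags in stages.values():
        present.update(tags)
    return present


def score_pipeline(standard, present):
    """Score a pipeline against a governance standard.

    `standard` maps tag -> weight (each tag its own rule, weight > 0).
    `present` is the set of tags found on the pipeline.
    """
    if not standard:
        raise ValueError("a governance standard needs at least one rule")
    for tag, weight in standard.items():
        if not isinstance(weight, int) or weight <= 0:
            raise ValueError(f"rule {tag!r} must have a positive integer weight")

    total = sum(standard.values())
    # Share of the 100% score carried by each tag: weight / sum of weights.
    contributions = {tag: 100.0 * weight / total for tag, weight in standard.items()}
    missing = [tag for tag in standard if tag not in present]
    score = sum(contributions[tag] for tag in standard if tag in present)
    return ScoreReport(score=score, contributions=contributions, missing=missing)


def meets_threshold(report, minimum):
    """Approval gate (ASSUMPTION: the post shows the score to an approver but
    does not define a threshold; this is one way a manager could use it)."""
    return report.score >= minimum


if __name__ == "__main__":
    # Constructed sample matching the post's Foo/Bar/Hop example.
    standard = {"Foo": 1, "Bar": 1, "Hop": 2}
    # Constructed pipeline: Foo never applied, Bar and Hop applied on some stage.
    pipeline = {"build": ["Bar"], "deploy": ["Bar", "Hop"]}
    report = score_pipeline(standard, tags_on_pipeline(pipeline))
    print(f"score {report.score:.0f}%  contributions {report.contributions}  missing {report.missing}")
    print("approve" if meets_threshold(report, 100) else "hold for review")
```

Run as a script it prints a 75% score with Foo missing; dropping Hop instead gives 50%, exactly as the post describes. Because the weights are validated as positive integers and the shares are computed from their sum, the same function handles the PCI/HIPAA/SOX standard set up later in the post (SOX weighted 2, the others 1) without any change.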

How to score a pipeline

Throughout each stage — and associated workflow — in your pipeline, you have the opportunity to apply tags. Each tag can represent a compliance standard. For example:

  • PCI
  • HIPAA
  • SOX

For a refresher on our tagging feature, check out this article.

Depending on your requirements, you tag your workflows with whatever compliance standard necessary for your given workflow. 

Creating a Governance Standard

Navigate to Continuous Security, then Governance. Click on +Add Governance Standard. Click on Add Rule and then proceed to add your rules. In this example, I’m going to add three tags: PCI, HIPAA, and SOX. 

Be sure to add each tag as its own rule, not all three tags under the same rule. This way, we can weight each tag individually. So, I’ll give SOX a weight of 2 and the rest a weight of 1.

Click on Advanced Settings and then associate your Governance Standard with the application you want to govern. 

Measuring a Governance Standard

Navigating back to your pipeline, you’ll find your governance scores at the bottom of the pipeline configuration screen (Setup > [your application] > Pipeline). You’ll see which tags you’re monitoring for, how much each tag’s weight contributes to the score, and the overall percentage score of your conformance!

You can learn more about this feature by visiting the docs.
