Ensuring CI CD Pipeline Governance

With our new Pipeline Governance feature, you can now measure how compliant your Harness Pipelines are with your regulatory and operations standards.

What is Pipeline Governance?

Regulatory and operational compliance is critical in software development. Regulatory standards impact the entire SDLC, including development, testing, deployments, operations, and monitoring. There is no shortage of regulations that are designed to help protect organizational security and consumer privacy, including PCI, HIPAA, and SOX. With our new Pipeline Governance feature, you can now measure how compliant your Harness Pipelines are with your regulatory and operations standards.When a deployment pipeline is triggered within Harness, the deployment may wait for a manager to approve before a production release. During this approval process, the manager requires an understanding of pipeline compliance with their regulatory standards. We solved this by providing the ability to “score” a pipeline before approving a release.

What is a “score”?

A pipeline score is a measure of how compliant your Pipelines are with your regulatory and operations standards. In the same way that a Pipeline is made up of various workflows and stages, a score is made up of tags indicating compliance. Each tag is given a weight. The weight of the tag impacts the overall percentage score. For example, let’s assume you have two tags with the following weights:

• Foo - 1
• Bar - 1

Then, Foo and Bar are equally distributed at 50% to contribute to the overall 100% score. However, let’s introduce a third tag with a weight of 2:

• Foo - 1
• Bar - 1
• Hop - 2

The distribution counts Foo at 25%, Bar at 25%, and Hop at 50%. So, if Foo is missing in the compliance check, your score is 75% (since Foo accounts for 25% of the score). However is Hop is missing, your score is 50%.

How to score a pipeline

Throughout each stage — and associated workflow — in your pipeline, you have the opportunity to apply tags. Each tag can represent a compliance standard. For example:

• PCI
• HIPAA
• SOX

We go in-depth into our tag management feature here.

Depending on your requirements, you tag your workflows with whatever compliance standard necessary for your given workflow.

Creating a Governance Standard

Navigate to Continuous Security, then Governance. Click on +Add Governance Standard. Click on Add Rule and then proceed to add your rules. In this example, I’m going to add three tags: PCI, HIPAA, and SOX.Be sure to add each tag as it’s own rule and not all three tags under the same rule. This way, we can weigh each tag. So, I’ll give SOX a weight of 2 and the rest a weight of 1.Click on Advanced Settings and then associate your Governance Standard with the application you want to govern.

Measuring a Governance Standard

Navigating back to your pipeline, you’ll find your governance scores at the bottom of the pipeline configuration screen (Setup > [your application] > Pipeline). You’ll see which tags you’re monitoring for, their weight impact on the score, and the overall percentage score of your conformance!

You can learn more about this feature by visiting the docs.

More recent updates

• The latest major release of Elasticsearch is now supported for workflow verification and 24/7 Service Guard. Read more.
• Anomalies detected during workflow verification or by 24/7 Service Guard can now be easily tracked with Jira issues. Read more.
• Harness verification events can now be assigned a priority (P0…P5) or marked as Not a Risk to refine the accuracy of workflow verification and 24/7 Service Guard. Read more. Read more.
• Pipeline stages can now be disabled or executed conditionally, so you can:
• Temporarily turn off pipeline stages to edit or troubleshoot them.
• Conditionally run a workflow based on user input or a variable value determined while running the pipeline. Read more.

Give Us Your Harness Tips & Tricks!

Any customers who have a unique tip or trick on how they use Harness will be given a $25 gift card. (Disclaimer: Limited one per person and must be a unique use-case not marketed in any of our materials. Email marketing@harness.io with your story.