Enable continuous delivery with open source compliance. Break the legal and security compliance jail with microservices and serverless architecture for development and operations.

1. Set the developers free
Break the compliance jail for Open Source with DevOps
OSCON 2017 #OSCON
Bianca Jiang
Software Architect
IBM
https://www.linkedin.com/in/biancajiang/
@biancajiang
Steve Gerdt
Open Source Program Director
IBM

2. • 99% of Global 2000 enterprises included OSS in mission-
critical applications
• At Least 95% of IT Organizations Leverage Nontrivial
Elements of Open-Source Software
• By 2018, 70% of new applications will run on open source
databases
However,
• 50 percent of companies have no formal policy for selecting
and approving open source code.
• 47 percent of companies don’t have formal processes in place
to track open source code
• More than one-third of companies have no process for
identifying, tracking or remediating known open source
vulnerabilities.

3. “The risks associated with license compliance and
intellectual property (IP) protection cannot be
ignored--enterprises must govern their OSS usage.”
- Gartner

4. “The risks associated with license compliance and
intellectual property (IP) protection cannot be
ignored--enterprises must govern their OSS usage.”
- Gartner
Security breaches represent a risk most developers
can't afford to take.
- Mozilla

5. Tiered Governance
• Tiered review levels:
• usage cases
• licenses
• business needs
• risk acceptance
• Can evolve: new risks criteria, new
exemption criteria, etc.
• Education

6. Manual
Many, many tools
Fragmented, inconsistent
Cross team collaboration
Not continuous!

8. DevOps Culture Approach

9. OSS
Can governance be coded?

10. OSS Governance
Services
Can governance be coded?

12. Get truth
from the code

13. Get truth
from the code
Extensibility

14. Get truth
from the code
Extensibility
CI

15. Webhook trigger
Jenkins copies repo:
- source code
- tests code
Jenkins executes:
- builds
- tests
Push / PR merge
Developers

16. Webhook trigger
Jenkins copies repo:
- source code
- tests code
Jenkins installs
compliance tooling
Jenkins executes:
- builds
- tests
Push / PR merge
Developers

17. Webhook trigger
Jenkins copies repo:
- source code
- tests code
Jenkins installs
compliance tooling
Jenkins executes:
- builds
- tests
Jenkins executes
compliance scan
Push / PR merge
Developers
Compliance Scan

18. Webhook trigger
Jenkins copies repo:
- source code
- tests code
Jenkins installs
compliance tooling
Jenkins executes:
- builds
- tests
Jenkins executes
compliance scan
Push / PR merge
Developers
Compliance Scan
Governance Services

19. Webhook trigger
Jenkins copies repo:
- source code
- tests code
Jenkins installs
compliance tooling
Jenkins executes:
- builds
- tests
Jenkins executes
compliance scan
Push / PR merge
Developers
Compliance Scan
Governance Services
Compliance Services

20. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
Developers

21. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
Developers
Docker image pulls
compliance tooling

22. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Scan
Governance Services
Compliance Services

24. Incremental Compliance

26. Review
once,
never
again!

27. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services

28. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services

29. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services
1. Jenkins
retrieves
compliance
result

30. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services
1. Jenkins
retrieves
compliance
result
2. Jenkins
interpret the
result for action
items

31. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services
1. Jenkins
retrieves
compliance
result
2. Jenkins
interpret the
result for action
items
3. Jenkins
create a tracking
item for the
target team

32. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
Compliance Check
Governance Services
Compliance Services
1. Jenkins
retrieves
compliance
result
2. Jenkins
interpret the
result for action
items
3. Jenkins
create a tracking
item for the
target team

33. Webhook trigger
Jenkins copies repo:
- Dockerfile
- source code
- tests code
Jenkins executes:
- create docker
image from
Dockerfile
Docker container is
initiated to execute:
- build
- tests
- compliance scan
Docker image pulls
compliance tooling
Developers
1. Jenkins
retrieves
compliance
result
2. Jenkins
interpret the
result for action
items
3. Jenkins
create a tracking
item for the
target team
Compliance Check
Governance Services
Compliance Services

34. Compliance Check
Governance Services
Compliance Services

35. Compliance Check
Governance Services
Compliance Services

36. Compliance Check
Governance Services
Compliance Services

37. Developers
Release managers
Legal
Compliance Check
Governance Services
Compliance Services

38. Developers
Release managers
Legal
Compliance Check
Governance Services
Compliance Services

39. Developers
Release managers
Legal

40. Developers
Release managers
Legal

41. Developers
Release managers
Legal

48. doc (event) issue (function)
Rule
(map)
Event-driven Architecture

49. Rule (map)
● Database Change
● Cron job
● HTTP request
● Domain events
● Etc.
If This
● Perform logic
● Invoke APIs
● Chain other microservices
● Send notifications
● Etc.
Then That
Trigger (event) Action (function)

50. Doc Change
(event)
OpenWhisk
Github
Issue
(action)
Demo: Event-Driven Architecture
with Serverless/FaaS
https://www.youtube.com/watch?v=405sscVHBgU

51. OpenWhisk

52. Compliance
Services Requires Review (feed)

53. Compliance
Services
Knowledge
Services
Requires Review (feed)
Just Reviewed (feed)

54. Compliance
Services
Knowledge
Services
Requires Review (feed)
Just Reviewed (feed)
Governance
Services
Req Changed (feed)

55. Compliance
Services
Knowledge
Services
Governance
Services
Developers
Release managers
Legal

56. Compliance
Continuous DeliveryGovernance

57. @biancajiang