Week 5 + 6: CI/CD + Security in Action

Resources and Projects - You Must Check Out.

Hey Inner Circle,

Sorry for the slight delay — this was meant to go out yesterday, but I had to push it by a day.

As promised, here’s the combined session for weeks 5 and 6, where we connect the dots between code, infrastructure, and security.

We’ve covered the what (containers, Kubernetes) and the where (cloud infra), but now we’re focused on the how — how to deliver software securely and efficiently.

Quick note before we dive in → Cloud Security vs. DevSecOps:

  • Cloud Security is about protecting cloud platforms, networks, and services at large.

  • DevSecOps is about embedding those same security practices directly inside your software delivery pipelines.

Let’s dive into the topics first, followed by practical resources:

CI/CD Pipelines (called pipelines for a reason)

At its core, CI/CD is an automated assembly line for your code. It takes your source code and automatically builds, tests, and prepares it for release to production (where users can access your app/software).

I used to get confused about whether CD means continuous delivery or continuous deployment, so let’s make it easy:

→ Continuous Integration (CI) → Developers frequently merge changes into a central repository, triggering builds and tests to catch bugs early.

→ Continuous Delivery (CD) → Every change that passes the pipeline is automatically deployed to a staging or test environment (not production yet) and kept in a releasable state; the push to production is a deliberate, manual approval step.

→ Continuous Deployment (CDp) → The manual gate is removed: every build that passes all stages goes straight to production.

The main stages you’ll always see: Source → Build → Test → Deploy.

Learning Roadmap: CI/CD

Phase 1 → CI Fundamentals (The Automation Trigger)

This is about setting up the first half of the pipeline.

→ SCM Integration → connect to GitHub, GitLab.

→ Automated Builds → compile code with libraries/dependencies, build Docker images on each push.

→ Unit & Integration Testing → run tests automatically, fail fast if something breaks.

Resources to Review

Expected Outcome: Configure a simple pipeline that builds and tests a containerized app whenever new code is pushed. Project:

Phase 2 → CD Fundamentals (Getting to Production)

This is the delivery half of the pipeline.

→ Artifact Management → You push the image created in the build stage to Docker Hub or a cloud container registry. Tag it with something traceable (the commit SHA rather than only `latest`) so any image running in production can be tied back to the exact source that built it.

→ Environments → In every org there are several environments the code passes through before production; common names are dev, qa, and staging. A build is promoted from one environment to the next and finally released to the production target(s).

→ Deployment Strategies → how the new version is put in front of users once it reaches production:

 ↳ Rolling Updates → replace gradually

 ↳ Blue-Green → switch between identical environments

 ↳ Canary Releases → test with a subset of users first

There are a few more; you can review them through the YouTube link below!
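To make the rolling update concrete, here is an added example (mine, not code from this newsletter or from Kubernetes) that simulates how a Kubernetes Deployment rolls pods from the old version to the new one under its two knobs, `maxSurge` and `maxUnavailable`. It assumes the Deployment controller's rules: percentages for `maxSurge` round up, percentages for `maxUnavailable` round down, the two cannot both be zero, and new pods become Ready between steps. The step trace shows the property the strategy is chosen for: the number of running pods never drops below `replicas - maxUnavailable`.

```python
"""Simulate a Kubernetes-style rolling update (added example, not from the newsletter).

Assumptions (mine): pods become Ready between steps, maxSurge percentages round up,
maxUnavailable percentages round down, and the two are never both zero.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


def resolve(value, replicas: int, round_up: bool) -> int:
    """Turn a '25%' string or an absolute count into a pod count."""
    if isinstance(value, str) and value.endswith("%"):
        fraction = int(value[:-1]) / 100
        return math.ceil(replicas * fraction) if round_up else math.floor(replicas * fraction)
    return int(value)


@dataclass(frozen=True)
class Step:
    old: int  # pods still running the previous version
    new: int  # pods running the new version

    @property
    def total(self) -> int:
        return self.old + self.new


def rolling_update(replicas: int, max_surge="25%", max_unavailable="25%") -> list[Step]:
    """Return the sequence of (old, new) pod counts the controller walks through."""
    surge = resolve(max_surge, replicas, round_up=True)
    unavailable = resolve(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        raise ValueError("maxSurge and maxUnavailable cannot both be 0")
    min_available = replicas - unavailable  # floor the rollout must never go under
    max_total = replicas + surge            # ceiling on old + new pods at any time

    old, new = replicas, 0
    steps = [Step(old, new)]
    while old > 0 or new < replicas:
        # Scale the new ReplicaSet up as far as the surge budget allows.
        new += min(replicas - new, max_total - (old + new))
        # Once those pods are Ready, scale the old ReplicaSet down while staying above the floor.
        old -= min(old, (old + new) - min_available)
        steps.append(Step(old, new))
    return steps


def never_below_floor(steps: list[Step], replicas: int, max_unavailable) -> bool:
    """Check the availability invariant the strategy is supposed to guarantee."""
    floor = replicas - resolve(max_unavailable, replicas, round_up=False)
    return all(s.total >= floor for s in steps)


if __name__ == "__main__":
    # Example: 10 replicas with the default 25% / 25% settings (constructed input).
    for s in rolling_update(10, "25%", "25%"):
        print(f"old={s.old:2} new={s.new:2} total={s.total:2}")
```

Run with `maxSurge=1, maxUnavailable=0` and you get the zero-downtime variant (one extra pod at a time, capacity never below the requested count); with `maxSurge=0, maxUnavailable=1` you trade capacity for not needing spare room in the cluster.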

Resources to Review

Top 5 Deployment Strategies - when to use each!!

Project to Review:

Dive into GitOps now

What’s the difference between traditional CI/CD vs GitOps approach?

Note: GitOps CI/CD is the modern approach now!

Common steps in both pipelines:

  • Source Code Commit → developer writes and commits code to a Git repository.

  • Unit Tests → automated tests run to validate code functionality and quality.

  • Build Artifacts → code is compiled and packaged into deployable artifacts.

  • Build Image → Docker images are built from artifacts for containerized deployment.

  • Push Image to Registry → built images are pushed to container registries such as Amazon ECR, Azure Container Registry (ACR), or Google's GCR/Artifact Registry.

Key distinction in deployment (also a common interview question):

→ DevOps CI/CD: the CI pipeline pushes directly to the cluster (EKS, AKS, GKE), which means the pipeline itself holds cluster credentials.

→ GitOps CI/CD: Git is the single source of truth. An agent running in the cluster pulls the desired state from Git and reconciles the live state to it, which gives you drift detection and automated reconciliation, and keeps cluster credentials out of CI.
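The "pull and reconcile" idea is easier to see in code. Below is an added example (mine, not code from this newsletter, nor from Argo CD or Flux) of the core loop a GitOps agent runs: take the desired state as committed to Git, observe the live state, compute the difference, and apply the actions that close it. The manifests, the resource names and the `registry.example.com` images are constructed for this example; the live state deliberately contains two kinds of drift, a `kubectl edit` that changed a replica count and a hand-created Deployment that exists nowhere in Git.

```python
"""Toy GitOps reconciliation loop (added example; not code from the newsletter
or from Argo CD / Flux). Desired state comes from Git, live state is observed,
and the difference becomes create/update/delete actions.
All manifests and names below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field

# Desired state, as read from manifests committed to Git (constructed sample).
DESIRED = {
    "Deployment/api": {"image": "registry.example.com/api@sha256:1111", "replicas": 3},
    "Deployment/worker": {"image": "registry.example.com/worker@sha256:2222", "replicas": 2},
    "ConfigMap/api-config": {"data": {"LOG_LEVEL": "info"}},
}

# Live state as observed from the cluster (constructed sample). Someone scaled
# the api by hand and created a debug Deployment that is not tracked in Git.
LIVE = {
    "Deployment/api": {"image": "registry.example.com/api@sha256:1111", "replicas": 5},
    "Deployment/worker": {"image": "registry.example.com/worker@sha256:2222", "replicas": 2},
    "Deployment/debug-shell": {"image": "busybox:latest", "replicas": 1},
}


@dataclass(frozen=True)
class Action:
    verb: str   # "create", "update" or "delete"
    key: str    # "Kind/name"
    diff: dict = field(default_factory=dict)  # field -> (live value, desired value)


def diff_resource(live: dict, desired: dict) -> dict:
    """Field-level differences between a live object and its desired spec."""
    keys = set(live) | set(desired)
    return {k: (live.get(k), desired.get(k)) for k in sorted(keys) if live.get(k) != desired.get(k)}


def plan(desired: dict, live: dict, prune: bool = True) -> list[Action]:
    """Compute the actions that bring the live state to the desired state.

    prune=False mirrors the conservative default of most GitOps tools: resources
    that exist in the cluster but not in Git are reported, not deleted.
    """
    actions: list[Action] = []
    for key in sorted(desired):
        if key not in live:
            actions.append(Action("create", key))
        else:
            drift = diff_resource(live[key], desired[key])
            if drift:
                actions.append(Action("update", key, drift))
    if prune:
        for key in sorted(set(live) - set(desired)):
            actions.append(Action("delete", key))
    return actions


def apply(actions: list[Action], live: dict, desired: dict) -> dict:
    """Apply the plan to a copy of the live state and return the new live state."""
    state = {k: dict(v) for k, v in live.items()}
    for a in actions:
        if a.verb == "delete":
            state.pop(a.key, None)
        else:
            state[a.key] = dict(desired[a.key])
    return state


def reconcile(desired: dict, live: dict, prune: bool = True):
    """One reconciliation pass: returns (actions taken, new live state)."""
    actions = plan(desired, live, prune)
    return actions, apply(actions, live, desired)


if __name__ == "__main__":
    actions, new_live = reconcile(DESIRED, LIVE)
    for a in actions:
        print(f"{a.verb:7} {a.key} {a.diff or ''}")
    # A second pass finds nothing to do: the cluster has converged on Git.
    print("converged:", plan(DESIRED, new_live) == [])
```

Two things worth noticing. The manual scale-up is reverted on the next pass, so the only way to change production that survives is a commit (and therefore a reviewed pull request). And whether the untracked `debug-shell` Deployment gets removed depends entirely on the prune setting; leaving prune off means drift of that kind is detected but lives on until someone acts on it.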

Resources:

Project to try:

Cloud Security & DevSecOps

Writing a pipeline is one thing; securing it is another. The same goes for the cloud it deploys to.

Key Cloud Security Practices:

→ Shared Responsibility Model

→ Data Encryption

→ Identity and Access Management (IAM)

→ Network Security (e.g., Virtual Private Clouds, Security Groups)

→ Configuration Management and Monitoring, among others

Review the Cloud Security basics here.

Key DevSecOps Practices

→ SAST → scan source code for vulnerabilities pre-build

→ SCA → scan dependencies (npm, PyPI, Maven)

→ Container Scanning → scan Docker images (Trivy, Anchore)

→ IaC Scanning → validate Terraform, CloudFormation configs (Checkov)

→ DAST → test the running app in staging for security gaps (it needs a deployed target, so it sits after the deploy-to-staging stage)
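Scanners only help if the pipeline acts on what they find, and "fail on anything" pipelines get disabled within a week. Here is an added example (mine, not code from this newsletter and not Trivy's own tooling) of the policy gate that sits after a container or SCA scan: it reads a Trivy-style JSON report (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity` and `FixedVersion`, which is how I understand Trivy's output) and decides whether the stage should fail. The policy is my choice, not the text's: any CRITICAL blocks, a HIGH blocks only when a fix is available, an unfixed HIGH is reported but does not block, and findings on an accepted-risk allowlist are skipped until their expiry date. The report, the `EXAMPLE-000x` IDs and the package names are constructed sample data, not real findings.

```python
"""Policy gate for container/SCA scan results in CI (added example; not from the
newsletter and not Trivy's own code). Reads a Trivy-style JSON report and decides
whether the pipeline stage should fail.

Policy (my choice): CRITICAL blocks; HIGH blocks only if a fix exists; unfixed HIGH
is a warning; allowlisted findings are skipped until their expiry date.
The report below is constructed sample data with placeholder IDs."""
from __future__ import annotations

import json
import sys
from datetime import date

SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/api:abc123",
    "Results": [{
        "Target": "registry.example.com/api:abc123 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libfoo", "Severity": "CRITICAL",
             "InstalledVersion": "1.0", "FixedVersion": "1.1"},
            {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libbar", "Severity": "HIGH",
             "InstalledVersion": "2.3", "FixedVersion": ""},
            {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libbaz", "Severity": "HIGH",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1"},
            {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libqux", "Severity": "MEDIUM",
             "InstalledVersion": "4.0", "FixedVersion": "4.1"},
        ],
    }],
})

# Accepted-risk list: finding ID -> expiry date. Expired entries stop suppressing,
# so a risk acceptance has to be consciously renewed rather than forgotten.
ALLOWLIST = {"EXAMPLE-0003": date(2099, 1, 1), "EXAMPLE-0001": date(2000, 1, 1)}

# Fixed "today" so the example is reproducible (constructed).
SCAN_DATE = date(2024, 6, 1)


def findings(report_json: str) -> list[dict]:
    """Flatten Results[].Vulnerabilities[] into one list of normalised findings."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key may be missing or null
            out.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed": bool(v.get("FixedVersion")),  # empty string means no fix yet
                "target": result.get("Target", ""),
            })
    return out


def evaluate(report_json: str, allowlist: dict | None = None, today: date | None = None):
    """Return (passed, blocking, warnings, suppressed) for the report."""
    allowlist = allowlist or {}
    today = today or date.today()
    blocking, warnings, suppressed = [], [], []
    for f in findings(report_json):
        expiry = allowlist.get(f["id"])
        if expiry is not None and today <= expiry:
            suppressed.append(f)
            continue
        if f["severity"] == "CRITICAL":
            blocking.append(f)
        elif f["severity"] == "HIGH":
            (blocking if f["fixed"] else warnings).append(f)
    return not blocking, blocking, warnings, suppressed


if __name__ == "__main__":
    passed, blocking, warnings, suppressed = evaluate(SAMPLE_REPORT, ALLOWLIST, today=SCAN_DATE)
    for label, group in (("BLOCK", blocking), ("WARN", warnings), ("SKIP", suppressed)):
        for f in group:
            print(f"{label:5} {f['id']} {f['pkg']} {f['severity']} fixed={f['fixed']}")
    sys.exit(0 if passed else 1)  # non-zero exit is what fails the CI stage
```

With the sample data the gate fails the build: the CRITICAL finding's risk acceptance expired in 2000 and no longer suppresses it, the fixable HIGH is suppressed until 2099, and the unfixed HIGH is surfaced as a warning so it shows up in the logs without blocking a release that nobody can fix yet.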

Resources to Review:

Common Practice Grounds (Labs)

What’s Next?

With pipelines and security in place, the next logical step is Observability → how do you know what your app and infra are doing in production?

We’ll dive into the three pillars: Metrics, Logs, and Traces.

See you next week,

— Vishakha