
DevOps Checklist

Greg Swindle edited this page Aug 31, 2019 · 4 revisions

Once a repository has all the documentation needed to promote voluntary, asynchronous contributions, it's time to standardize and automate how you test, build, release, and deploy your software.

Tasks

  1. Test
    1. Code standards compliance (linting)
    2. Dependency drift
    3. Static Application Security Testing (SAST)
    4. Unit testing
    5. Legal compliance
  2. Build
    1. Compilation
    2. Tree-shaking (elimination of unused code)
    3. Minification
    4. Bundling
  3. Review
    1. Feature verification
    2. Fix verification
    3. Dynamic Application Security Testing (DAST)
  4. Stage
  5. Deploy
    1. A/B Testing
    2. Feature toggling
  6. Release
    1. Versioning
    2. Documentation
  7. Cleanup

Test

...

Code standards compliance (linting)

...

Dependency drift

...

Static Application Security Testing (SAST)

Analyze your source code for vulnerable patterns (insecure API usage, injection sinks, hard-coded credentials) using Static Application Security Testing (SAST). Pick the scanner that matches your language or framework from the table below; the language-agnostic entries (Gitleaks, TruffleHog) look for committed secrets rather than code defects and should run alongside the language-specific tool.

| Language (package managers) / framework | Scan tool |
| --- | --- |
| .NET | Security Code Scan |
| Any | Gitleaks and TruffleHog |
| Apex (Salesforce) | pmd |
| C/C++ | Flawfinder |
| Elixir (Phoenix) | Sobelow |
| Go | Gosec |
| Groovy (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin |
| Java (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin |
| JavaScript | ESLint security plugin |
| Node.js | NodeJsScan |
| PHP | phpcs-security-audit |
| Python (pip) | bandit |
| Ruby on Rails | brakeman |
| Scala (Ant, Gradle, Maven and SBT) | SpotBugs with the find-sec-bugs plugin |
| TypeScript | TSLint config security |

NOTE: The Java analyzers can also be used for variants like the Gradle wrapper, Grails and the Maven wrapper.
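Running a scanner is only half of the task; the pipeline also has to decide whether its findings block the build. The script below is an added example written for this page, not code from the original checklist or from any of the tools in the table. It assumes a JSON report shaped like bandit's output (a `results` list whose entries carry `test_id`, `issue_severity`, `issue_confidence`, `filename`, `line_number` and `issue_text`); the sample report, the severity thresholds and the baseline key format are constructed for illustration, and other scanners from the table would need their own loader.

```python
"""SAST quality gate for a CI pipeline (added example, not part of the original page).

Assumes a bandit-style JSON report. Findings at or above the severity and
confidence thresholds fail the build unless they are in a baseline of
previously triaged findings.
"""
import json
import sys
from dataclasses import dataclass

# Ordered levels so that thresholds can be compared numerically.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Finding:
    test_id: str
    severity: str
    confidence: str
    filename: str
    line: int
    text: str

    @property
    def key(self) -> str:
        # Stable identity for baselining; a moved or new occurrence gets a new key.
        return f"{self.test_id}:{self.filename}:{self.line}"


def load_findings(report_json: str) -> list[Finding]:
    """Parse a bandit-style JSON report (assumed format) into Finding objects."""
    report = json.loads(report_json)
    return [
        Finding(
            test_id=r["test_id"],
            severity=r["issue_severity"].upper(),
            confidence=r["issue_confidence"].upper(),
            filename=r["filename"],
            line=int(r["line_number"]),
            text=r["issue_text"],
        )
        for r in report.get("results", [])
    ]


def gate(findings, min_severity="MEDIUM", min_confidence="MEDIUM", baseline=frozenset()):
    """Return the findings that should fail the build.

    A finding blocks when it meets both thresholds and its key is not in the
    baseline of accepted, already-tracked findings.
    """
    blocking = []
    for f in findings:
        if LEVELS[f.severity] < LEVELS[min_severity]:
            continue
        if LEVELS[f.confidence] < LEVELS[min_confidence]:
            continue
        if f.key in baseline:
            continue
        blocking.append(f)
    return blocking


# Constructed sample report (not real scanner output) with three findings.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/deploy.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "app/config.py", "line_number": 7,
         "issue_text": "Possible hardcoded password"},
        {"test_id": "B301", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "filename": "app/cache.py", "line_number": 19,
         "issue_text": "Pickle deserialization of untrusted data"},
    ],
    "errors": [],
})


def main(report_json: str = SAMPLE_REPORT) -> int:
    """Print blocking findings and return the process exit code (1 = fail build)."""
    findings = load_findings(report_json)
    # Constructed baseline: one finding already triaged and tracked elsewhere.
    baseline = frozenset({"B301:app/cache.py:19"})
    blocking = gate(findings, baseline=baseline)
    for f in blocking:
        print(f"{f.severity}/{f.confidence} {f.test_id} {f.filename}:{f.line} {f.text}")
    print(f"{len(blocking)} blocking finding(s) out of {len(findings)}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the report would be read from the scanner's output file instead of `SAMPLE_REPORT`, and the baseline would live in the repository so that accepting a finding is itself a reviewed change. Keying the baseline on test id, file and line means that the same pattern appearing elsewhere still fails the gate rather than being silently waved through.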

Unit testing

...

Legal compliance

...

Build

...

Compilation

...

Tree-shaking (elimination of unused code)

...

Minification

...

Bundling

...

Review

...

Feature verification

...

Fix verification

...

Dynamic Application Security Testing (DAST)

...

Stage

...

Deploy

...

A/B Testing

...

Feature toggling

...

Release

...

Versioning

...

Documentation

...

Cleanup

...
