- Use WhiteSource Bolt to ensure that the application being built as part of the pipeline is scanned for known security vulnerabilities in the open source libraries it uses. https://samlearnsazure.blog/2019/11/08/managing-open-source-software-with-whitesource-bolt/
- Use SonarCloud Analysis for continuous inspection of application source code to locate common code patterns that are known to be problematic. https://samlearnsazure.blog/2019/06/07/code-analysis-with-sonarcloud/
- The User Flows feature helps you see how users navigate between the pages and features on the site, and then what actions the users perform. https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-flows
- Use the Impact feature to see whether application performance is having an impact on the users of the application. https://docs.microsoft.com/en-us/azure/azure-monitor/app/usage-impact
- In Azure Security Center, go to the Compute and apps section. Here you get recommendations on how to secure your web applications and functions.
- Azure Boards can be used as a replacement for the tool JIRA. https://azuredevopslabs.com/labs/azuredevops/agile/
- Azure Build Pipelines can be used as a replacement for the tool Jenkins. https://www.azuredevopslabs.com/labs/vstsextend/azuredevopsprojectdotnet/
- Octopus is mainly used for Continuous Delivery and Deployment. In Azure DevOps you can make use of Release Pipelines instead. https://azuredevopslabs.com/labs/vstsextend/octopus/
- Steps to carry out code quality validation with SonarCloud are:
- - Prepare Analysis Configuration – first, prepare the analysis configuration for SonarCloud.
- - Visual Studio Build – next, build your .NET project.
- - Visual Studio Test – next, run the unit tests.
- - Run Code Analysis – then run the code analysis using the SonarCloud tools.
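The four steps above as an Azure Pipelines YAML fragment. This is an added example, not part of the original notes; the service connection name, organization, project key and project name are placeholders to replace with your own values.

```yaml
# Added example: SonarCloud code quality validation in Azure Pipelines.
# 'MySonarCloudConnection', 'my-org', 'my-project-key' and 'My Project'
# are placeholders, not values from the notes.
trigger:
  - main

pool:
  vmImage: 'windows-latest'

steps:
  # 1. Prepare Analysis Configuration: must run before the build so the
  #    scanner can hook into MSBuild.
  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'MySonarCloudConnection'   # SonarCloud service connection (placeholder)
      organization: 'my-org'                 # placeholder
      scannerMode: 'MSBuild'
      projectKey: 'my-project-key'           # placeholder
      projectName: 'My Project'              # placeholder

  # 2. Visual Studio Build
  - task: VSBuild@1
    inputs:
      solution: '**/*.sln'
      platform: 'Any CPU'
      configuration: 'Release'

  # 3. Visual Studio Test, with code coverage so SonarCloud can report
  #    coverage next to its static analysis findings.
  - task: VSTest@2
    inputs:
      platform: 'Any CPU'
      configuration: 'Release'
      codeCoverageEnabled: true

  # 4. Run Code Analysis, then publish the Quality Gate result to the
  #    build summary.
  - task: SonarCloudAnalyze@1

  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```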
- Git in Azure Repos supports the use of YAML files for Azure Pipelines.
- GitHub Enterprise allows you to host a Git repository in your on-premises environment to keep it private.
- Subversion is a centralized source code versioning system.
- Selenium is a web testing tool that can be used to automate User Interface testing for a web application.
- Use Conditional Access in Azure AD so that only devices connected to the on-premises network can access the Azure DevOps environment.
- Project Vs Process
- Microsoft Teams allows you to create multiple channels for communication and can easily be integrated with Azure DevOps.
- With a squash merge, the changes are merged as a single commit, consolidating the entire commit history of the branch into it.
- Lead time measures the time taken from the creation of work items to their completion.
- Cycle time measures the time it takes for your team to complete work items once they begin actively working on them.
- The Burndown chart helps to focus on the remaining work within a specified time period.
- Cobertura can be used to provide code coverage for your Java-based applications.
- The IT Service Management Connector is used to connect to the ServiceNow system.
- In the Gitflow strategy:
- - The master branch is used for the production code.
- - The develop branch is used for the pre-production code.
- Smart Detection automatically warns you of potential performance problems and failure anomalies in your web application. It performs proactive analysis of the telemetry that your app sends to Application Insights.
- To notify other applications of events that occur in Azure DevOps, use service hook subscriptions, for example a Teams notification.
- Packages you host in Azure Artifacts are stored in a feed. Setting permissions on the feed allows you to share your packages with as many or as few people as your scenario requires. Feeds have four levels of access: Owners, Contributors, Collaborators, and Readers.
- To authenticate Git without using your user credentials, use personal access tokens (PATs) in Azure DevOps.
- Authentication types
- Service connections available in Azure DevOps are:
- - Azure Classic
- - Azure Resource Manager
- - Azure Service Bus
- - Bitbucket Cloud
- - Chef
- - Docker Host
- - Docker Registry
- - External Git
- - Generic
- - GitHub
- - GitHub Enterprise Server
- - Jenkins
- - Kubernetes
- - Maven
- - npm
- - NuGet
- - Python package download
- - Python package upload
- - Service Fabric
- - SSH
- - Subversion
- - Team Foundation Server/Azure Pipelines
- - Visual Studio App Center
- Azure Pipeline commands
- Black Duck is a plugin that allows automatic identification of open source security vulnerabilities, license compliance issues, and operational risks when a build process is triggered. Using this integration we can enforce policies to receive alerts and fail builds when violations occur, which can be leveraged in our case. Black Duck is powered by the world's largest open-source knowledge base, containing information from over 13,000 unique sources and supporting over 80 programming languages. (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/black-duck-software.blackduck_hub_431)
- Security Tool vs Development stage
- PMD is a source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. There is an Apache Maven PMD Plugin which allows you to automatically run the PMD code analysis tool on your project's source code and generate a site report with its results. (https://pmd.github.io/)
- Steps to use Azure Automation State Configuration to manage the ongoing consistency of virtual machine configurations:
- - Onboard a VM to be managed by Azure Automation DSC
- - Upload a configuration to Azure Automation
- - Compile a configuration into a node configuration
- - Assign a node configuration to a managed node
- - Check the compliance status of a managed node
- For containerized applications that serve traffic, you might want to verify that your container is ready to handle incoming requests. Azure Container Instances supports readiness probes, which let you configure conditions under which your container is not sent traffic. The readiness probe behaves like a Kubernetes readiness probe. For example, a container app might need to load a large data set during startup, and you don't want it to receive requests during this time. The probe is configured in YAML. (https://docs.microsoft.com/en-us/azure/container-instances/container-instances-readiness-probe)
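An Azure Container Instances container-group definition with an HTTP readiness probe covering the slow-startup case above. This is an added example, not from the original notes or the Microsoft docs; the group name and location are placeholders, and the public aci-helloworld sample image is assumed so the probe has a real endpoint to check.

```yaml
# Added example: ACI container group with a readiness probe.
# 'readiness-demo' and 'eastus' are placeholders. Deploy with:
#   az container create --resource-group <rg> --file readiness.yaml
apiVersion: 2019-12-01
location: eastus                      # placeholder
name: readiness-demo                  # placeholder
properties:
  containers:
  - name: web
    properties:
      image: mcr.microsoft.com/azuredocs/aci-helloworld   # sample image, listens on port 80
      ports:
      - port: 80
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      # Traffic is not routed to the container until GET / on port 80
      # succeeds; the initial delay covers a slow startup such as
      # loading a large data set.
      readinessProbe:
        httpGet:
          path: /
          port: 80
          scheme: http
        initialDelaySeconds: 30    # wait before the first check
        periodSeconds: 5           # re-check every 5 seconds
        timeoutSeconds: 2          # each check must answer within 2 seconds
        failureThreshold: 3        # 3 consecutive failures -> not ready
        successThreshold: 1        # 1 success -> ready
  ipAddress:
    type: Public
    ports:
    - port: 80
      protocol: TCP
  osType: Linux
  restartPolicy: Always
type: Microsoft.ContainerInstance/containerGroups
```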
- Key questions to ask in a Retrospective:
- - Who should have performed better?
- - What could have gone better?
- - What went well?
- Tools to use:
- - Flowchart – Mermaid – https://mermaid-js.github.io/mermaid-live-editor
- - Docs – Markdown – https://stackedit.io/app#
- After setting up Application Insights for your project, and if your app generates a certain minimum amount of data, Smart Detection of failure anomalies takes 24 hours to learn the normal behavior of your app before it is switched on and can send alerts. (https://docs.microsoft.com/en-us/azure/azure-monitor/app/proactive-failure-diagnostics)
- Pull request merge types (https://devblogs.microsoft.com/devops/pull-requests-with-rebase/)
- Cherry-pick release workflow (https://devblogs.microsoft.com/devops/improving-azure-devops-cherry-picking/)
- Integrate Prometheus and Azure Monitor (https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-prometheus-integration)
- To prevent the configuration of the project from changing over time, implement Continuous Assurance for the project. (https://azsk.azurewebsites.net/04-Continous-Assurance/Readme.html)