What is CI/CD?

CI/CD is the combined practice of continuous integration (CI) and continuous delivery or continuous deployment (CD). The goal of CI/CD is to let development teams ship code changes more frequently and more reliably.

What is the difference between continuous integration, continuous delivery and continuous deployment?

The CI in CI/CD stands for continuous integration. Continuous integration means developers merge their code changes into a shared repository frequently. It is an automated process that lets multiple developers contribute software components to the same project without integration conflicts. CI involves automated testing whenever a software change is integrated into the repository.

CD can stand for either continuous delivery or continuous deployment. Both involve continuously integrating code and making it deployable to a QA or production environment. Continuous deployment takes the process one step further and performs the actual deployment into that environment.

Why is CI/CD important?

When a large portion of a codebase changes at once, the quality of the application is put at greater risk. The larger the change, the more likely something breaks, and the harder it is to troubleshoot. Agile organizations integrate their code frequently and run automated tests to lower the cost of introducing changes, identifying root causes, and fixing bugs.

Automation is the key to continuous integration. No one can manually sustain the pace that successful continuous integration requires. Developers need to integrate frequently and get feedback as quickly as possible.

Continuous delivery and continuous deployment have similar goals, as both use automation to reduce the time, effort and risk involved in shipping a release. Continuous delivery is quick and efficient. Every build is automatically tested in each environment, and if it passes, the code can be manually deployed with a single click. The preparation is automated, but the push to production is typically initiated by the operations team.

With continuous deployment, in which the release to production is fully automated, you relinquish some control. At the same time, you gain additional advantages. You can develop at an even faster pace than the already very fast continuous delivery, since you don't need to pause development for releases, and your customers will appreciate the steady stream of improvements.

What are Some Major Challenges with CI/CD?

The benefits of CI/CD are many, but implementing the process can bring challenges. First, while continuous integration and continuous delivery/deployment are related, they are distinct parts of the CI/CD pipeline. When organizations don't understand the difference, they can end up implementing CI alone and calling it CI/CD. For proper CI/CD, your continuous code integration (likely done with a CI-specific tool) needs to feed into an automated process for testing and deployment.

CI/CD involves many players. As with all DevOps methods, it requires strong collaboration between development, QA, and operations teams (another challenge in many organizations). Teams often struggle with the seemingly contradictory goals pursued by development, QA and operations. Developers want to release new code quickly and have creative freedom. QA wants to test the code to minimize releases with any bugs. Operations wants code to be released and run in a safe, accurate and controlled manner.

Luckily, a good CI/CD setup facilitates this type of cooperation. Developers stay productive and efficient because they don't need to spend much time debugging, and operations staff can be confident that the code is well prepared for release. The handoff from one team to another is automated and less painful. For best results, it is important to make sure everyone is clear about who owns which part of the pipeline and the process as a whole.

Another challenge is understanding how to implement a new CI/CD process. Automation is essential, because frequent, repetitive processes can slow the CI/CD pipeline down and are highly error-prone when done by hand. It is recommended to start by automating for a small team, so you can show leadership a success that justifies a broader automation effort.

Security is a challenge for every organization these days, and in DevOps processes security measures are often an afterthought when they should be integrated as early as possible in the software development lifecycle (SDLC). That way, security risks can be discovered early, when they are cheapest to fix.

Why Should You Adopt a CI/CD Model?

CI/CD facilitates a faster time to market. Automation streamlines parts of the process, while quicker error detection leads to less time putting out fires. User satisfaction also improves when you deliver more regular updates and a positive user experience.

Incremental changes and CI's automated integration improve code quality in every update. Reducing the instances of bad code being pushed into production has countless positive business impacts.

When speed and accuracy increase, costs drop. Your CI server can run hundreds of tests in seconds, greatly reducing the cost of testing. You undoubtedly have competitors using CI/CD, and if you're sticking with traditional models, you'll be left behind.

How to Get Started with CI/CD at Your Organization

Transitioning to CI/CD is best done in phases. This lets developers learn and adapt to the process changes, and ensures the new process is thoroughly tested before it is introduced into production systems.

To set yourself up for success with CI/CD, start with these steps:

  1. Move software off developers' machines, resolving any differences along the way, into a version control (VC) process such as Git or SVN.
  2. Build local developer instances with Vagrant or a similar tool so that some testing can be done locally.
  3. Document the process for pushing code into VC and handling merge conflicts. Ensure your staff is properly trained.
  4. Migrate code from the VC process to your production box as needed.

Now that you have a solid foundation on which to start a full CI/CD migration, you can move to the next phase:

  1. Add a staging server for devs to push to. This allows future QA tests before production.
  2. Choose a CI/CD tool such as Jenkins to automate the push from staging to production. You may choose to introduce basic linting at this time.
  3. Begin building in security with a Dynamic Application Security Testing (DAST) solution, automated QA tests, and any additional compilation steps (such as minifying JavaScript and CSS, concatenating files, checking software sources for CVEs, etc.)
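As an added illustration of this second phase (example code written for this page, not taken from the original article or from Rapid7), here is a Jenkins declarative pipeline that runs linting, automated tests and a build, deploys to staging, runs a DAST scan against the staging instance, and then gates the production push behind a manual approval. The npm scripts, the `deploy.sh` and `run-dast-scan.sh` wrapper scripts, the staging URL and the `main` branch name are assumptions to be replaced with your own tooling.

```groovy
// Jenkinsfile (declarative pipeline). Assumes a multibranch Pipeline job,
// a project with "npm run lint", "npm test" and "npm run build" scripts,
// a placeholder deploy.sh that takes an environment name, and a placeholder
// run-dast-scan.sh that exits non-zero when the scan finds blocking issues.
pipeline {
    agent any
    stages {
        stage('Lint') {
            steps { sh 'npm ci && npm run lint' }
        }
        stage('Unit tests') {
            steps { sh 'npm test' }
            // Publish JUnit-style results so failures are visible per test.
            post { always { junit 'reports/junit/*.xml' } }
        }
        stage('Build') {
            // Additional compilation steps: minify JS/CSS, concatenate files.
            steps { sh 'npm run build' }
        }
        stage('Deploy to staging') {
            steps { sh './deploy.sh staging' }
        }
        stage('DAST scan') {
            // Dynamic scan of the running staging instance; a failing scan
            // stops the pipeline here, so nothing reaches production.
            steps { sh './run-dast-scan.sh https://staging.example.internal' }
        }
        stage('Promote to production') {
            when { branch 'main' }
            steps {
                // Continuous delivery: the production push is a manual,
                // one-click decision. Remove the input step to switch to
                // continuous deployment (fully automated release).
                input message: 'Deploy this build to production?', ok: 'Deploy'
                sh './deploy.sh production'
            }
        }
    }
    post {
        failure { echo 'Pipeline failed; production was not touched.' }
    }
}
```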

You now have a functional CI/CD process. Most of the security automation will be executed by software, but it is critical that your developers are properly trained on both the software and the process.
