CI/CD is Key: Insights from the 2021 ATARC Federal DevSecOps Survey (Part 1)

The Advanced Technology Academic Research Center (ATARC), in partnership with the U.S. Air Force, conducted a large scale survey on the current status, challenges, successes, and vision for the future in the Federal DevSecOps landscape. In this series of blog posts we’ll be reviewing the results from the 2021 ATARC Federal DevSecOps Survey and highlighting key takeaways from the responses of the nearly 300 technical professionals in the public sector that participated.


By: Traci Robinson-Williams, Technology Business Strategist | Digital & Cultural Transformation Evangelist, GitLab

We’ll begin by focusing on the importance of maintaining a continuous integration/continuous delivery (CI/CD) pipeline and the challenges inherent in source code management (SCM).

Increasing Velocity & Avoiding Merge Hell

57% of survey respondents indicated that automating their CI/CD pipelines was the primary reason they have been able to increase the velocity of their code delivery. This isn’t surprising. Providing an automated CI/CD pipeline allows developers to focus on what they do best: developing code and sending it back to the relevant branch via a merge request (MR). In this model the work inherent in developing and testing a build are taken care of automatically by CI/CD tooling available from a vendor like GitLab.

As the name suggests, CI tooling runs automated compatibility and security tests, ensuring that MRs are checked for compatibility, so nothing is broken, and safety, so no vulnerabilities are added to the master branch, in a continuous fashion. The former helps avoid merge conflicts from devolving into so-called “merge hell.” The latter helps protect the integrity of the applications business users depend on, a particularly important facet in the public sector.

Absent CI tooling, development teams cannot operate in a truly agile fashion, instead being forced to wait for all MRs to be submitted and only then checked for security and compatibility. This necessarily lengthens the software development lifecycle (SDLC) by not allowing teams to catch compatibility conflicts earlier, when they could more easily be fixed. Continuous delivery tooling likewise saves development time and speeds up the SDLC by creating automated builds that can be pushed to production at the click of a button.

Taken together, automating the CI/CD pipeline increases the velocity of development and enables developers to focus on writing code, rather than managing their toolchain. Developers can see their code in production more quickly and can focus on solving business problems.

As a “bonus,” developers who work on projects where errors are caught early in the development process automatically and who don’t have to worry about time-consuming manual tasks are happier and are easier to attract and retain. According to a recent IDC developer study, “using automation and more streamlined processes allows developers to focus more of their time writing code. This improves overall developer productivity and morale.” (Source: IDC FutureScape: Worldwide Developer and DevOps 2020 Predictions)

Establishing a Single Source of Truth

Inherent to a high-performing CI/CD pipeline is the SCM that comes with it. This was clearly top of mind for the 57% of survey responses who indicated that “instituting good source code management is critical to increasing speed to delivery.” Indeed, while empowering developers to work independently is a good thing, forking different branches off of the master branch carries risks. Besides the aforementioned issue of merge conflicts there is the simple headache of managing an ever growing number of software versions.

A good SCM tool like GitLab further accelerates an organization’s SDLC by helping to manage this complexity. Branches can easily be reverted to previous versions if issues are uncovered and working code can be reused in other contexts. SCM tools also typically offer a full version history so stakeholders can easily view and comment on previous changes. Workflows can be configured so that MRs can be reviewed as needed and the correct persona is notified when code is ready to be pushed to production. This is critical as survey respondents in the public sector indicated that deploying to production (along with testing and security) was where their development teams encountered the most delays.

Look forward to further editions to this series as we delve deeper into the DevSecOps methodologies of federal agencies. In the meantime, if you’re a developer working at a federal agency, we’d love to hear from you! Let us know if you’ve faced the pain of merge hell or version control!