What Is CI/CD and How Does It Work?

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

Manage Software Risk | Manage software risk at the speed your business demands.

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

API Security Testing | Manage software risks with a holistic API security testing program.
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source Security & License Management | Effective solutions for ensuring open source security and license compliance
Malicious Code Detection | What hidden threats are lurking under the surface of your code?
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

AppSec Program Strategy News | Get insights from Synopsys cybersecurity experts on building a security program.
DAST News | Expert insight on dynamic analysis (DAST).
IAST News | Expert insight on interactive analysis (IAST).
SAST News | Expert insight on static analysis (SAST).
Open Source and Software Supply Chain News | Discover open source and software supply chain risk management tips and best practices.
Fuzz Testing News | Learn more about fuzz testing, including instrumentation techniques and best practices.
Security and Developer Training News | Articles on security and developer training to help strengthen your team’s knowledge around security
Software Composition Analysis News | Expert insight on software composition analysis (SCA).
Security Risk News | Read the latest information on how to manage application security risks.
Security Research News | Get an analysis of today’s application security news and research.

Case Studies | Application security customer stories
eBooks | Browse the latest ebooks on software security trends and best practices
Glossary | Glossary of Application Security, EDA & Semiconductor IP terms
Reports | Browse the latest application security reports from Synopsys and industry-leading analysts.
Webinars | Browse the latest webinars on application security solutions, trends, and strategies.
White Papers | Access the latest white papers for technical knowledge on application security solutions.

Overview | Learn more about the Synopsys Cybersecurity Research Center.
Research | Access the latest first-party research and analysis from the Synopsys Cybersecurity Research Center.

Press Releases | Browse our most recent news releases.

Table of Contents

Why is CI/CD important?
What is the difference between CI and CD?
How does CI/CD relate to DevOps?
What AppSec tools are required for CI/CD pipelines?
What tools and services can help with your DevSecOps?
What are the benefits of CI/CD?

Definition

CI and CD stand for continuous integration and continuous delivery/continuous deployment. In very simple terms, CI is a modern software development practice in which incremental code changes are made frequently and reliably. Automated build-and-test steps triggered by CI ensure that code changes being merged into the repository are reliable. The code is then delivered quickly and seamlessly as a part of the CD process. In the software world, the CI/CD pipeline refers to the automation that enables incremental code changes from developers’ desktops to be delivered quickly and reliably to production.

Why is CI/CD important?

CI/CD allows organizations to ship software quickly and efficiently. CI/CD facilitates an effective process for getting products to market faster than ever before, continuously delivering code into production, and ensuring an ongoing flow of new features and bug fixes via the most efficient delivery method.

Get the State of DevSecOps

Learn about the tools and strategies used to build secure software

Read the report

What is the difference between CI and CD?

Continuous integration (CI) is practice that involves developers making small changes and checks to their code. Due to the scale of requirements and the number of steps involved, this process is automated to ensure that teams can build, test, and package their applications in a reliable and repeatable way. CI helps streamline code changes, thereby increasing time for developers to make changes and contribute to improved software.

Continuous delivery (CD) is the automated delivery of completed code to environments like testing and development. CD provides an automated and consistent way for code to be delivered to these environments.

Continuous deployment is the next step of continuous delivery. Every change that passes the automated tests is automatically placed in production, resulting in many production deployments.

Continuous deployment should be the goal of most companies that are not constrained by regulatory or other requirements.

In short, CI is a set of practices performed as developers are writing code, and CD is a set of practices performed after the code is completed.

How does CI/CD relate to DevOps?

DevOps is a set of practices and tools designed to increase an organization’s ability to deliver applications and services faster than traditional software development processes. The increased speed of DevOps helps an organization serve its customers more successfully and be more competitive in the market. In a DevOps environment, successful organizations “bake security in” to all phases of the development life cycle, a practice called DevSecOps.

The key practice of DevSecOps is integrating security into all DevOps workflows. By conducting security activities early and consistently throughout the software development life cycle (SDLC), organizations can ensure that they catch vulnerabilities as early as possible, and are better able to make informed decisions about risk and mitigation. In more traditional security practices, security is not addressed until the production stage, which is no longer compatible with the faster and more agile DevOps approach. Today, security tools must fit seamlessly into the developer workflow and the CI/CD pipeline in order to keep pace with DevOps and not slow development velocity.

The CI/CD pipeline is part of the broader DevOps/DevSecOps framework. In order to successfully implement and run a CI/CD pipeline, organizations need tools to prevent points of friction that slow down integration and delivery. Teams require an integrated toolchain of technologies to facilitate collaborative and unimpeded development efforts.

What AppSec tools are required for CI/CD pipelines?

One of the largest challenges faced by development teams using a CI/CD pipeline is adequately addressing security. It is critical that teams build in security without slowing down their integration and delivery cycles. Moving security testing to earlier in the life cycle is one of the most important steps to achieving this goal. This is especially true for DevSecOps organizations that rely on automated security testing to keep up with the speed of delivery.

Implementing the right tools at the right time reduces overall DevSecOps friction, increases release velocity, and improves quality and efficiency.

The Synopsys’ portfolio of tools and services can help with your DevSecOps Effort

Synopsys CI/CD MAP services provide consultation support to help you develop a maturity action plan (MAP) according to the state of your organization’s DevSecOps readiness.

Synopsys’ comprehensive set of application security testing (AST) tools help you test for and remediate security vulnerabilities in your CI/CD pipeline.

Coverity® SAST: Coverity integrates seamlessly into the developer workflow and overall CI/CD pipeline. The Code Sight™ IDE plugin enables Coverity to find critical vulnerabilities and quality defects on the developer’s desktop while code is being written. By integrating Coverity into your CI/CD pipeline and leveraging Coverity’s contextual remediation advice, developers can find and fix vulnerabilities early in the SDLC.
Black Duck® SCA: Black Duck’s automated policy management allows you to easily integrate and automate open source governance into your DevSecOps pipeline. Developers can identify high-risk components, or easily find components that violate policy while coding. Automated scanning enables automated alerts or build-halts, based on policy violations, all while using CI tools like Jenkins. Security and operations teams can inspect apps and containers before they are deployed.
WhiteHat Dynamic™: Continuous and on-demand scanning to automatically check for vulnerabilities as your web applications evolve.
Seeker® IAST: Built for CI/CD and DevOps, Seeker is easy to deploy and scale in your CI/CD development workflows. Native integrations, web APIs, and plugins provide seamless integration with the tools you use for on-premises, cloud-based, microservices-based, and container-based development.

Built-in contextual eLearning helps supplement your organization-wide training efforts. You can educate and grow the right mix of dev and security champions for your DevSecOps initiatives. Synopsys portfolio integrations allow eLearning to recommend specific lessons based on issues identified by Code Sight, Coverity, and Seeker.

What are the benefits of CI/CD?

Automated testing enables continuous delivery, which ensures software quality and security and increases the profitability of code in production.
CI/CD pipelines enable a much shorter time to market for new product features, creating happier customers and lowering strain on development.
The great increase in overall speed of delivery enabled by CI/CD pipelines improves an organization’s competitive edge.
Automation frees team members to focus on what they do best, yielding the best end products.
Organizations with a successful CI/CD pipeline can attract great talent. By moving away from traditional waterfall methods, engineers and developers are no longer bogged down with repetitive activities that are often highly dependent on the completion of other tasks.