DevOps & CI/CD#
Reference of CI/CD platforms, build / artifact / config- management tools, IaC, and the secrets-management + observability stack that surrounds them. The categories below follow the typical “build → release → run → observe” pipeline.
For containers and Kubernetes-native deploys, see Container Ecosystem. For databases, see Database Systems. For source-code platforms, the big three (GitHub, GitLab, Bitbucket) are noted in the SCM section.
Source control / SCM#
Platform |
Vendor |
Notes |
|---|---|---|
GitHub |
Microsoft |
The de-facto SCM; Actions for CI/CD; Codespaces; Copilot. |
GitLab |
GitLab Inc. |
Self-host or SaaS; built-in CI/CD; broadest DevSecOps story. |
Bitbucket |
Atlassian |
Pipelines integrated. |
Azure DevOps |
Microsoft |
Repos + Pipelines + Boards + Artifacts. |
AWS CodeCommit |
AWS |
Git on AWS (deprecated for new accounts since Sep 2024). |
Gitea / Forgejo |
Community |
Self-hosted GitHub-alike. |
Gogs |
Community |
Lighter Go-based. |
Sourcehut |
Drew DeVault |
Minimalist; CLI-friendly; mailing-list workflow. |
Codeberg |
Codeberg |
Forgejo-based community. |
CI / CD platforms#
Platform |
Vendor |
Notes |
|---|---|---|
GitHub Actions |
GitHub |
YAML in repo; runners managed or self-hosted; free public. |
GitLab CI/CD |
GitLab |
YAML; tightly integrated; runners. |
Jenkins |
CDF |
OSS; plugin ecosystem; long-running mainstream choice. |
Jenkins X |
CDF |
K8s-native opinionated Jenkins. |
CircleCI |
CircleCI |
Cloud-only mostly; orbs. |
Travis CI |
Travis |
First widely-known SaaS CI; declined post-2020. |
Buildkite |
Buildkite |
Distributed agents on user infra; SaaS control plane. |
Drone |
Harness |
Container-native CI; OSS + commercial. |
Tekton |
CDF |
K8s-native pipeline primitives; underlies many platforms. |
Concourse |
Pivotal |
Pipeline-as-code; CF-origin. |
Argo Workflows |
CNCF |
K8s-native workflows. |
TeamCity |
JetBrains |
Commercial; popular in JVM shops. |
Bamboo |
Atlassian |
Commercial; tied to Bitbucket / Jira. |
Azure Pipelines |
Microsoft |
YAML pipelines on Azure DevOps. |
Google Cloud Build |
Managed; container-step model. |
|
AWS CodeBuild / CodeP ipeline |
AWS |
Managed. |
Spacelift |
Spacelift |
IaC-focused CI. |
Atlantis |
Runatlantis |
Terraform automation via PR workflow. |
Buildbot |
Buildbot |
Old-guard Python. |
Werf |
Flant |
Build + deploy combined. |
Earthly |
Earthly |
Earthfile-based. |
Build automation / package#
Tool |
Org |
Notes |
|---|---|---|
Make / GNU Make |
FSF |
Universal C-derived build tool. |
Bazel |
Hermetic + reproducible; multi-language. |
|
Buck2 |
Meta |
Bazel-derived; Rust. |
Pants |
Pants Build |
Python + JVM + Go monorepo build. |
CMake |
Kitware |
C/C++ meta-build. |
Ninja |
Fast minimal builder; CMake target. |
|
Gradle |
Gradle |
JVM-first; Kotlin DSL. |
Maven |
Apache |
JVM; XML POM. |
sbt |
Lightbend |
Scala build. |
npm / pnpm / yarn |
OpenJS / pnpm |
/ Y arn Node.js package managers. |
Cargo |
Rust |
Rust build + package. |
Go modules |
Go |
Go’s built-in. |
Poetry / uv / pip-too ls |
Python |
Python deps. |
nix / flakes |
NixOS |
Reproducible builds + envs. |
direnv |
direnv |
Per-dir env loading. |
Infrastructure as Code (IaC)#
Tool |
Org |
Notes |
|---|---|---|
Terraform |
HashiCorp |
BSL since v1.6 (Aug 2023); the most-adopted IaC. |
OpenTofu |
Linux Foundation |
Terraform fork; Apache 2.0. |
Pulumi |
Pulumi |
IaC in TS / Python / Go / .NET / Java. |
AWS CDK |
AWS |
Cloud Dev Kit; CloudFormation-compiling TS / Python / Java / Go. |
CloudFormation |
AWS |
Native AWS YAML / JSON. |
Bicep |
Microsoft |
Azure Resource Manager DSL. |
Azure ARM templates |
Microsoft |
Native Azure JSON. |
Google Deployment Mg r |
Native GCP (sunset planned). |
|
Crossplane |
CNCF |
K8s-API-based cloud resource management. |
Ansible |
Red Hat |
Agentless config; YAML. |
Chef |
Progress |
Ruby DSL. |
Puppet |
Perforce |
DSL; declarative. |
Salt |
VMware |
Python; agent + master. |
CFEngine |
CFEngine |
Original config-mgmt; declarative. |
Pyinfra |
OSS |
Python config + cmd-runner. |
Artifact registries#
Registry |
Vendor |
Notes |
|---|---|---|
Artifactory |
JFrog |
Universal (Maven / npm / Docker / etc.). |
Nexus Repository |
Sonatype |
Universal. |
GitHub Packages |
GitHub |
Per-repo packages. |
GitLab Package Reg. |
GitLab |
Per-project. |
PyPI |
PSF |
Python public. |
Maven Central |
Sonatype |
Java public. |
npm Registry |
OpenJS |
Node public. |
RubyGems |
Ruby community |
Ruby public. |
crates.io |
Rust |
Rust public. |
Go modules proxy |
Go public + modproxy. |
|
Helm Chart Repo |
CNCF |
Helm chart hosting. |
ChartMuseum |
Helm community |
Self-hosted Helm chart repo. |
Cargo / Verdaccio |
Cargo / Verdaccio |
Self-hosted alternatives. |
GitOps / deployment#
Tool |
Org |
Notes |
|---|---|---|
ArgoCD |
CNCF |
Pull-based K8s GitOps. |
Flux v2 |
CNCF |
Pull-based GitOps. |
Spinnaker |
CDF |
Multi-cloud CD; Netflix-derived. |
Harness |
Harness |
Commercial CD platform. |
Octopus Deploy |
Octopus |
Windows-friendly CD. |
Helm |
CNCF |
Kubernetes package manager. |
Kustomize |
K8s |
Built into kubectl. |
Carvel (kapp / ytt / |
VMware |
K8s deploy toolkit. |
kbld / imgpkg / vendi |
- |
|
Werf |
Flant |
Build + deploy. |
Secrets management#
Tool |
Org |
Notes |
|---|---|---|
HashiCorp Vault |
HashiCorp |
BSL since 2023; broadly deployed. |
OpenBao |
Linux Foundation |
Vault fork; Apache 2.0. |
AWS Secrets Manager |
AWS |
Managed. |
AWS SSM Parameter Store |
AWS |
Managed. |
Azure Key Vault |
Microsoft |
Managed. |
Google Secret Manager |
GCP |
Managed. |
Doppler |
Doppler |
SaaS multi-env secret sync. |
Infisical |
Infisical |
OSS / SaaS; Doppler-alternative. |
1Password Secrets Au tomation |
1Password |
Secrets in 1Password vault. |
SOPS |
Mozilla |
GitOps-friendly age / GPG / KMS-encrypted YAML. |
git-crypt |
git-crypt |
Encrypted files in Git. |
Berglas |
Cloud KMS / GCS secrets. |
|
Sealed Secrets |
Bitnami / VMware |
K8s Sealed Secrets controller (kubeseal). |
External Secrets Operator |
External Secrets |
K8s sync from cloud secret stores. |
Code quality / scanning#
Tool |
Org |
Notes |
|---|---|---|
SonarQube |
SonarSource |
Code quality + security; SAST. |
Semgrep |
Semgrep |
Open-source pattern-based SAST. |
CodeQL |
GitHub |
SAST; the QL query language. |
Snyk |
Snyk |
SCA + IaC + container. |
Dependabot |
GitHub |
Auto dep updates + advisories. |
Renovate |
Mend |
Multi-platform dep update bot. |
Trivy |
Aqua |
Multi-target scanner (containers / IaC / SBOM). |
tfsec |
Aqua |
Terraform security; merging into Trivy. |
checkov |
Bridgecrew |
IaC scanning. |
GitGuardian |
GitGuardian |
Secrets scanning. |
TruffleHog |
Truffle Sec |
Secrets scanning OSS. |
Gitleaks |
Zachleat / Zricks |
Pre-commit secrets scanning. |
ESLint / Prettier |
Community |
JS/TS lint + format. |
Ruff / Black / isort |
Charlie M / PS |
F Python lint + format. |
Clippy / rustfmt |
Rust |
Rust lint + format. |
golangci-lint |
Community |
Go lint aggregator. |
Observability (briefly)#
Stack |
Org |
Notes |
|---|---|---|
Prometheus + Grafana |
CNCF / Grafana |
Metrics + dashboards (the standard). |
Loki |
Grafana Labs |
Logs. |
Tempo / Jaeger / Zip kin |
Grafana / C |
NCF Traces. |
OpenTelemetry |
CNCF |
Vendor-neutral telemetry SDK + collector. |
ELK / Elastic Stack |
Elastic |
Elasticsearch + Logstash + Kibana + Beats. |
Splunk |
Splunk |
Commercial leader. |
Datadog |
Datadog |
SaaS APM + logs + metrics + RUM. |
New Relic |
New Relic |
SaaS observability. |
Honeycomb |
Honeycomb |
High-cardinality SaaS APM. |
Lightstep |
ServiceNow |
Distributed tracing. |
Sentry |
Sentry |
Error tracking. |
Operator notes#
License drift: Terraform (BSL since v1.6) → OpenTofu; Vault (BSL) → OpenBao; Redis (SSPL) → Valkey. Plan migrations before the next renewal.
Self-hosted runners are the highest-impact security control: GitHub Actions / GitLab CI default to ephemeral cloud runners but secrets, network reach, and lateral movement risk all increase with self-hosted (esp. shared).
Pipeline-as-code (YAML / Jenkinsfile) lives in the repo and inherits its branch protection; ungated CI is a common supply-chain entry.
Dependabot / Renovate alone don’t fix transitive vulnerabilities; pair with SCA + lockfile pinning.
GitOps removes long-lived deploy creds from CI but adds a write path to a cluster from a Git repo; protect that repo accordingly.
Secrets in CI, never echo, never log; use OIDC federation (GitHub OIDC -> AWS / Azure / GCP / Vault) to avoid long-lived static creds.
SBOM + signing (Cosign + SLSA + provenance) is now required for US Federal supply-chain (EO 14028, M-22-18).