DevOps & CI/CD#

Reference of CI/CD platforms, build / artifact / config- management tools, IaC, and the secrets-management + observability stack that surrounds them. The categories below follow the typical “build → release → run → observe” pipeline.

For containers and Kubernetes-native deploys, see Container Ecosystem. For databases, see Database Systems. For source-code platforms, the big three (GitHub, GitLab, Bitbucket) are noted in the SCM section.

Source control / SCM#

Platform

Vendor

Notes

GitHub

Microsoft

The de-facto SCM; Actions for CI/CD; Codespaces; Copilot.

GitLab

GitLab Inc.

Self-host or SaaS; built-in CI/CD; broadest DevSecOps story.

Bitbucket

Atlassian

Pipelines integrated.

Azure DevOps

Microsoft

Repos + Pipelines + Boards + Artifacts.

AWS CodeCommit

AWS

Git on AWS (deprecated for new accounts since Sep 2024).

Gitea / Forgejo

Community

Self-hosted GitHub-alike.

Gogs

Community

Lighter Go-based.

Sourcehut

Drew DeVault

Minimalist; CLI-friendly; mailing-list workflow.

Codeberg

Codeberg

Forgejo-based community.

CI / CD platforms#

Platform

Vendor

Notes

GitHub Actions

GitHub

YAML in repo; runners managed or self-hosted; free public.

GitLab CI/CD

GitLab

YAML; tightly integrated; runners.

Jenkins

CDF

OSS; plugin ecosystem; long-running mainstream choice.

Jenkins X

CDF

K8s-native opinionated Jenkins.

CircleCI

CircleCI

Cloud-only mostly; orbs.

Travis CI

Travis

First widely-known SaaS CI; declined post-2020.

Buildkite

Buildkite

Distributed agents on user infra; SaaS control plane.

Drone

Harness

Container-native CI; OSS + commercial.

Tekton

CDF

K8s-native pipeline primitives; underlies many platforms.

Concourse

Pivotal

Pipeline-as-code; CF-origin.

Argo Workflows

CNCF

K8s-native workflows.

TeamCity

JetBrains

Commercial; popular in JVM shops.

Bamboo

Atlassian

Commercial; tied to Bitbucket / Jira.

Azure Pipelines

Microsoft

YAML pipelines on Azure DevOps.

Google Cloud Build

Google

Managed; container-step model.

AWS CodeBuild / CodeP ipeline

AWS

Managed.

Spacelift

Spacelift

IaC-focused CI.

Atlantis

Runatlantis

Terraform automation via PR workflow.

Buildbot

Buildbot

Old-guard Python.

Werf

Flant

Build + deploy combined.

Earthly

Earthly

Earthfile-based.

Build automation / package#

Tool

Org

Notes

Make / GNU Make

FSF

Universal C-derived build tool.

Bazel

Google

Hermetic + reproducible; multi-language.

Buck2

Meta

Bazel-derived; Rust.

Pants

Pants Build

Python + JVM + Go monorepo build.

CMake

Kitware

C/C++ meta-build.

Ninja

Google

Fast minimal builder; CMake target.

Gradle

Gradle

JVM-first; Kotlin DSL.

Maven

Apache

JVM; XML POM.

sbt

Lightbend

Scala build.

npm / pnpm / yarn

OpenJS / pnpm

/ Y arn Node.js package managers.

Cargo

Rust

Rust build + package.

Go modules

Go

Go’s built-in.

Poetry / uv / pip-too ls

Python

Python deps.

nix / flakes

NixOS

Reproducible builds + envs.

direnv

direnv

Per-dir env loading.

Infrastructure as Code (IaC)#

Tool

Org

Notes

Terraform

HashiCorp

BSL since v1.6 (Aug 2023); the most-adopted IaC.

OpenTofu

Linux Foundation

Terraform fork; Apache 2.0.

Pulumi

Pulumi

IaC in TS / Python / Go / .NET / Java.

AWS CDK

AWS

Cloud Dev Kit; CloudFormation-compiling TS / Python / Java / Go.

CloudFormation

AWS

Native AWS YAML / JSON.

Bicep

Microsoft

Azure Resource Manager DSL.

Azure ARM templates

Microsoft

Native Azure JSON.

Google Deployment Mg r

Google

Native GCP (sunset planned).

Crossplane

CNCF

K8s-API-based cloud resource management.

Ansible

Red Hat

Agentless config; YAML.

Chef

Progress

Ruby DSL.

Puppet

Perforce

DSL; declarative.

Salt

VMware

Python; agent + master.

CFEngine

CFEngine

Original config-mgmt; declarative.

Pyinfra

OSS

Python config + cmd-runner.

Artifact registries#

Registry

Vendor

Notes

Artifactory

JFrog

Universal (Maven / npm / Docker / etc.).

Nexus Repository

Sonatype

Universal.

GitHub Packages

GitHub

Per-repo packages.

GitLab Package Reg.

GitLab

Per-project.

PyPI

PSF

Python public.

Maven Central

Sonatype

Java public.

npm Registry

OpenJS

Node public.

RubyGems

Ruby community

Ruby public.

crates.io

Rust

Rust public.

Go modules proxy

Google

Go public + modproxy.

Helm Chart Repo

CNCF

Helm chart hosting.

ChartMuseum

Helm community

Self-hosted Helm chart repo.

Cargo / Verdaccio

Cargo / Verdaccio

Self-hosted alternatives.

GitOps / deployment#

Tool

Org

Notes

ArgoCD

CNCF

Pull-based K8s GitOps.

Flux v2

CNCF

Pull-based GitOps.

Spinnaker

CDF

Multi-cloud CD; Netflix-derived.

Harness

Harness

Commercial CD platform.

Octopus Deploy

Octopus

Windows-friendly CD.

Helm

CNCF

Kubernetes package manager.

Kustomize

K8s

Built into kubectl.

Carvel (kapp / ytt /

VMware

K8s deploy toolkit.

kbld / imgpkg / vendi

-

Werf

Flant

Build + deploy.

Secrets management#

Tool

Org

Notes

HashiCorp Vault

HashiCorp

BSL since 2023; broadly deployed.

OpenBao

Linux Foundation

Vault fork; Apache 2.0.

AWS Secrets Manager

AWS

Managed.

AWS SSM Parameter Store

AWS

Managed.

Azure Key Vault

Microsoft

Managed.

Google Secret Manager

GCP

Managed.

Doppler

Doppler

SaaS multi-env secret sync.

Infisical

Infisical

OSS / SaaS; Doppler-alternative.

1Password Secrets Au tomation

1Password

Secrets in 1Password vault.

SOPS

Mozilla

GitOps-friendly age / GPG / KMS-encrypted YAML.

git-crypt

git-crypt

Encrypted files in Git.

Berglas

Google

Cloud KMS / GCS secrets.

Sealed Secrets

Bitnami / VMware

K8s Sealed Secrets controller (kubeseal).

External Secrets Operator

External Secrets

K8s sync from cloud secret stores.

Code quality / scanning#

Tool

Org

Notes

SonarQube

SonarSource

Code quality + security; SAST.

Semgrep

Semgrep

Open-source pattern-based SAST.

CodeQL

GitHub

SAST; the QL query language.

Snyk

Snyk

SCA + IaC + container.

Dependabot

GitHub

Auto dep updates + advisories.

Renovate

Mend

Multi-platform dep update bot.

Trivy

Aqua

Multi-target scanner (containers / IaC / SBOM).

tfsec

Aqua

Terraform security; merging into Trivy.

checkov

Bridgecrew

IaC scanning.

GitGuardian

GitGuardian

Secrets scanning.

TruffleHog

Truffle Sec

Secrets scanning OSS.

Gitleaks

Zachleat / Zricks

Pre-commit secrets scanning.

ESLint / Prettier

Community

JS/TS lint + format.

Ruff / Black / isort

Charlie M / PS

F Python lint + format.

Clippy / rustfmt

Rust

Rust lint + format.

golangci-lint

Community

Go lint aggregator.

Observability (briefly)#

Stack

Org

Notes

Prometheus + Grafana

CNCF / Grafana

Metrics + dashboards (the standard).

Loki

Grafana Labs

Logs.

Tempo / Jaeger / Zip kin

Grafana / C

NCF Traces.

OpenTelemetry

CNCF

Vendor-neutral telemetry SDK + collector.

ELK / Elastic Stack

Elastic

Elasticsearch + Logstash + Kibana + Beats.

Splunk

Splunk

Commercial leader.

Datadog

Datadog

SaaS APM + logs + metrics + RUM.

New Relic

New Relic

SaaS observability.

Honeycomb

Honeycomb

High-cardinality SaaS APM.

Lightstep

ServiceNow

Distributed tracing.

Sentry

Sentry

Error tracking.

Operator notes#

  • License drift: Terraform (BSL since v1.6) → OpenTofu; Vault (BSL) → OpenBao; Redis (SSPL) → Valkey. Plan migrations before the next renewal.

  • Self-hosted runners are the highest-impact security control: GitHub Actions / GitLab CI default to ephemeral cloud runners but secrets, network reach, and lateral movement risk all increase with self-hosted (esp. shared).

  • Pipeline-as-code (YAML / Jenkinsfile) lives in the repo and inherits its branch protection; ungated CI is a common supply-chain entry.

  • Dependabot / Renovate alone don’t fix transitive vulnerabilities; pair with SCA + lockfile pinning.

  • GitOps removes long-lived deploy creds from CI but adds a write path to a cluster from a Git repo; protect that repo accordingly.

  • Secrets in CI, never echo, never log; use OIDC federation (GitHub OIDC -> AWS / Azure / GCP / Vault) to avoid long-lived static creds.

  • SBOM + signing (Cosign + SLSA + provenance) is now required for US Federal supply-chain (EO 14028, M-22-18).

References#