From YouTube: CDF SIG Best Practices - Apr 4, 2022
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A: Yeah, I've been... I had spring break. Yes, I've been a bit out of the loop, and I know Tara was lost in Perth season. Yeah, last time I checked Terry had some great pull requests and we were mostly focused on getting content.

A: I'm writing up something on the security side, so I think we're kind of good in terms of... you've given us a really good structure to work with. Okay, are you seeing the PRs come in? I think I...

C: Okay, yeah, we didn't... so I, okay, back up. So I've started cutting over more of the content. We ran into...

C: I don't call it a challenge, a confusion. Whoever had... and I don't remember who it was... had organized the continuous delivery section. There's kind of... oh, Tracy is still there, yeah. Let me know. Oh, there, okay, Nicola dropped and you froze. Are you here? Okay, my connection is being all weird. Okay, so whoever had done the continuous delivery section, there was... there's some weirdness there.

C: I guess the three things that we're looking at are completing the transition and edits of the content we have into the site. And, you know, again, Nicola, no expectations, but if you want to go in there, particularly this one section, and just offer professional opinion, I will not say no, because the more we started looking at it, it's like, this needs to be rewritten. So there's that. The second thing is, I don't...

C: I haven't had a chance to talk to Carrie yet, but we need to figure out getting it live. Yep. Because, three, we also want to start soliciting the vendor content and figuring out the whole community contributions, like real world scenarios and stuff like that. And the timeline is fast, because we were talking about creating a birds of a feather or similar virtual for cdCon, and then we were trying to figure out, you know, could we turn that into like a workshop or some other form of useful gathering?

C: You're not wrong. So in the absence of any changes, I have to ping Kara, and this reminds me to do it today, and then I was just going to continue to kind of grab time here and there to finish the migrations. But maybe a question for something like the SLSA framework. I haven't actually gone and looked, so, bad. Are there good examples?

C: I'm thinking this whole framework just because we've talked about it, but, you know, in general, are there good examples for how to incorporate these real world use cases, primarily around, like, you know, recommendations on how to recruit content creators from companies who might be able to bring knowledge around this kind of stuff.

C: So it's just more like, okay, here's a framework around this idea that drives an industry standard. You know, what are some of the things that, as a community, have happened to try and build that momentum and build the engagement?
A: So the first thing is just trying to get some definitions, and when I said I'd write something up about the security space, to me, like, the first question was: is it software supply chain security?

A: We want to focus on, because we are focusing mostly on the delivery side, and by that I mean ignoring kind of best practices around code security and how you write secure code, because I feel that's out of scope. Like, we don't talk in this document about designing and architecting code, so we can equally leave out that section of security.

A: So I've gone through some definitions and then I talked about kind of two ways to think about it. "Why it matters" is a bit lighter opening; maybe other folks, so Terry, could pipe in. I'm sure we could talk a lot more there. Key stakeholders, a little there, and then when it comes to best practices, I found I was very quickly getting into just pulling everything in about SLSA, because...

A: Yeah, and in the short time I've been looking at stuff, that seems to be resonating with people the most, and like people are actively using it in their roadmaps. So I thought, like, so many different things to it. It gives it such a nice structure.

A: So then it almost got into, okay, there's so much you can say on each of these sections and different tools you can use. How do we go about, like, what more should we say here? Should we reference the SLSA website, or should we be talking more specific case studies? And I think I can help with that, because you're starting to talk to folks who are going through that pain.

B: If you ask someone what is that, it's like they'll kind of make guesses about it. It isn't really... it's in the vocabulary of people who are in that space, but it's not really in the vocabulary of organizations in general, and so part of it is level setting and coming back and saying, well, what does supply chain security mean in the context of CI/CD? What does it mean in the context... what does it mean?

B: You know, versus, say, something like shift left, right? Because with supply chain security, it's more the idea that you've got things that you have to think about end to end. You have to think about third parties, so it's not just about shifting left. It's about making sure you understand what all the attack vectors are.

B: So a lot of what I'm doing in the planning that I'm doing now, for sort of our position on how we're going to talk about it from a Google perspective, is trying to provide some of that context for people who are newer to the space or want to understand, well, how does this relate to DevSecOps, or how does this relate to CI/CD, and then you can get into, okay...

B: So now that you understand that you have this whole end-to-end story, here is a framework to help you look at what those attack vectors are, so that you have a vocabulary of where the entry points are, and you understand where they are, and then here are some best practices to help you mitigate those threats. That's the approach that I'm kind of taking with the stuff we have now.
B: It's an overlapping problem, so some people will understand DevOps, some people will understand CI/CD, some people will understand DevSecOps, but those terms have been around a little longer, instead of sort of contextualizing that. The other piece, then, is what has been new in the past year with SLSA and so on, is this emergence of frameworks and vocabulary to talk about these things, because from so little I know about something like DevSecOps, it's like, yes, look at security. Look at it, you know, across your whole chain, but, like, what does that mean?

B: Where do I start? What things am I looking for? And so these frameworks, like SLSA, that have come out now... NIST also has their, I think, Secure Software Development Framework.

B: So that's another thing where it's a framework, and here, very specifically, looking at: here are things in the software security space that you should be thinking about, rather than just take your DevOps and now think about security, but not knowing where to start. So I think it's providing that context of, this is the layer that we have on top to help you, really in a structured way, based on best practices of organizations who've been thinking about these things, how to approach that.

B: So I think, even on the SLSA site, they talk about it: it's a framework, but it's also kind of like a checklist, and it's a way to evaluate what your maturity is now and how you can incrementally get there, rather than going, I have to fix all these things and I don't know where to start, right.

A: And then, maybe, is it worth adding, because, like you mentioned the SSDF, and I've been looking at that a lot, and the main feedback is, like, it's a very complete framework. It includes more than supply chain, but equally high level, that, like, I've heard feedback from people, it's practically unimplementable, because it tries not to be opinionated and it tries to cover all these different industries, but almost as a result, there's so much homework for people to do to go figure things out, that SLSA and...

A: Yeah, and it's good because it gives you the whole problem space and it doesn't shy from that. But then, when it comes to the practice and taking steps, like, I think, SLSA there, you know, and just listening to what other people are telling me, it's much more focused. It allows you to do things incrementally, and it's, you know, it is opinionated in a way that NIST has stayed away from being.

B: Yeah, so again, I haven't gotten all of the... I haven't gotten feedback from folks yet, but the way that I've looked at it, based on what I've seen out of SLSA, and this I generally agree, my thinking is that you can use both. DORA, and, you know, if you're at SLSA zero and you don't even have build automation and source control, then you kind of start there. So that's where we guide people first, and then, assuming you have some foundational software practices and software delivery practices in place...

B: Then you look at SLSA, and that helps you to do an assessment. Once you have that, it's then, okay, well, for my own organization, I need to come up with a policy, and what should go into that policy. So SLSA can help you with some of that, but I feel like NIST, being this really huge exhaustive thing, can then help you with, okay...

B: Here are some things that we can look at, and maybe there are some things that we don't prioritize right now, but it's pretty exhaustive, and so it can help you just think about what considerations you need to implement, and maybe things that you didn't even think of, right.
A: Can you say that one more time? Sorry. I think, do you think it would be helpful to do a lit... like, add a section in on the NIST SSDF giving a high level, like, here's a formula, this is its focus areas, here's its strengths and weaknesses, kind of thing.

C: I think it would be very useful to basically TOC some of the more relevant frameworks.

B: Yeah, yeah, so I don't know, you know, we could probably do a version of that.

B: So, yeah, so we have NIST, we have SLSA. I think also, just, there are other resources, like, what is it, so it's deps.dev has a bunch of things around, like, you can look at open source software and sort of whether it's been deemed, like, it looks safe. There are probably other resources we can point to, yeah. So, as I said, I'm working on some stuff from a Google perspective on SLSA.

B: I don't know what the timeline is for the conference that we're aiming for here, but I'm kind of... I'm aiming to have things ready for, like, early May, so there will be some content that you can look at that I will probably be putting out there.

C: Okay, that would be great. The first deadline, I think, is the 11th for cdCon, okay, but that's just getting the proposal in, and, like I said, this is... we're hoping to do a repeat where we kind of do a working session with interested parties, so the deadline around that would be maybe having an initial example or two, and I think, Justin, you had... or I've slept since then, I think it was just...

C: It might have been someone else who said that they would have their company example that they could get prepared. So if we had a couple that would get published, then we have a baseline and then there could be a discussion around...

A: And can I ask, for the case study, that's a general one? It's not specific to security, it's more continuous delivery and DevOps, is that right?

B: So I have some content that I'm working on that's specific to supply chain security. We do have some stuff around CD that is already published. I could probably talk to the editors and just find out, like...

C: That would be kind of cool, actually, to see if we could add more visibility to deps.dev, because that's a stupendous project, and I know it was, between y'all and the wall, it was slightly controversial inside Google, but I think most of us think it was a lovely thing and is a lovely thing, and we should try and talk it up. If you're not familiar, it's the guy who invented Go originally went off and invented this.

C: Okay, all right, so current action items, just to kind of... let's see.

C: So finish edits and review of current content. I think in my last webinar I think we just pushed it through. Hang on, best practices site. There are no active pull requests. Okay, so the latest round of content is published, or is... I'm sorry, is committed. As a reminder, that link is here. Terry and I had a pretty cool working session, fun with Hugo.

C: I wasn't able to get a container-based system working on my Google laptop, because corp, but just running the Hugo server directly seemed to work well, and trying to do real work on a Windows machine, my gaming machine over here, I was just like, god damn it, so I'm finally going to break down and get a Mac mini, so I have a machine that I like developing on that is not controlled by Google corporate overlords. Heh.
C: So, yeah, the whole change. I mean, they're within their rights to do whatever they want, but that whole change around the Docker stuff was like, yeah, because if you work at Google you're screwed, because Google's not gonna pay attention to the small number of people who are like, can we please get the licensing so we can run Docker Desktop? Anyway.

E: I have two action items that I know of. One: write up a case study for eBay's pipeline shape, which is, I think, the thing that you're talking about. Oops. I...

C: I was pointing you at my fork, which, while I'm sure it is deeply interesting to you all, is not actually the useful one. There we go. Okay, you have a... and that pull request is still live. Crap. Somebody want to look at that? Give me a bless. Yes, okay, thank you, all right.

D: Apologies, I'm very late. Fired.

C: Hello, Carrie. So, does... so you're going to create a PR, Justin?

E: Yes, I'll create a PR for what eBay is... I'll probably do one for what eBay's current pipelines look like, and then what we're... a directional pipeline that we're heading towards.

A: Oh, I think that was, like, how do you assess where you are in best practices across the board? So, like, are you using version control? Yes, no, kind of thing. But I recall you had an idea around doing an assessment tool, and I really liked that idea, but ended up focusing on the security stuff first, so we can delete it. Can I...

E: Should the output of this work be to create a pull request into the best practices repository? Yes.

C: Okay, no, hang on, that's different. This one. There we go. Learn, assess. Yeah, it's kind of late. Okay.

C: So can you see that? Can you... here, let me drop the link in for you, Justin. Make sure that you have access to this thing, to the Netlify. I don't remember if you got an account. If not, either... okay, if that link works for you and you're logged into GitHub, you're good. If not, we should get you access.

C: Okay, but I also have a Tara to-do: same for Tekton. I was going to go talk to the Tekton writer, Javi... I forget, I forget his name, but I have it. I have it written down.

C: Okay, though I may hold off on that one. If we're gonna have golden path go up, to make sure that we don't overload the Google. So, okay, and then Tracy, sorry, circling back, were you gonna... did you wanna speak to sigstore as a possible use case?

A: Yeah, so what I'm thinking for that document, I'll have another pass where I'll put down the frameworks and I'll talk about, like, pros and cons and then link to the site, so people can go find the information there, and then start highlighting specific solutions, and sigstore is the one around provenance and code signing.

C: At some point, whatever happened with the... I know I asked this before, and you probably answered, and I can't remember, the senility, it burns... the whole SBOM thing that K Williams was driving. Did that go beyond... where did that end up? Because even if it's not CDF, they did their own foundation having the bill of materials discussion. The broader bill of materials discussion, I think, is a good one.

A: Yeah, so eventually... well, there's sort of two organizations that it split between, but I think a lot is happening in the OpenSSF, and most SBOM stuff is either, like, SPDX or CycloneDX. So I can put a section in there. Actually, there's an article a colleague at Chainguard wrote; it's a kind of overview of SBOMs. I could go take that and refresh it and see how we could fit it in, in a nice SBOM section, the state of response.

C: It's one of those things that, if you can get it set up, you know, it's really helpful for, you know, being audited.

C: And in a cloud based space, where you have lots of ephemeral things, frankly, a much better mechanism. And actually, speaking of that, compliance, I think, is something that we probably would want to speak to more. I know we've talked about it. Yep.
A: I can do SBOMs, and I'll take stuff from that blog post, and I know there's been a few things developed since then, like a number of tools now will auto generate SBOMs, so I can add that in. Compliance, if it's all that kind of Kyverno and OPA, I'm not up to speed on that, so I'm staying away for now.

C: Okay, would we want to have... we have security, and do we want to bring compliance out at its own level, or maybe have it be an easily identifiable, viable subcategory? Because they're not necessarily the same. Yeah, they're important in different ways.

C: So I'm wondering... oh, actually, let's talk about this PR really quick, because now I'm remembering how this all went down, so that I'm thinking, Terry, maybe we just... the one question was the continuous deployment versus delivery, or, yeah. I'm thinking we land this and then start a new edit on that, so that the content, since we're not live yet, because we were talking about...

D: But it's just a simple blanket replace on the... on you.

D: Yeah, I think we must have written that before we got the agreed definitions of all the terms, I think.

C: But then we have the argument about: oh, that's where it all ended up. And the argument of, deployment is too specific, because it was included, the included endpoint.

C: I've, since then, and I have a completely new role at work which has consumed me, so I had hoped to finish this two weeks ago and completely...

C: So at your convenience and ability, Nikola, let me know about golden path discussions. I will try and... I think I could probably spend some time this afternoon cleaning up that PR and get it landed, and then, Tracy, you will keep working on your thing, and what were we saying about Terry? As was... we're going to ask him to review? Was that what we were going to do?

A: Terry, any additional input? Let's share the best practices for software supply chain security, and if you could take a look... and I've got some great feedback from folks here, but, yeah, appreciate any input you might have before I do a second pass. Okay, okay, links in the notes, and yeah, particularly, I had a "Why it matters" section which was very light, and I felt you might have some strong input there.

C: Okay, before you joined, Terry, we were talking about... you and I had started talking last week, you know, do we think we can pull together enough stuff in time for the... is the deadline the 11th for cdCon, for a BoF?

C: I got sucked into a week's worth of working on something for TK, which I could not... when your boss says you need to work on this thing the head of Google Cloud is looking at, one must nod and say yes. So I got completely sidetracked.