
[EN] CI/CD Pipelines in 2025 GitOps, IA et Zero-Trust in Action


Herve LECLERC

December 01, 2025

Transcript

  1. CI/CD Pipelines in 2025 → GitOps, IA et Zero-Trust in Action

    Hervé Leclerc, CTO - Alter Way. SymfonyCon 2025 Amsterdam
  2. The World of Tomorrow, Today

    What does the future of software delivery hold for us?
    • The CI/CD pipelines we know are evolving. Simple automation is no longer enough.
    • The 2025 pipeline is intelligent, inherently secure, and entirely driven by the GitOps philosophy.
    • This session explores a new-generation pipeline for a containerized Symfony application.
    • Let's discover how AI, Zero-Trust, and GitOps are becoming a tangible and necessary reality!
  3. The 4 Pillars of the 2025 Pipeline

    A robust foundation for software delivery
    • GitOps - Git as the single source of truth. All infrastructure and deployments are declarative, versioned, and approved via Pull/Merge Requests.
    • AI - AI is no longer a gadget. It analyzes, predicts, optimizes, and generates reports. It transforms the pipeline from an automation tool into an intelligent partner.
    • Zero-Trust - "Never trust, always verify". Every step of the pipeline is secured, every artifact is scanned, and access is strictly controlled.
    • Observability - More than just monitoring: it's the ability to ask questions of our production systems. Logs, metrics, and traces are correlated for a deep understanding of application behavior.
  4. Phase 1: Early Security (Shift-Left)

    Find vulnerabilities even before the first build
    • secrets-detection: Uses `gitleaks` to scan code for secrets (API keys, passwords) committed by mistake.
    • dependency-scanning: Uses `composer audit` to analyze PHP dependencies and identify known vulnerabilities (CVEs).

    YAML
    secrets-detection:
      stage: security-scan
      image:
        name: zricethezav/gitleaks:latest
        # The image's entrypoint is the gitleaks binary; clear it so the runner can execute the script lines
        entrypoint: [""]
      script:
        - gitleaks detect --verbose --redact --source=.
    dependency-scanning:
      stage: security-scan
      script:
        # Non-zero exit on known CVEs fails the job; the JSON report is kept for the AI analysis stage
        - composer audit --format=json > composer-audit.json
  5. Phase 2: Automated Build & Tests

    Build and validate code quality.
    • build-application: Installs dependencies and prepares the Symfony application for testing.
    • unit-tests: Executes unit tests with PHPUnit and generates code coverage reports.
    • performance-tests: Simulates user load with `locust` to measure performance and detect regressions.

    YAML
    build-application:
      stage: build
      script:
        - composer install --no-interaction --prefer-dist --optimize-autoloader
      artifacts:
        paths:
          - vendor/
    unit-tests:
      stage: test
      script:
        - php bin/phpunit --coverage-clover=coverage.xml
    performance-tests:
      stage: test
      script:
        - locust --headless --users 100 --run-time 60s --json
  6. Phase 3: Advanced Security Analysis

    Apply the Zero-Trust principle to our artifacts
    • Overall security: kubeconform, kube-score, polaris (scan all Kubernetes charts and manifests).
    • security-scan-trivy: Static Application Security Testing (SAST) for vulnerabilities, secrets, and misconfigurations.
    • container-security-scan: Scans the final Docker image for operating system and library vulnerabilities. No one trusts an unscanned image.

    YAML
    security:
      stage: security-analysis
      script:
        # The manifest path k8s/ is assumed; the slide only names the three tools
        - kubeconform -summary k8s/
        - kube-score score k8s/*.yaml
        - polaris audit --audit-path k8s/
    security-scan-trivy:
      stage: security-analysis
      image:
        name: aquasec/trivy:latest
        # The image's entrypoint is the trivy binary; clear it so the script lines run
        entrypoint: [""]
      script:
        - trivy fs --scanners vuln,secret,misconfig .
    container-security-scan:
      stage: security-analysis
      script:
        - docker build -t my-app:latest .
        - trivy image my-app:latest
  7. Phase 4: AI Enters the Scene (again)

    From automation to intelligent optimization.
    • ai-code-optimization: A Python script uses Gemini to analyze performance reports, code, and logs to suggest optimizations and predict failure points.
    • ai-test-generation: AI analyzes code coverage. If it's below a certain threshold, it generates new unit tests and creates a Merge Request for the team.

    YAML
    ai-code-optimization:
      stage: ai-optimization
      image: python:3.11-slim
      script:
        - python scripts/ai-analyzer.py --suggest-optimizations
    ai-test-generation:
      stage: ai-optimization
      script:
        # Creates a Merge Request with the new tests
        - python scripts/ai-test-generator.py --coverage-threshold 90
  8. Phase 5: Application Packaging

    Create immutable and versioned artifacts
    • build-docker-image: The application is containerized in a Docker image, tagged with the commit hash for perfect traceability.
    • helm-package: The image and its configuration are packaged in a Helm chart, then pushed to an OCI registry.

    YAML
    build-docker-image:
      stage: package
      image: docker:20.10.16
      services:
        - docker:20.10.16-dind
      script:
        # Feed the password on stdin rather than with -p so it does not appear in the process list or job log
        - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
        - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA .
        - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
    helm-package:
      stage: package
      image:
        name: alpine/helm:3.9.0
      script:
        # CI_COMMIT_TAG is only set on tag pipelines, so this job runs when a release tag is pushed
        - helm package ./helm/my-app --version $CI_COMMIT_TAG
        - helm push my-app-$CI_COMMIT_TAG.tgz oci://$CI_REGISTRY/charts
  9. Phase 6: GitOps Deployment → Staging

    Git as the single source of truth for deployment
    • The heart of GitOps: The pipeline does not deploy directly with `kubectl` or `helm`. This is an anti-pattern!
    • Declarative update: Job `deploy-staging` clones the repository and updates the image version to be deployed, then pushes the change.
    • ArgoCD detects the divergence and automatically synchronizes the desired state in the Kubernetes staging cluster.

    YAML
    deploy-staging:
      stage: deploy-staging
      script:
        - git clone gitops-repo.git
        # Update the image version in the config file (values.yaml).
        # strenv() reads the variable from the environment; inside the single quotes, "$CI_COMMIT_SHORT_SHA" would be written literally
        - yq -i '.image.tag = strenv(CI_COMMIT_SHORT_SHA)' gitops-repo/values.yaml
        # Commit & push changes (from inside the cloned repository)
        - git -C gitops-repo commit -am "Deploy app version $CI_COMMIT_SHORT_SHA to staging"
        - git -C gitops-repo push
        # ArgoCD takes care of the rest!
  10. Phase 7-8: Validation, Production

    Validate, Promote, Deploy to production
    • e2e-tests: End-to-End (Cypress) and dynamic security (ZAP) tests are launched against the staging environment to simulate the user journey.
    • deploy-production: If E2E tests pass, the same GitOps process is triggered. The commit is "promoted" by updating the production environment configuration in the GitOps repository.

    YAML
    e2e-tests:
      stage: e2e-tests
      image: cypress/included:15.3.0
      script:
        - cypress run --config baseUrl=https://staging.app.com
    deploy-production:
      stage: deploy-production
      script:
        - ./scripts/gitops-sync.sh "symfony-app" "production"
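The promotion step that `deploy-staging` (Phase 6) does inline and that `scripts/gitops-sync.sh` (Phase 7-8) wraps, written out as an added shell example; it is not the slides' own script. It assumes the GitOps repo is laid out as environments/<env>/values.yaml, edits the tag with awk instead of yq so it runs anywhere, and uses a constructed local bare repository as the remote.

```shell
# Added example, not the slides' own scripts/gitops-sync.sh. Assumptions: the
# GitOps repo holds one values.yaml per environment at environments/<env>/,
# and the image tag is the short commit SHA produced by build-docker-image.
set -eu

# gitops_promote <gitops-repo-url> <app> <env> <image-tag>
# Clones the GitOps repo, rewrites the image tag for <env>, commits and pushes.
# Nothing here touches the cluster: ArgoCD reconciles from the pushed commit.
gitops_promote() {
  repo=$1; app=$2; env=$3; tag=$4
  # Only a commit SHA is accepted as a tag: "latest" or a hand-typed value
  # would break the commit-to-image traceability the packaging stage set up.
  printf '%s' "$tag" | grep -Eq '^[0-9a-f]{7,40}$' || {
    echo "refusing to promote non-SHA tag: $tag" >&2; return 1; }
  work=$(mktemp -d)
  git clone -q "$repo" "$work/gitops"
  values="$work/gitops/environments/$env/values.yaml"
  [ -f "$values" ] || { echo "no values file for env $env" >&2; return 1; }
  # Rewrite only the 'tag:' line; the rest of the file is left untouched.
  awk -v t="$tag" '/^[[:space:]]*tag:/ { sub(/tag:.*/, "tag: \"" t "\"") } 1' \
    "$values" > "$values.tmp" && mv "$values.tmp" "$values"
  git -C "$work/gitops" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -am "Promote $app $tag to $env"
  git -C "$work/gitops" push -q origin HEAD
  rm -rf "$work"
}

# Constructed fixture: a local bare repo standing in for the GitOps remote,
# seeded with a production values.yaml that still points at an older build.
make_fixture() {
  root=$(mktemp -d)
  git init -q --bare "$root/gitops.git"
  git --git-dir="$root/gitops.git" symbolic-ref HEAD refs/heads/main
  git clone -q "$root/gitops.git" "$root/seed" 2>/dev/null
  mkdir -p "$root/seed/environments/production"
  printf 'image:\n  repository: registry.example/symfony-app\n  tag: "0000000"\n' \
    > "$root/seed/environments/production/values.yaml"
  git -C "$root/seed" add -A
  git -C "$root/seed" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m "seed production values"
  git -C "$root/seed" push -q origin HEAD:refs/heads/main
  echo "$root/gitops.git"
}

# Reads back the tag production now points at, straight from the remote.
production_tag() {
  git --git-dir="$1" show main:environments/production/values.yaml \
    | awk '/tag:/ { gsub(/"/, "", $2); print $2 }'
}
```

In a real pipeline the remote URL would be the GitOps repository with a deploy token, and the tag argument would be `$CI_COMMIT_SHORT_SHA` from the pipeline that built and scanned the image.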
  11. Phase 9: Post-Deployment Monitoring

    Verify application health in real conditions
    • post-deployment-monitoring: The pipeline does not stop at the `push`. It waits for the deployment to stabilize in production.
    • It then performs a "smoke test" or "health check" to ensure that critical services respond correctly.
    • This is the first step of continuous feedback from the real environment, closing the deployment loop.

    YAML
    post-deployment-monitoring:
      stage: monitor
      script:
        - echo "Waiting for deployment to stabilize..."
        - check-health.sh
        - post-alert-on-alertmanager
        - notify-users
        - …
  12. Phase 10: Intelligent Continuous Feedback

    AI analyzes all results for the team
    • The pipeline doesn't just succeed or fail.
    • In a reporting step, dedicated jobs analyze each artifact generated with Gemini.
    • The result? Relevant summaries and prioritized alerts sent to Mattermost, instead of simple 2000-line logs.

    Reporting jobs:
    • ai-container-scan-analysis
    • ai-ct-analysis
    • ai-dependency-analysis
    • ai-e2e-analysis
    • ai-gitleaks-analysis
    • ai-kubeconform-analysis
    • ai-kubescore-analysis
    • ai-lint-analysis
    • ai-performance-analysis
    • ai-polaris-analysis
    • ai-trivy-analysis
    • ai-unittest-analysis
    • ai-zap-analysis
  13. A Strategic Advantage

    Why this approach transforms your software delivery
    Ultra-Fast & Intelligent Feedback
    • The team receives analyses, not just logs.
    Proactive Security
    • Security is integrated and automated at every step, not an afterthought.
    Reduced Cognitive Load
    • AI handles repetitive analysis tasks, allowing developers to focus on value creation.
    Auditability & Resilience
    • Thanks to GitOps, every environment change is tracked, auditable, and easily reversible.
  14. Conclusion

    Your pipeline is your best asset
    The 2025 pipeline is no longer just an assembly line. It's an intelligent partner that secures, optimizes, and accelerates your innovation. By combining GitOps, AI, Zero-Trust, and Observability, we transform our delivery chain into a decisive competitive advantage.