Meet the newest orb in the CircleCI ecosystem: DeepFactor!
DeepFactor delivers continuous observability for DevSecOps, enabling developers to rapidly find and triage runtime Security, Privacy, and Compliance risks in their application while providing the AppSec team the ability to set guardrails, receive alerts, and have continuous visibility into every build. Start using DeepFactor in your CircleCI pipeline today and go from Runtime Blind™ to Runtime Ready™.
“We’re pleased to partner with DeepFactor. Their CircleCI orb makes it easy for developers to gain visibility into the runtime characteristics of their apps before release to production.” – Tom Trahan, VP of Business Development at CircleCI
“Good engineering teams ship fast; great engineering teams ship fast with confidence. Our platform enables Continuous Observability—the missing piece in the CI pipeline—and can help your team go from good to great.” – Kiran Kamity, CEO and Founder, DeepFactor
Why observability for DevSecOps?
You know finding security and compliance risks in your app before you deploy to production is important. And you’ve probably worked with your AppSec person to incorporate static code scanning/container scanning and possibly Software Composition Analysis (SCA) into your pipeline. But you are still missing a critical component – the ability to observe your app when it is running. You need observability for two main reasons:
- See the whole picture
Looking at the code, build artifacts, or images alone won't reveal every insecure behavior. You are likely to miss entire categories of behaviors that only show up when your app is running, such as code execution risks at the system/lib call level, OWASP risks, API risks, etc.
- Decrease alert fatigue
When you watch a running app, you only look at what your app is actually doing, as opposed to looking at everything that is checked into your code repo; this means you receive significantly lower alert volume. For example, using observability in conjunction with SCA tools can help you get a prioritized list of vulnerable dependencies based on what your app actually used. This means less volume with a higher degree of accuracy and no more developer pushback around, “You told me there are 2000 vulnerabilities – which ones do I fix first?!”
How does DeepFactor observe my app?
Ah, so you want to know how the magic works! Here’s the scoop. DeepFactor supports most applications out of the box with just a simple command. You write zero code. And you don’t have to bother with language-specific instructions!
- Traditional/non-container apps:
- Docker apps:
- Kubernetes apps:
What insights does DeepFactor provide me?
How does DeepFactor integrate into my CircleCI pipeline?
- Build: use CircleCI to build the app
- Scan: scan using your SAST/SCA/Container image scanning tools for static visibility
- Test: turn on your automated tests
- Observe: run your app with DeepFactor for runtime visibility
- Deploy: use CD to deploy the app
What does it cost and how do I get started?
DeepFactor is free for 10 or fewer developers!
- Register for the DeepFactor community edition & install the DeepFactor portal
- Use the CircleCI orb integration to add DeepFactor to your pipeline
- Use the DeepFactor API and additional integrations with Jira/Slack/other for triaging and resolving DeepFactor’s findings
We’re excited to see you supercharge your CircleCI pipeline with DeepFactor! You no longer need to choose between shipping fast versus secure releases—DeepFactor empowers you to deliver both with confidence by providing continuous observability for DevSecOps. If you need assistance with your install, our customer success team is happy to help! Contact us here.
*** This is a Security Bloggers Network syndicated blog from DeepFactor's Continuous Observability Blog authored by Kiran Kamity, Founder & CEO. Read the original post at: https://www.deepfactor.io/blog/blog-circleci-partnership-integration