What is CI/CD?
CI/CD (Continuous Integration / Continuous Delivery) is a methodology that optimizes software development steps based on agile processes and an end-to-end automated pipeline.
What are the benefits of CI/CD for your Drupal project?
1. Reducing risks
Automating these tasks in a CI/CD pipeline makes detecting and correcting bugs early in the development process significantly faster and more efficient. Fixes now happen almost in real time, greatly reducing the risk of releasing buggy code that could impact production deployments.
2. Faster delivery
Automation through CI/CD pipelines accelerates delivery schedules by allowing teams to quickly build, test, and deploy features with a high degree of confidence.
Faster and more efficient delivery times lead to accelerated turnaround and more reliable releases.
3. Improved QA
A continuous integration pipeline gives quality assurance teams better visibility into the development process and allows them to intervene earlier in the development cycle, leading to more stable and higher-quality code. The result is a more stable end product with improved quality assurance.
4. Increased transparency (optional, but may be relevant for some clients)
Adopting CI/CD processes leads to increased transparency and clarity throughout the development lifecycle.
Logs and reports generated at every stage provide a better understanding of the development process.
5. Automated code coverage and code security
An integral part of the automation pipeline is providing code and security coverage for the deliverable. Modern websites and applications consist of multiple layers of code and libraries, which adds complexity, especially when it comes to tracking them. Automated code and security coverage in the CI/CD pipeline gives the development team and clients a clearer view of the security status of the end product and greater transparency in the work required to protect against critical vulnerabilities that could affect production releases.
6. Compliance alignment
Automating security analysis and code coverage enables closer alignment with the compliance standards required by certain industries. These include, among others, the OWASP Top 10 and the latest CVE alerts for popular third-party libraries.

Where do we stand?
2 active pipelines
We have decided to set up and use 2 independent pipelines, matching the types of projects we handle with Drupal:
- A "build" pipeline—forgive the anglicism—for our greenfield development projects (design, development, or overhaul of Drupal / Symfony sites or applications). This pipeline runs tests in environments close to or matching real-life conditions, with very strict control points to keep both the error margin and the security footprint low.
- An audit pipeline for projects we take over, often under maintenance, already in production and developed by other Drupal teams or agencies. The audit pipeline quickly assesses a new project's adherence to Drupal standards, its security, and its level of maintainability.
Jenkins Architecture
The proposed Jenkins architecture consists of the following high-level components:
- Jenkins master / worker nodes: coordinate and execute build tasks.
- Supporting services:
  - Git server;
  - OWASP Dependency-Check (CLI);
  - SonarQube (web service);
  - PHP Deprecation Detector (CLI).
The build pipeline works on a project whose components are ready to be integrated and tested in environments close to or matching real conditions. Controls in the "build" pipeline must be stricter to guarantee fewer errors and a smaller security footprint once deployed in the production environment.
SonarQube
SonarQube generates a report that assesses code reliability (bugs), security (vulnerabilities and security hotspots), and site maintainability (technical debt). SonarQube can be connected to VS Code via the SonarLint extension, and every developer has the SonarLint extension in their IDE/VS Code.
Configuration parameters
Currently, the customizable and/or selectable build settings include:
- Selecting a PHP version to build/audit;
- Selecting a Composer version;
- Options for dependency checks on the source code;
- Use of SonarQube;
- Defining environment properties used by the managed configuration files for the PHPStan and SonarQube services.
Security and quality tests
We use SAST (static application security testing) together with other code and library scanners such as OWASP Dependency-Check, which provide a detailed overview of code weaknesses that could expose a large attack surface in production if not detected early.
As part of the proposed Jenkins CI/CD pipeline, the following tools are used to provide detailed feedback on code quality and security level:
Drupal-specific tools
We use some additional tools to check and estimate major updates of our Drupal platforms:
- The PHPStan extensions needed to detect deprecated code when upgrading from Drupal 8 to Drupal 9, and then to Drupal 10.
- PhpDeprecationDetector: a useful tool that detects a broader range of PHP deprecations when moving from PHP 7 to PHP 8.
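As an added illustration of the configuration parameters and the security and quality checks described above (this is example code, not the agency's own pipeline), here is a declarative Jenkinsfile for the "build" pipeline. It assumes a Docker-capable agent, a team-built image `ci-php:<version>` (hypothetical name) that contains PHP, git, unzip, the Dependency-Check CLI and sonar-scanner, a SonarQube server registered in Jenkins as "SonarQube", and the Warnings Next Generation and OWASP Dependency-Check Jenkins plugins.

```groovy
// Added example, not the agency's pipeline. Assumes the ci-php:<version> image (hypothetical name)
// with PHP, git, unzip, dependency-check.sh and sonar-scanner installed, a SonarQube server named
// 'SonarQube' in Jenkins, and the Warnings NG + OWASP Dependency-Check plugins.
pipeline {
    // Parameters are not yet defined on the very first run of a freshly added Jenkinsfile, hence the default.
    agent { docker { image "ci-php:${params.PHP_VERSION ?: '8.2'}" } }
    parameters {
        choice(name: 'PHP_VERSION', choices: ['8.1', '8.2', '8.3'], description: 'PHP version to build/audit with')
        string(name: 'COMPOSER_VERSION', defaultValue: '2.7.7', description: 'Composer release to pin')
        booleanParam(name: 'RUN_DEPENDENCY_CHECK', defaultValue: true, description: 'OWASP Dependency-Check on composer.lock')
        booleanParam(name: 'RUN_SONARQUBE', defaultValue: true, description: 'Send analysis to SonarQube and enforce its quality gate')
    }
    stages {
        stage('Build') {
            steps {
                // Pin Composer itself: the official installer accepts an exact release, so every run uses the same one.
                sh "curl -sS https://getcomposer.org/installer | php -- --version=${params.COMPOSER_VERSION} --install-dir=/usr/local/bin --filename=composer"
                sh 'composer install --no-interaction --no-progress --prefer-dist'
                // Composer's own advisory feed: fails the build if any package in composer.lock has a known advisory.
                sh 'composer audit --locked'
            }
        }
        stage('Static analysis') {
            steps {
                // PHPStan (phpstan-drupal and deprecation rules are wired in phpstan.neon, not shown here);
                // checkstyle output is read by Warnings NG, whose quality gate fails the build on any error.
                sh 'vendor/bin/phpstan analyse -c phpstan.neon --no-progress --error-format=checkstyle > phpstan.xml || true'
                recordIssues tool: checkStyle(pattern: 'phpstan.xml', id: 'phpstan', name: 'PHPStan'),
                             qualityGates: [[threshold: 1, type: 'TOTAL', unstable: false]]
            }
        }
        stage('Dependency check') {
            when { expression { params.RUN_DEPENDENCY_CHECK } }
            steps {
                // composer.lock analysis is an experimental analyzer in Dependency-Check, hence --enableExperimental.
                // --failOnCVSS 7 turns any High/Critical CVE on a locked library into a failed build.
                sh 'dependency-check.sh --project "$JOB_NAME" --scan composer.lock --enableExperimental --format XML --out . --failOnCVSS 7'
            }
            post { always { dependencyCheckPublisher pattern: 'dependency-check-report.xml' } }
        }
        stage('SonarQube') {
            when { expression { params.RUN_SONARQUBE } }
            steps {
                withSonarQubeEnv('SonarQube') { sh 'sonar-scanner -Dsonar.projectKey="$JOB_BASE_NAME"' }
                // Needs a SonarQube webhook pointing back at Jenkins; abortPipeline fails the build on a red gate.
                timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true }
            }
        }
    }
}
```

The audit pipeline for inherited projects can reuse the same stages with `unstable: true` in the PHPStan quality gate and without `--failOnCVSS`, so that it reports the state of the project rather than blocking on it.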
This architecture and the tools used are not set in stone. We have a reference working group, responsible for improving pipelines and rolling them out to development teams. In practice, they allow us to detect struggling projects that will be difficult to maintain and to alert clients about them. More importantly, they ensure better quality of our deliveries, an optimal security level, and extend the lifespan of our Drupal projects.
To go further – interesting Jenkins plugins:
- OWASP Dependency-Track
- SonarQube Scanner
- Mattermost Notification
- HTML Publisher
- NodeJS
- Warnings Next Generation
- Conditional BuildStep
- Config File Provider
- Environment Injector