Problem to solve
Companies need to be confident that they are compliant, and be able to prove it.
- Team leader
- Compliance officer
- External compliance auditor
Several enterprise companies (customers and prospects) have confirmed the need for this "Production change trace and audit dashboard". They have many varied compliance needs.
We prefer auditing to prove compliance rather than focusing on strict blocking of behaviors. To make that work, you need a rich audit dashboard to deliver confidence that processes are being followed (and results are being delivered).
For each change (MR):
- Why did we make this change (link to issue)
- Who made the change (authors of git commits)
- Who did the peer review (comments and approvals)
- Who released it to production (manual approval)
- Did the tests pass, what are the results, and which tests were run?
- Did we run a performance test up front, and what were the results?
- How did this affect the code quality?
- Did all the security scans pass (5 types)?
- Changes to job and deployment config compared to previous change.
- Did we deploy to staging before production?
- Did we test the rollback (can test this in a review app by deploying older version and upgrading)?
- How did this change affect our metrics?
Provide a dashboard that lets compliance officers audit a project's, team's, or organization's development, so that they can know both that what is currently deployed to production is compliant and that each change deployed was compliant.
Further iteration may include alerting on non-compliance (it should never block deployments).
Some of the items in the list above are more of a "trace" or log for change management. They may not strictly be needed for a compliance report, but they are useful and related. Or perhaps they are needed and make a great MVC, while true compliance needs to actually evaluate the content. For example, listing the authors of the git commits is valuable for noticing unusual authors; is there any way to automate that detection?
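As an illustration of what "evaluating the content" of the trace could look like, here is an added example (not part of this proposal and not GitLab's own code) that runs a few of the checks from the list above over one merge request's trace: it flags commit authors that are not established contributors or come from an unexpected email domain, self-approval, a production deployment without a prior staging deployment, and a missing manual production approver. The `MergeRequestTrace` record, the contributor and domain allow-lists, and the two sample traces are constructed assumptions for this example; a real implementation would pull them from the MR, its commits, approvals and deployments.

```python
"""Added example: automated evaluation of a merge-request change trace.

The record format and the sample data below are assumptions made for this
illustration, not a real API or real project data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class MergeRequestTrace:
    """The per-change facts the audit dashboard would collect (assumed shape)."""
    mr_id: int
    issue_link: Optional[str]            # why the change was made
    commit_authors: List[str]            # author emails of the git commits
    approvers: List[str]                 # who gave peer approval
    deployer: Optional[str]              # who manually approved the production deploy
    environments_deployed: List[str]     # in order, e.g. ["review", "staging", "production"]


# Assumed allow-lists; in practice derived from project members and commit history.
KNOWN_CONTRIBUTORS: Set[str] = {"alice@example.com", "bob@example.com", "carol@example.com"}
ALLOWED_EMAIL_DOMAINS: Set[str] = {"example.com"}


def unusual_authors(trace: MergeRequestTrace,
                    known_contributors: Set[str],
                    allowed_domains: Set[str]) -> List[str]:
    """Return commit authors that are not known contributors or whose email
    domain is outside the allowed set. This is the "unusual author" detection
    asked about above, reduced to two simple signals."""
    flagged = []
    for author in trace.commit_authors:
        domain = author.rsplit("@", 1)[-1].lower() if "@" in author else ""
        if author not in known_contributors or domain not in allowed_domains:
            flagged.append(author)
    return flagged


def audit_merge_request(trace: MergeRequestTrace,
                        known_contributors: Set[str],
                        allowed_domains: Set[str]) -> List[Tuple[str, str]]:
    """Evaluate one change trace and return (finding_code, detail) pairs.
    An empty list means every check passed; findings are reported, not blocked."""
    findings: List[Tuple[str, str]] = []

    if not trace.issue_link:
        findings.append(("NO_ISSUE_LINK", "no linked issue explaining why the change was made"))

    odd = unusual_authors(trace, known_contributors, allowed_domains)
    if odd:
        findings.append(("UNUSUAL_AUTHOR", "unexpected commit author(s): " + ", ".join(odd)))

    # Separation of duties: an author must not be the only peer reviewer of their own work.
    self_approved = sorted(set(trace.commit_authors) & set(trace.approvers))
    if self_approved:
        findings.append(("SELF_APPROVAL", "approved by own author(s): " + ", ".join(self_approved)))
    if not trace.approvers:
        findings.append(("NO_PEER_APPROVAL", "no peer approval recorded"))

    if "production" in trace.environments_deployed:
        before_prod = trace.environments_deployed[: trace.environments_deployed.index("production")]
        if "staging" not in before_prod:
            findings.append(("NO_STAGING_BEFORE_PROD",
                             "deployed to production without a prior staging deployment"))
        if trace.deployer is None:
            findings.append(("NO_PRODUCTION_APPROVER",
                             "production deployment has no recorded manual approver"))
    return findings


# Constructed sample traces: one that follows the process and one that does not.
COMPLIANT = MergeRequestTrace(
    mr_id=101,
    issue_link="https://gitlab.example.com/group/project/-/issues/42",
    commit_authors=["alice@example.com"],
    approvers=["bob@example.com"],
    deployer="carol@example.com",
    environments_deployed=["review", "staging", "production"],
)

SUSPICIOUS = MergeRequestTrace(
    mr_id=102,
    issue_link=None,
    commit_authors=["alice@example.com", "mallory@contractor-mail.test"],
    approvers=["alice@example.com"],
    deployer=None,
    environments_deployed=["review", "production"],
)


if __name__ == "__main__":
    for trace in (COMPLIANT, SUSPICIOUS):
        result = audit_merge_request(trace, KNOWN_CONTRIBUTORS, ALLOWED_EMAIL_DOMAINS)
        print(f"MR !{trace.mr_id}: {'compliant' if not result else 'findings'}")
        for code, detail in result:
            print(f"  {code}: {detail}")
```

The checks only consume the trace the dashboard already collects, so the same function can be run retroactively over every change that reached production to answer "is what is deployed compliant" as well as per change. The author signals (unknown contributor, unexpected domain) are deliberately simple; a later iteration could add history-based signals such as a first commit to a given project or commits outside an author's usual working hours, and feed the findings into the non-blocking alerting mentioned above.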