Use Cases

Blocking deployments with your IDP

Scorecards help you define standards for production readiness, but did you know you can also prevent services and resources from being deployed if they don’t meet your standards for security, reliability, testing, etc.? You just need an IDP like Cortex and a connection to your favorite CI/CD provider.

By Lauren Craigie - September 14, 2023

Most Cortex customers begin their journey by populating their service and resource Catalogs, creating their first few Scorecards, and setting up any time-sensitive Initiatives. These features help bring visibility and accountability to internally developed software, revealing consistency issues and enabling teams to act quickly to resolve them.

But along with improving existing software, it's equally important to ensure your team is building better from the start. While Scaffolder helps ensure standards are applied to new software, there may also come a time when you'll want the ability to actively block anything that doesn't meet your standards of excellence—without slowing your release velocity or negatively impacting your developers’ flow state.

You can use Cortex + your favorite CI/CD tool to programmatically prevent deployment of software that could put your business at risk (for example, when a P0, or highest-criticality, issue is found). Long term, this is an effective way to further reduce the risk of security breaches, licensing issues, and customer-impacting bugs.

How to block deployments using an IDP

Cortex integrates with your CI/CD tool in order to block deployments. Below are the steps you’ll need to follow to set this up:

  1. Choose data from 50+ integrations, or bring your own

Any rule you set up to block deployments will require data to trigger it. To make this job easier, Cortex provides 50+ integrations that can make data available to your Scorecards. Cortex can ingest data from your favorite tools such as Datadog, Snyk, Jenkins, and Grafana.

If you have in-house tools, or use a tool that Cortex doesn’t yet have an integration for, then you can still connect it to Cortex using our custom data API or a webhook.

  2. Create rules to fail entities that don’t meet your quality bar

Once your data is available in Cortex, you can create rules that determine whether your service, resource, or domain meets your quality standards. Cortex will automatically run these rules whenever new data points come in and mark the entity as failing if one or more rules fail for it.

  3. Send status to your CI/CD

Once you’ve set up rules in Cortex around the health and quality of your services and resources, you can use Cortex to automatically send your scorecard’s disposition to your CI/CD tools. This status can then be used to block deployments that don’t meet your standards for quality, security, compliance, etc.

Use cases

Integrating Cortex and your CI/CD can be a really powerful way to maintain the quality of your product. Cortex’s automated rules give your engineers instant feedback on their changes, based on your quality standards.

Here are a few examples of rules you can set up as part of this integration:

Security

Dependencies allow organizations to move faster by not reinventing the wheel for every part of their system. Unfortunately, they also carry security risks.

You can help mitigate these security risks by blocking deployments that contain known vulnerabilities. For example, Cortex integrates with Snyk, a tool for discovering vulnerabilities in your code and dependencies. Cortex even allows you to block deployments based on the severity of the CVE.

Compliance

While many open source licenses are very permissive, some might be incompatible with your codebase due to their restrictions. Licenses like the GPL and BSL can open your organization to legal challenges if code under these licenses is used improperly.

Cortex can connect to your Git provider (GitHub, GitLab, etc.) to pull in information about the licenses on any code you use. This data can help you build a rule around an allow-list or deny-list of licenses.

Cost mitigation

Hosting is an expensive business, and with pay-as-you-go pricing models it’s important to make your code as efficient as possible. Newer versions of libraries and frameworks often bring code optimizations that translate into reduced costs for your organization.

You can set up rules in Cortex to fail a service for using older, non-optimized versions of dependencies. This can lead to large savings, especially in critical-path services.
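To make the three steps above and the rule types in this section concrete, here is an added example (not Cortex’s own code or API) of the kind of gate a CI step would run: it evaluates a security rule (CVSS severity), a compliance rule (license deny-list) and a cost rule (dependency version floor) over a constructed entity record and turns the disposition into a pass/block exit code. The entity data shape, thresholds, vulnerability ids and version floor are all assumptions made for illustration.

```python
"""Deployment gate: evaluate scorecard-style rules and block on failure.

Added example, not Cortex's own code or API. The entity record shape,
the policy thresholds and the sample data are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy mirroring the article's three rule families.
CVSS_BLOCK_THRESHOLD = 7.0                 # block on High/Critical findings
DENIED_LICENSES = {"GPL-3.0", "BSL-1.1"}   # deny-list; an allow-list works the same way
MIN_VERSIONS = {"requests": (2, 31, 0)}    # assumed floor for one dependency

@dataclass
class Entity:
    name: str
    vulnerabilities: list   # dicts with "id" and "cvss" keys (constructed shape)
    licenses: set           # SPDX-style license ids found in the repo
    dependencies: dict      # dependency name -> version string

def parse_version(version):
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def evaluate(entity):
    """Return (passed, reasons); each failing rule contributes one reason."""
    reasons = []
    for vuln in entity.vulnerabilities:                       # security rule
        if vuln["cvss"] >= CVSS_BLOCK_THRESHOLD:
            reasons.append(f"security: {vuln['id']} has CVSS {vuln['cvss']}")
    for lic in sorted(entity.licenses & DENIED_LICENSES):     # compliance rule
        reasons.append(f"compliance: license {lic} is on the deny-list")
    for dep, floor in MIN_VERSIONS.items():                   # cost rule
        current = entity.dependencies.get(dep)
        if current and parse_version(current) < floor:
            floor_text = ".".join(str(n) for n in floor)
            reasons.append(f"cost: {dep} {current} is below {floor_text}")
    return (not reasons, reasons)

def ci_exit_code(entity):
    """What the CI step returns: 0 lets the deploy proceed, 1 blocks it."""
    passed, reasons = evaluate(entity)
    for reason in reasons:
        print(f"BLOCKED {entity.name}: {reason}")
    return 0 if passed else 1

# Constructed sample entities; the vulnerability ids are placeholders.
SAMPLE_FAILING = Entity("payments-api",
    vulnerabilities=[{"id": "VULN-EXAMPLE-1", "cvss": 9.8},
                     {"id": "VULN-EXAMPLE-2", "cvss": 4.3}],
    licenses={"MIT", "GPL-3.0"}, dependencies={"requests": "2.25.1"})
SAMPLE_PASSING = Entity("catalog-web", [], {"MIT", "Apache-2.0"}, {"requests": "2.31.0"})

if __name__ == "__main__":
    raise SystemExit(ci_exit_code(SAMPLE_FAILING))
```

In a real pipeline the entity record would come from the scorecard status Cortex sends to the CI/CD tool rather than being constructed inline.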

How SolarWinds sets quality and security standards using Cortex

SolarWinds helps more than 300,000 businesses manage, monitor and secure their IT environments. In 2021, they introduced a “Secure by Design” initiative to bolster the provenance and security of their solutions.

To support this initiative, SolarWinds uses Cortex both as a service catalog and to enforce best practices on their codebase. They have created multiple scorecards and are integrating them with CircleCI so that they can block deployments that don’t meet their high bar for quality and security.

SolarWinds’ scorecards include:

  • A security scorecard that measures the quantity and severity (CVSS) of any vulnerabilities found within production services.
  • A maturity scorecard that evaluates gamedays, runbooks, service guides, readiness probes, liveness probes, and proper Kubernetes resource configurations.

You can read more about how SolarWinds has used Cortex to improve their security and reliability in their full case study.
