Resources Blog Microcosm: Your Gateway to a Secure DevOps Pipeline as Code

Microcosm: Your Gateway to a Secure DevOps Pipeline as Code

Development pipeline: “an automated manifestation of your process for getting software from version control into the hands of your users.”

Seems easy, right? Okay, not really. There are key questions to ask first. Who owns the integrated pipeline? What and how do you measure and monitor in order to assess pipeline health? What are the key qualities and attributes teams should look for? Oh, and there are 180 some odd tools available to fit in your DevOps pipeline.

To build your pipeline, you will need to assemble and integrate many moving parts. Of course, you’ll also want it to work with the first real deployment. After all, you’ve spent a lot of capital convincing your organization this was a worthwhile investment, but they are still nervous and skeptical.

If only there was a way to see and understand a pipeline without the large, initial investment of resources and even more precious time.

Enter Microcosm

A good friend of mine in the DevOps industry, Hasan Yasar (@securelifecycle), brought this topic to life  at a recent conference. Hasan, who works at the Software Engineering Institute (SEI) at Carnegie Mellon, discussed Microcosms during his talk, Secure DevOps Pipeline as Code, D-PaC. Hasan explained that Microcosm was developed at SEI as a miniature, secure DevOps pipeline that is available through infrastructure as code. It is a miniature version of what you would find in a large organization and is designed to help introduce people to development pipelines.

Stepping back a bit, Hasan reminds us that DevOps is about, “breaking down the communication silos to establish effortless efficiency/collaboration between teams because we’re all on the same team, striving for the same goal!” A deployment pipeline helps achieve this goal by integrating security into the deployment process.

To start assessing your development pipeline, Hasan laid out a number of key quality attributes in order to select the right tools.

Key Quality Attributes of a Pipeline








Automate-ability of manual tasks


Approvability - allows for manual approvals




Others based on the project



These attributes will help you seamlessly inject security at multiple points into a development pipeline, illustrated below.

Screen Shot 2018-05-04 at 2.04.15 PM

But, what about Microcosm? Well, it consists of four virtual machines and creates a secure DevOps pipeline via IaC using Vagrant, Chef, and Ansible. Each of these services are integral, but, working together, they are invaluable and create a Continuous Integration and Continuous Deployment platform with Secure DevOps best practices.

The first virtual machine offers:

  • Jenkins CI/CD service
  • OWASP ZAP web application security scanner
  • Selenium web application software-testing framework

The second virtual machine offers:

  • GitLab repository manager

The third virtual machine offers:

  • Media/Wiki service
  • Bugzilla issue tracker
  • Hubot chat bot

The fourth virtual machine:

  • Acts as a staging server for deployed instances of PetClinic Spring web application

All services and the project and open source and you can clone the repository at

What is next?

They plan to offer a microservice version and one with Docker containers/Docker Compose, and continue to update Chef recipes of services used to secure vulnerabilities.

You can watch Hasan’s entire 30-minute talk for free here.

Craving more on knowledge on DevOps?  Binge watch any of the 100 DevOps sessions, free of charge, from All Day DevOps here.

Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.