Software Development Lifecycle (SDLC)

The OpenBao Operator follows a secure-by-default SDLC, integrating security checks, automated verification, and provenance at every stage.

1. Lifecycle Overview

graph TD
    Plan --> Design
    Design --> Code
    Code --> Secure
    Secure --> Verify
    Verify --> Release
    Release --> Deploy
    Deploy --> Operate
    Operate --> Plan

    classDef phase fill:transparent,stroke:#9333ea,stroke-width:2px;
    class Plan,Design,Code,Secure,Verify,Release,Deploy,Operate phase;

2. Phase Detail

The lifecycle maps directly to our documentation and toolchain.

• Plan & Design

  ---

  Define requirements and architecture.

  • Compatibility Policy
  • Architecture Overview
  • Components

• Code & Implement

  ---

  Write code adhering to strict standards.

  • Coding Standards
  • Dev Setup
  • Project Conventions

• Secure & Verify

  ---

  Automated gates ensure quality and safety.

  • Security Practices
  • CI Pipeline
  • Threat Model

• Release & Deploy

  ---

  Build once, sign, and promote.

  • Release Process
  • Artifact Verification
  • Helm Charts

• Operate & Monitor

  ---

  Run reliably in production.

  • User Guides
  • Security Posture
  • Troubleshooting

3. Secure by Design

Security is not a separate phase; it is injected into every step of the process.

Phase	Tooling	Check
Code	golangci-lint	Static analysis for bugs and style
Deps	dependabot	Automated dependency updates
Verify	govulncheck	Known vulnerability scanning
Build	trivy	Container filesystem scanning
Release	cosign	Keyless signing of images and charts
Publish	gh attestation	Build provenance trails