Coveo Integrates Snyk Into Its
Microservices Deployment Pipeline

Highlights

  • Integrated Snyk directly into the deployment pipeline for 49+ microservices
  • Ensured development speed for hundreds of developers without sacrificing security
  • Safely deployed 1,000+ releases in 3 months using automated CI/CD pipeline
  • Achieved zero downtime across 1,500+ customer deployments
  • Launched new deployment from scratch in just one week using automated pipeline

The Challenge: Scaling DevSecOps across microservices architecture

Coveo, an enterprise software as a service (SaaS) company, is a pioneer in AI-powered search and recommendations. Its cloud-first platform helps companies deliver large-scale personalization to their customers by offering relevant information at every stage along the customer journey. As digital experiences continue to evolve, Coveo has rapidly grown its development teams to meet growing demand.

Coveo’s innovative platform consists of 49+ microservices, each built with a different set of technologies. This diverse tech stack makes implementing company-wide application security challenging. Coveo wanted to not only scale its platform without compromising on security, but continue to increase its development velocity to keep up with customer expectations as well. To achieve this, the company knew it needed to integrate security directly into its continuous integration and continuous delivery (CI/CD) process.

“We have big goals when we think about our deployment process and product,” stated Alex Emery, Cloud Platform Product Manager at Coveo. “The key principles we always keep in mind are scaling to meet demand and increasing the velocity for developers, while minimizing production issues and still ensuring security.”

The Solution: Integrating security into the deployment pipeline

Since Coveo has such a diverse tech stack, its deployments rely on a number of disconnected elements, such as artifacts, infrastructure checks, database revisions, and more. That’s why Coveo built a streamlined deployment pipeline that is adaptable to different microservices—whether they’re built with Java, TypeScript, Go, Python, or another technology—using Jenkins for continuous integration.

“At Coveo, we don’t believe that one tech stack is better than another,” said Jean-Alexandre Beaumont, Security Engineer at Coveo. “So to embrace that idea, we need to be adaptable. We need to let every development team use any stack they want and still use the same deployment pipeline.”

Once new code is merged, Jenkins automatically runs code testing, Snyk security scanning, building, and packaging. Using the Snyk CLI, each package is assigned to a Snyk organization and scanned for open source license compliance and security vulnerabilities. This ensures that issues are detected and remediated as soon as new code is pushed, before any package is deployed to production. In addition, a monitor is started for each package so that Coveo is notified of any new vulnerabilities that Snyk finds in the future.
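The pipeline shape described above (test, gated Snyk scan, build and package, then monitor) as a declarative Jenkinsfile; this is an added illustration, not Coveo’s own pipeline. It assumes a Jenkins secret-text credential with id `snyk-token`, a `SNYK_ORG` build parameter holding the Snyk organization id, and `make test` / `make package` targets in the microservice repository.

```groovy
// Added illustration, not Coveo's pipeline. Assumes a Jenkins secret-text
// credential 'snyk-token' and a SNYK_ORG build parameter (both hypothetical).
pipeline {
    agent any
    parameters {
        string(name: 'SNYK_ORG', defaultValue: 'REPLACE_WITH_ORG_ID',
               description: 'Snyk organization that owns this microservice')
    }
    environment {
        SNYK_TOKEN = credentials('snyk-token')   // read by the Snyk CLI; masked in logs
        PROJECT    = "${env.JOB_NAME}"           // one Snyk project per microservice
    }
    stages {
        stage('Test') {
            steps { sh 'make test' }             // assumed project target
        }
        stage('Snyk scan') {
            steps {
                // Gate: snyk test exits non-zero when it finds vulnerabilities at or
                // above the threshold or license issues, so the build stops here and
                // nothing downstream is packaged or deployed.
                sh '''
                  snyk test --org="${SNYK_ORG}" \
                            --severity-threshold=high \
                            --project-name="${PROJECT}"
                '''
            }
        }
        stage('Build and package') {
            steps { sh 'make package' }          // assumed project target
        }
        stage('Snyk monitor') {
            steps {
                // Snapshot the dependency tree in the Snyk org so the team is
                // alerted about vulnerabilities disclosed after this release ships.
                sh '''
                  snyk monitor --org="${SNYK_ORG}" \
                               --project-name="${PROJECT}"
                '''
            }
        }
    }
}
```

Because the scan stage runs before packaging, a failed `snyk test` leaves no artifact to deploy, which is the property the text describes.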

“There are a lot of moving pieces when you deploy software,” explained Emery. “If you do it all manually, it’s time-consuming, tedious, error-prone, and you won’t want to do it very often. That’s why we knew we had to automate everything, including security, with Snyk.”

Scaling Snyk across the organization

With over 175 engineers working across 26 development teams, implementing Snyk required seamless integration with a variety of technologies and CI/CD pipelines to ensure adoption. By focusing on automation, the new deployment pipeline eliminates manual quality assurance tests, approvals, security scans, and other tasks that significantly slowed down the company’s previous continuous deployment efforts.

In addition, the deployment pipeline abstracts some of the underlying processes, so developers don’t need to understand everything that goes into ensuring secure delivery of their code changes. The convenience of the integrated pipeline, especially with developer-friendly tools like Snyk, reduced the friction for adoption and enabled company-wide DevSecOps.

“The deployment pipeline was built by a small team first, and then made available to all developers later on,” revealed Beaumont. “We didn’t really need to convince any development teams to embrace the new pipeline because of all the advantages from a security and usability standpoint. The transition happened naturally.”

The Impact: Safely deploying over 1,000 releases in 3 months

With its new deployment pipeline, Coveo has been able to accelerate its development efforts while scaling application security across the entire organization using automation. In fact, the company deployed over 1,000 code releases in just three months. Not only is Coveo able to safely deploy new releases more frequently, but it has also had zero downtime across its 1,500+ customer environments. This is DevSecOps at scale.

“A few weeks back, we didn’t have anything running in Australia, and in under a week we were able to deploy our platform from scratch using the automated pipeline,” Emery said. “When you invest the time to automate everything and build a pipeline that works for your product, this is what you can achieve.”