An A to Z Guide to Continuous Integration

Jun 25, 2017 By Sarah Vonnegut

The race to improve software quality and innovation has been around since the 1970s. Many processes and workflows have been created to help address the historical issues that prevent teams from developing high-quality applications quickly and reliably, yet enterprises continue their struggle to keep up.



Continuous Integration is a way to help build quality, security, and regulatory compliance into the SDLC. In agile development, Continuous Integration, or CI, asks developers to merge code changes into the central code repository often and consistently. Several times a day, builds are automated and unit tests and integration tests are performed. Because there are typically only small changes in code, each test can pinpoint specific changes that introduced a flaw or vulnerability.


The two main goals of CI are to ensure the high quality and good health of code, continuously, and to ensure a seamless flow between development, testing and deployment. Each organization needs to define for themselves how these goals are to be achieved, yet they provide a strong starting point for all organizations – from Netflix to SMB’s – looking to improve their development process.


There’s a lot involved in CI. To help get everyone up to speed, we’ve put together a dictionary of important terms and tools to understand and know, surrounding CI and more broadly, DevOps.


The ABC’s of CI


A – Agile & Apache Ant


Agile – Continuous Integration processes are  agile, which means they are characterized by short work phases, frequent reassessments, and adaptation of plans. Everything changes in business, and even more so in software development. The ability to facilitate change in development to better accommodate the business model and involved teams is part of what makes an organization agile – a key component in continuous integration. Agility is a key component of DevOps, as well.


Apache Ant – One of the top tools for build automation, a component of Continuous Integration. Ant is made primarily for Java and uses XML to note the build process and its dependencies.


B – Bamboo & Build Automation


Build Automation is the process of automating a build and its surrounding processes, either through a tool like Apache Ant or Maven, or on a dedicated build server. In short, build automation tools turn source code into executable code. The build automates each step of the process, from compiling source code to producing installers, to updating the database after the build is completed. Automating these areas not only speeds up the process, but eliminates many of the issues that arise with a manual build.


Bamboo is a continuous integration server by Atlassian which automates a build and test process once code is committed to the source repository. Test results are immediate, allowing developers to fix issues in near real-time.



C – Continuous Deployment and Continuous Delivery


Closely related to CI is Continuous Delivery, is a practice in which code can be deployed at any moment to production because of rigorous automated testing. The concept is based on the fact that automated builds and testing are so tightly integrated into the build that shipping is possible at any given moment.


Often paired with CI and following closely after Continuous Delivery, Continuous Deployment refers to the practice of shipping each time a version has passed testing.


The main difference between Continuous Delivery and Continuous Deployment is that deploying to production is manual in the former and automated in the latter.


D – DevOps


DevOps is the umbrella term for many of the processes including and surrounding Continuous Integration. DevOps is a cultural change in IT which adopts agile processes, including CI, Continuous Deployment, and Continuous Delivery, automation tools for builds and tests, and cultural changes like a higher rate of collaboration between development, operations, and security teams. DevOps was created to help businesses succeed in the fast-paced development world.


Dive deeper into DevOps here


F – Feedback

A tenant of DevOps and a major benefit of implementing Continuous Integration processes is rapid feedback. Feedback, in the form of build and test results, offer a full picture of the project’s state as often as CI takes place. By fixing issues based on feedback, the overall health of the project at hand is increased, which in turn improves software quality.


G – GIT & GitHub

Git is a version control system which tracks source code changes and updates the repository after CI is triggered.


GitHub is a web-based version of the Git version control system and hosts code online for access control, bug tracking, feature requests and task management. Any standard Git command also work on GitHub.


I – Integration Testing

Following unit testing in CI is integration testing, where code units are combined and tested as a group. Types of integration testing include big bang, bottom-up, top-down, and sandwich testing. Integration testing enables faster feedback on problems involving integrations, which can be fixed upon finding rather than at the end of the SDLC.


J – Jenkins & JIRA

Jenkins, like Bamboo, is a Continuous Integration server to help facilitate automated builds and tests. Written in Java, Jenkins also offers various plugins that allow it to work with other languages.


Read more about Bamboo vs. Jenkins here


JIRA is a bug and issue tracking tool used within the CI workflow to help detect and highlight issues found through automated testing.


M – Maven


Apache Maven is a build automation tool, primarily used for code written in Java but that can also be used on projects written in C#, Scala, Ruby and more. The tool differentiates the build from its dependencies, making detecting where issues arise much easier.


S – Security Testing & SonarQube


When it comes to Continuous Integration, another benefit could be increased security of the code through automated security testing. While unit testing and integration testing are enormously helpful in detecting functional and quality issues within the project, they don’t necessarily detect security issues. Security testing can be integrated into the CI workflow, however, and will similarly pinpoint security vulnerabilities that can be addressed immediately, rather than at the end of the SDLC.


Read more about Continuous Integration Security here.


SonarQube is an open source tool for code quality within a CI environment. The tool supports Java, C, PHP, JavaScript, Python, Swift and more, integrates with continuous integration tools including Bamboo and Jenkins, and build automation tools including Maven and Ant. Testing with SonarQube incorporates duplicated code, unit testing, bugs, code coverage and complexity, and can be used for security vulnerability testing, as well.


T – Test Driven Development

Underpinning CI is the Test-Driven Development (or Test-Driven Design) methodology, driven by building a strong application through meticulous testing. TDD runs on a process of initial testing, coding, and refactoring to solve found issues.


U – Unit Testing


Part of the automated test process involved in CI includes unit testing, which automatically tests the smallest possible code base individually to find issues as early as possible. The concept of unit testing is to isolate a specific area of a project to validate that it was written correctly.


V – Version Control


Version control tools like Git and GitHub log changes to code, configuration files and documentation to enable better management of changes and differing  versions of code. These tools are especially helpful when different teams work on the same project, which can often create confusion if not properly tracked.



The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.