Skip to content

Engineering Principles

Quality is not delegated to QA at the end. Developers, reviewers, CI controls, deployment automation, and runtime feedback all contribute. A passing pipeline does not prove correctness, but a missing pipeline reliably creates blind spots.

The same commit should produce one runtime image. That image is scanned once, identified immutably, and published unchanged to the internal registries required by the target platforms. Rebuilding independently for AWS, Azure, and Snowflake creates unprovable differences.

Code, manifests, IaC, pipeline configuration, and standards are reviewed through Git. Manual changes are exceptional, recorded, and reconciled back to Git.

4. Secure by default, least privilege by design

Section titled “4. Secure by default, least privilege by design”

Credentials are short-lived where possible. GitHub Actions uses OIDC for cloud access. Workflows request minimum permissions. Images run as non-root. Secrets never belong in source or rendered manifests.

5. Automate repeatable judgement; preserve human judgement

Section titled “5. Automate repeatable judgement; preserve human judgement”

Formatting, linting, unit tests, known vulnerability detection, schema validation, and policy rules are automated. Architecture, business logic, risk acceptance, and release readiness still require accountable people.

Nexa standardizes tools to reduce duplicate findings and maintenance: Trivy for filesystem, IaC, and image scanning; Gitleaks for secrets; Semgrep for SAST; SonarQube for maintainability and quality trends; Syft for SBOM; Cosign for signing.

Cheap checks run early. Expensive image builds happen only after source quality passes. Integration, E2E, and DAST run after deployment in the appropriate environment. A developer should learn about simple errors before consuming a long runner job.

Reusable workflows and repository templates encode standards. Teams should configure image names and paths, not recreate security and publishing logic.

Every deployment must be traceable to a commit and image digest. Logs and pipeline summaries should answer what changed, what passed, what was deployed, and how to return to the prior version.

Nexa documents both current and target state. We do not pretend ephemeral environments or automated forward-merges already exist; we define the prerequisites and adopt them when the platform can support them reliably.