Engineering Principles
1. Product quality is a system property
Section titled “1. Product quality is a system property”Quality is not delegated to QA at the end. Developers, reviewers, CI controls, deployment automation, and runtime feedback all contribute. A passing pipeline does not prove correctness, but a missing pipeline reliably creates blind spots.
2. Build once, promote the same artifact
Section titled “2. Build once, promote the same artifact”The same commit should produce one runtime image. That image is scanned once, identified immutably, and published unchanged to the internal registries required by the target platforms. Rebuilding independently for AWS, Azure, and Snowflake creates unprovable differences.
3. Git is the auditable source of intent
Section titled “3. Git is the auditable source of intent”Code, manifests, IaC, pipeline configuration, and standards are reviewed through Git. Manual changes are exceptional, recorded, and reconciled back to Git.
4. Secure by default, least privilege by design
Section titled “4. Secure by default, least privilege by design”Credentials are short-lived where possible. GitHub Actions uses OIDC for cloud access. Workflows request minimum permissions. Images run as non-root. Secrets never belong in source or rendered manifests.
5. Automate repeatable judgement; preserve human judgement
Section titled “5. Automate repeatable judgement; preserve human judgement”Formatting, linting, unit tests, known vulnerability detection, schema validation, and policy rules are automated. Architecture, business logic, risk acceptance, and release readiness still require accountable people.
6. Prefer a small authoritative toolset
Section titled “6. Prefer a small authoritative toolset”Nexa standardizes tools to reduce duplicate findings and maintenance: Trivy for filesystem, IaC, and image scanning; Gitleaks for secrets; Semgrep for SAST; SonarQube for maintainability and quality trends; Syft for SBOM; Cosign for signing.
7. Fast feedback first
Section titled “7. Fast feedback first”Cheap checks run early. Expensive image builds happen only after source quality passes. Integration, E2E, and DAST run after deployment in the appropriate environment. A developer should learn about simple errors before consuming a long runner job.
8. Make the safe path the easy path
Section titled “8. Make the safe path the easy path”Reusable workflows and repository templates encode standards. Teams should configure image names and paths, not recreate security and publishing logic.
9. Design for rollback and diagnosis
Section titled “9. Design for rollback and diagnosis”Every deployment must be traceable to a commit and image digest. Logs and pipeline summaries should answer what changed, what passed, what was deployed, and how to return to the prior version.
10. Evolve deliberately
Section titled “10. Evolve deliberately”Nexa documents both current and target state. We do not pretend ephemeral environments or automated forward-merges already exist; we define the prerequisites and adopt them when the platform can support them reliably.