Agencies starting DevSecOps can access new ATARC code repository

Teams creating a CI/CD pipeline will be able to collaborate using source code management.
code, developer, devops, devsecops, software
(Getty Images)

The nonprofit Advanced Technology Academic Research Center plans to help federal agencies start DevSecOps practices with a source code repository announced Monday.

The GitLab platform agreed to provide the ATARC DevOps Working Group access to its technology so teams can collaborate using source code management.

The working group’s DevSecOps Project Team will create a continuous integration, continuous delivery (CI/CD) software pattern — which leverages automation during development, testing and deployment — that agencies can use as they begin DevSecOps

“The end-state of this code repository will hold one, two or more working code snippets for each
CI/CD DevOps pattern,” said William Schwartz, a senior DevOps engineer with the Internal
Revenue Service, in the announcement. The code examples will enable agencies to “implement their own instance of the standard CI/CD pipeline template,” he said.


Experts say most federal agencies remain in a “waterfall” mindset, where security is tacked onto the end of software development, rather than fully integrated in the process. With that in mind, the National Institute of Standards and Technology wants to develop a DevSecOps framework for government.

Areas within the ATARC repository include:

  • Stages of the CI/CD pipeline development.
  • Managerial processes and theories.
  • Technical tools and applications.

The ATARC Software Factories initiative in April 2019 began preliminary work on the CI/CD pipeline included in the repository.

Tools and apps in the repository will include those used by agencies and industry for software development and delivery.


The DevOps Working Group uses an industry-standard branching strategy called GitFlow that allows the team to maintain a “production-worthy” codebase while providing branches for development, testing and debugging work.

“Agencies are in various stages of maturity in DevSecOps, sometimes even within the same agency itself,” ATARC founder Tom Suder told FedScoop. “Most agencies have at least started the DevSecOps journey with the purchase of stand-alone tools.”
Dave Nyczepir

Written by Dave Nyczepir

Dave Nyczepir is a technology reporter for FedScoop. He was previously the news editor for Route Fifty and, before that, the education reporter for The Desert Sun newspaper in Palm Springs, California. He covered the 2012 campaign cycle as the staff writer for Campaigns & Elections magazine and Maryland’s 2012 legislative session as the politics reporter for Capital News Service at the University of Maryland, College Park, where he earned his master’s of journalism.

Latest Podcasts