1. Code push — The developer pushes code to the AWS CodeCommit repository, which triggers an Amazon EventBridge rule that starts the AWS CodePipeline run.

2. Build and containerize — The image is built, with dependencies downloaded through AWS CodeArtifact (artifact repository). Security analysis is recommended at this stage: static code analysis (Amazon CodeGuru Reviewer*) and software composition analysis for known Common Vulnerabilities and Exposures (CVEs). The resulting container image is then pushed to an Amazon Elastic Container Registry (Amazon ECR) repository in the target account that has the "Scan on push" setting enabled.

3. Validate and deploy to Test — This stage calls the Amazon ECR API to retrieve the scan results for the pushed image. If critical CVE findings are reported, the stage fails and an Amazon Simple Notification Service (Amazon SNS) notification is sent; the same event can also be used to open a ticket in an incident management system. If the results pass the defined criteria, the pipeline deploys the image to the Test environment through a cross-account AWS CloudFormation deployment, which avoids the need for cross-account network access to the Amazon Elastic Kubernetes Service (Amazon EKS) cluster endpoint.

4. Test and promote — Run tests against the Test environment (integration, functional, penetration). Dynamic analysis can also be run here to evaluate application performance (Amazon CodeGuru Profiler*) and security. If all tests pass, promote the image by retagging the container image and pushing it to the Production ECR repository. This repository holds only qualified images, so a known-good image is available if you need to roll back.

5. Manual approval (optional) — If manual testing or verification is required on the Test environment, add a manual approval gate before the Production deploy stage.

6. Deploy to Production — D
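The following is an added worked example of the validate gate in step 3 and is not code from the original page or from the architecture's own pipeline. It assumes the gate runs as a CodeBuild or Lambda action with an IAM role permitted to call ecr:DescribeImageScanFindings and sns:Publish, and that the repository name, image tag and SNS topic ARN arrive as environment variables (ECR_REPOSITORY, IMAGE_TAG, SNS_TOPIC_ARN, all names chosen for this example). The decision logic is separated from the AWS calls so it can be exercised offline on constructed scan results, and an incomplete or failed scan is deliberately treated as a failure so that a missing result cannot slip through the gate.

```python
"""Gate a CodePipeline stage on the Amazon ECR scan-on-push result.

Added illustration, not code from the original page. Assumes an IAM role
with ecr:DescribeImageScanFindings and sns:Publish, and the environment
variables ECR_REPOSITORY, IMAGE_TAG and SNS_TOPIC_ARN (names are assumptions).
"""
import os
import sys
from typing import Dict, Iterable, Tuple

# Severities that block deployment. The page names critical CVEs; adding
# "HIGH" here is a local policy choice, not a statement from the page.
DEFAULT_BLOCKING: Tuple[str, ...] = ("CRITICAL",)

# Constructed sample responses in the shape returned by
# ecr.describe_image_scan_findings (only the fields used here).
SAMPLE_CLEAN: Dict = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"MEDIUM": 4, "LOW": 9}},
}
SAMPLE_CRITICAL: Dict = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 3}},
}
SAMPLE_PENDING: Dict = {"imageScanStatus": {"status": "IN_PROGRESS"}}


def evaluate_scan(scan: Dict, blocking: Iterable[str] = DEFAULT_BLOCKING) -> Dict:
    """Decide pass/fail from a DescribeImageScanFindings-shaped response.

    Returns {"pass": bool, "reason": str, "counts": dict}. Anything other
    than a COMPLETE scan fails closed: the caller may retry on IN_PROGRESS,
    but must never promote an image whose scan never finished.
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return {"pass": False, "reason": f"scan status is {status!r}, not COMPLETE", "counts": {}}
    counts = scan.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    blocked = {sev: counts.get(sev, 0) for sev in blocking if counts.get(sev, 0) > 0}
    if blocked:
        summary = ", ".join(f"{n} {sev}" for sev, n in blocked.items())
        return {"pass": False, "reason": f"blocking findings: {summary}", "counts": counts}
    return {"pass": True, "reason": "no blocking findings", "counts": counts}


def fetch_scan(ecr, repository: str, tag: str) -> Dict:
    """Wait for the scan-on-push result and return it (ecr is a boto3 ECR client).

    The image_scan_complete waiter polls until the scan finishes, so the
    gate does not read a stale or empty result right after the push.
    """
    image_id = {"imageTag": tag}
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image_id)
    return ecr.describe_image_scan_findings(repositoryName=repository, imageId=image_id)


def notify(sns, topic_arn: str, repository: str, tag: str, decision: Dict) -> None:
    """Publish the gate decision to the SNS topic the page describes."""
    verdict = "PASSED" if decision["pass"] else "FAILED"
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"ECR scan gate {verdict}: {repository}:{tag}",
        Message=f"{decision['reason']}\nseverity counts: {decision['counts']}",
    )


def main() -> int:
    import boto3  # imported here so the decision logic is testable without boto3

    repository = os.environ["ECR_REPOSITORY"]
    tag = os.environ["IMAGE_TAG"]
    topic_arn = os.environ.get("SNS_TOPIC_ARN")

    ecr = boto3.client("ecr")
    decision = evaluate_scan(fetch_scan(ecr, repository, tag))
    if topic_arn:
        notify(boto3.client("sns"), topic_arn, repository, tag, decision)
    print(f"{repository}:{tag}: {decision['reason']}")
    # A non-zero exit fails the CodeBuild/Lambda action and therefore the stage.
    return 0 if decision["pass"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the sole command of the validate action so its exit status is the stage's verdict. Because the gate only reads severity counts, it is cheap to tighten: pass `blocking=("CRITICAL", "HIGH")` to `evaluate_scan` to block on high-severity CVEs as well, or extend `evaluate_scan` to walk the paginated `findings` list when you need per-CVE exceptions.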