How to Create Audit-Ready Pipelines with Built-In Audit Reports

Written by: Tim Johnson
4 min read

DevOps is all about removing friction from the software development process. A common source of friction is the time, effort and resources necessary to conduct regular or on-demand audits. Risk management, release management or security operations are often tasked with producing audit reports yet don’t always have direct access to the tools or the data. Conducting an audit requires pulling people off current projects, finding the data, proving its integrity, then proving the integrity of the process.  One prospect told us that their entire DevOps tools team (six people) is taken offline twice a year - for a month at a time - just to produce audit reports. Any new release pipeline work, tuning, bug fixing, etc. came to a halt while they conducted their audits. 


It’s no wonder that the two most common business needs we hear from customers and prospects are:

  • Automated audit and traceability reporting

  • More time to spend driving value, rather than troubleshooting and auditing

CloudBees CD + Built-in Audit Reports

The good news is, with the release of CloudBees CD 2020.10, we are making audits a non-event by including three new built-in audit reports: Evidence Audit, Time Duration and Approvals Audit. Combine these new reports with CloudBees CD’s capability to automate and orchestrate software releases with native integration to CloudBees CI, and you get what we call audit-ready pipelines. The pipeline run itself becomes the audit trail.

See the new reports in action:

Now, all users has to do to produce an audit is select the report they want and click a button. Email it to the risk management team or the regulator and it’s done.

No more hunting for data. No time wasted slogging through logs. No need to take developers away from innovation to reproduce a build from months ago. No more heroic efforts by development or operations when an audit demand shows up from a regulatory agency.

Now, let's take a closer look at these new reports.

[Looking for more information? Watch this session from DevOps World 2020 on Audit-Ready Pipelines]

Evidence Audit Report

The evidence audit report collates all evidence that is being collected throughout the release pipeline run. This evidence is customized, with data from external tools, links to reports such as JIRA issues, SonarQube Scan results, ServiceNow tickets, etc., and pulls together all of these items into one report. This makes it easy to quickly see all of the inputs and outputs to the entire release process -- including detailed data from Jenkins builds that are associated with the release, like build outputs, code commits, test results and build artifacts.

Time duration reports identify delays in a given release, with task-level breakdowns of time, as well as durations for builds. Manual tasks are called out to zero in on delays caused by manual intervention.

Approvals Audit Report

For a given release, for compliance review reasons, visibility into who has interacted with the release in process and where is a key governance criteria. Essentially, regulators want to know who did what, when, whether they did that to the agreed standard and what data or notes did they use when they did it. The approvals audit captures every manual interaction with the release, through manual approvals or manual tasks - who made the approval, when and any approval comments they added. This includes who triggered any builds that are associated with the release.

Beyond Audit Nirvana

The value of these reports goes well beyond GRC requirements. They can be valuable tools for optimizing your operations.  The duration report and the approvals report provide a clear picture of where waste is present in the system. The change advisorary board (CAB) has the data and visibility to justify streamlining the process or eliminating those manuals steps. The possibilities are endless.

To learn more about how CloudBees CD can make your audits friction-free, visit

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.