The Commonwealth Bank is aiming to help its software engineers get new features into production faster with the help of automated testing, vulnerability scanning, and code quality reviews.
Head of engineering tooling Helen Lau told last month’s GitHub Universe conference the bank is focused on introducing automated checks into the build process this financial year, primarily via GitHub Actions.
GitHub Actions is GitHub’s native CI/CD tool, and is used to create workflows that automatically build, test, publish, release, and deploy code, according to GitHub documentation.
Lau said that building automation into the CI/CD pipeline could help the bank meet security control and regulatory compliance requirements.
“We look at [the] requirements that we need to satisfy. For example, if we need to have a peer review [of the code], can we automate that in our pipeline? Can we do vulnerability scanning and automate that in our pipeline?” she said.
“That’s what we’re looking at in my team this financial year - automating that for our engineers across the bank so they don’t have to think about setting up maybe six or seven steps that are required from a regulatory point of view.
“We actually bake these in as our GitHub Actions mandatory steps. As long as you use [GitHub Actions], it does all that automatically for you.”
Lau noted that GitHub Actions is one of several supported CI/CD tools internally, though the bank had tried to slim down that number in recent times.
She added that the “north star” - ultimate aim - is to create a build environment where engineers “finish cutting the code, they hit commit, pull request approved, [and] in minutes that can go into production because it can [undergo] automated testing, vulnerability scanning, code quality etc."
“We want to leverage AI [and] automation to help our engineers shift their features from first commit to production in minutes.”
Lau said CBA’s engineers are currently measured in part on the time between their first commit to a GitHub repository and when the code is production ready.
“We track basically from your first commit of the code to it making it through from dev/test staging to production, because production is where our actual end user uses that feature,” she said. “So those sorts of timing we try to track.”
They are also measured on “lead time to restore, if an incident happens” that involves a feature they built and have ownership of.
“Those are key things for availability and resiliency of our services to customers,” Lau said.
“[Time to restore] actually has a customer impact, [and can] cause us to have a low NPS [net promoter] score.”
Lau said the bank is also a recent adopter of GitHub Advanced Security, an add-on used to scan for vulnerabilities in code, secrets that have inadvertently been added to repositories, and to map out code-based dependencies.
Lau said she was particularly concerned at the prospect of secrets - sensitive data such as API keys or passwords - finding their way into code.
“What keeps me up at night is secrets that made it to the source code and that made it to production,” she said.
“Those are the things I really look at and ensure that no one does anything silly. If they do, we catch it by the tool and automation, and prompt them to fix it at that moment rather than [when it’s] too late.”
Lau also briefly touched on the bank’s use of GitHub Copilot, a so-called AI pair-programming tool that is marketed as a way to improve developer productivity.
The bank said late last month that it had initially offered Copilot to 100 staff and would soon expand that cohort of users to 1000.
The approach is typical of the way the bank is experimenting with different AI-based tools, starting at a small scale before determining whether to proceed further.
“Sometimes people are saying why are you doing a small use case? Actually, we want to try all the stuff, but the thing is we need to take a pragmatic approach to saying what is the biggest problem, biggest bang for our buck? These are the things we need to test and learn,” Lau said.
“Once we’ve proven the value, then we do a scaled rollout and adoption.”
Lau added that only about one-in-five tools that are experimented with actually wind up being used at any scale.
“We are trying a lot of stuff - but it’s not 10 things we try, 10 things make it to production,” she said.
“Of the 10 things we try, maybe two or three things make it to production, but with those two or three things the yield is probably 10x or 20x of what we do today.”
