Orca Security

Securing the main branch

Location

Tel Aviv, Israel

Customer since

Jan 26, 2022

John Basila

Senior Software Engineer

Company

For companies that have all their deployments in the Cloud, Orca Security provides a single SaaS-based cloud security platform for workload and data protection but also cloud security management, vulnerability management, or even compliance management. Orca Security is agentless and frictionless, avoiding interference with production components. The company employs more than 400 people, half of whom are developers.

Challenges

Increase developer velocity

Secure the code

Improve traceability

Orca Security Before Using Mergify

A few years ago, Orca Security moved its mono-repo to GitHub. The move was motivated by the services GitHub offered and, in particular, by its CI tooling. The promise was simple: you develop, open a pull request, run the CI tests, get the pull request approved, and merge it.

But once a pull request was merged, they still had to run a quality gate on the new content in the main branch. Sometimes that gate failed.

While the workflow scaled well enough for a team of 20 people, it became hard to maintain when the team reached 50 and then 100. Working in a mono-repo means every developer pushes changes to one and the same repository, and they knew the chances of breaking it were very high.

The result was broken code caused by conflicts with the main branch, by merging outdated pull requests, and by dependencies between pull requests not being respected.

Once the build broke, they had to find which pull request had broken it and who owned that pull request. Root-cause tracking was difficult and wasted a great deal of time, and it happened several times a day.

This workflow started to annoy the team.

To avoid this, Orca Security tried adding more quality gates on the developers' side. That crippled the developers, and velocity crashed.

Fond of building systems, John started looking at how other companies, such as Facebook and Google, managed their mono-repos. He found that Facebook let pull requests merge first and ran the quality gates afterwards. If those gates failed, they hunted down the single pull request that caused the problem, reverted its code, and notified the author. Not a satisfying model.

Deepening his research, John discovered an open-source project called Bors. The promise was exciting. They tried to use it, but ran into many issues, from missing features such as handling squashed pull requests to the difficulty of integrating Bors with GitHub. They wanted more. In the end, Bors closed pull requests rather than merging them.

Moreover, as an open-source project, Bors does not come with a managed service. They would have had to create and staff a dedicated team to run Bors efficiently, and that is neither their expertise nor their job. It was not a cost-efficient option for Orca Security, since it would have required two full-time engineers to maintain the system.

On good days, we can merge up to 50 PRs a day. And by a day, I mean working hours. Infinitely more than before, because without Mergify we had incredibly high chances of breaking the code with 50 PRs.

John Basila

Senior Software Engineer

Orca Security's workflow with Mergify

Orca Security has two workflows that run to sanitize the code before entry into the main branch, and they both work with Mergify.

The process is lean: create a branch, open a pull request, and get it approved. Once you are satisfied with the pull request, add a merge label. From that point, Mergify takes control: its bot adds the pull request to the merge queue and tests it against the current main branch, and the pull request is merged only if it passes all the tests and checks.

Orca Security could nearly do this with Jenkins alone, but only one pull request at a time. Since their CI run took over an hour, that was not attractive: in the best case, they could merge 24 pull requests a day.

Thanks to Mergify, its merge queue, and its batch feature, Orca Security can now test and merge up to 16 pull requests in one hour as a single batch.

The change in developers' lives is amazing. When the code was broken, maybe half of the company was hunting the problem and looking for a solution. Now Mergify automatically finds the faulty PR and sends it back to the owner. Now the developers just code, create a PR, slap the “Merge” label and then focus on another task. They will be notified if the PR is merged or disembarked.

John Basila

Senior Software Engineer

Increase developer velocity, secure the code, and simplify developers' lives with Mergify.

Orca Security no longer worries when failures at DockerHub or GitHub cause the queue to fill up. They know that once everything is fixed, Mergify will merge all the pull requests and the queue will be empty within a few hours.

On good days, at the end of a sprint for example, Orca Security merges up to 50 pull requests a day, and that during working hours only. According to John, it is "infinitely more than before" because, without Mergify, merging 50 pull requests carried an incredibly high chance of breaking the code.

Another feature that helps them a lot is the event log, a game changer for pull request traceability and for visibility into what is happening. For example, if the queue is stuck, they use the event log to spot the problem and quickly understand what happened.

Orca Security also uses priority management. Most of the time everything flows smoothly, but sometimes a critical pull request has to be handled and merged first. With priority management, Orca Security can put that pull request ahead of everything currently in the queue and focus on it.
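The label-triggered queue, the batching and the priority handling described above map onto a small Mergify configuration. The following `.mergify.yml` is an added illustration, not Orca Security's own configuration: the check name `ci`, the `merge` and `critical` labels and the batch size are assumptions chosen to mirror the workflow in this case study, and key names follow the Mergify documentation, which has changed between versions.

```yaml
# Added illustration of a label-driven merge queue (not Orca Security's file).
# Assumed: a CI status check reported as "ci", and the labels "merge" and
# "critical". Adjust to the repository's real check names and labels.

queue_rules:
  - name: default
    # Before merging, Mergify re-runs CI on the queued pull request merged with
    # the *current* main, so what is tested is exactly what lands on main.
    merge_conditions:
      - check-success=ci
    # Test several queued pull requests together in one speculative merge
    # commit. If the batch fails, Mergify splits it to isolate the faulty
    # pull request and removes it from the queue (the "disembarked" case).
    batch_size: 16
    batch_max_wait_time: 5 min

pull_request_rules:
  # The day-to-day path: an approved pull request enters the queue as soon as
  # a developer adds the "merge" label. Approval is required here so that an
  # unreviewed change can never reach the queue just by being labelled.
  - name: queue approved pull requests labelled merge
    conditions:
      - base=main
      - label=merge
      - -label=critical
      - "#approved-reviews-by>=1"
    actions:
      queue:
        name: default

  # The exception path from the paragraph above: a critical fix carrying an
  # extra label is placed ahead of everything already waiting in the queue.
  - name: critical pull requests jump the queue
    conditions:
      - base=main
      - label=merge
      - label=critical
      - "#approved-reviews-by>=1"
    actions:
      queue:
        name: default
        priority: high
```

The two rules are mutually exclusive (`-label=critical` negates the condition), so a pull request is queued by exactly one of them. Keeping the approval requirement in both rules is what makes the label safe to hand to every developer: the label only decides when a reviewed change is tested and merged, never whether review happens.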

Streamline your CI workflow