Thank you to everyone who joined our recent webinar on integrating Rule Security Analyzer with Pega Deployment Manager! The session generated excellent questions from our community, and we wanted to share these insights with everyone. If you haven't watched the webinar yet, you can view the full recording here: Pega Deployment Manager - Rule Security Analyzer Integration

Below are the questions our community asked during the live session, organized by topic to help you quickly find the information you need.

Pipeline Configuration & Deployment Stages

Q: Can the Rule Security Analyzer be added as a step in Dev just after the artifact is generated, rather than in the STG environment?

A: Yes, absolutely! While our demo showed the RSA task in the QA stage for illustration purposes, you can configure it in the Dev stage as well. Adding it earlier in your pipeline, even before artifact generation, can help catch critical vulnerabilities sooner and prevent unnecessary artifact creation when severe security issues are present. This aligns perfectly with shift-left security principles.

Q: Can we view the generated file directly under artifacts on the pipeline run within Deployment Manager, without having to switch to Dev Studio on PDM?

A: The RSA report is stored as a client artifact and is accessible from your client environment. Currently, to download the detailed vulnerability report, you navigate to the route-to-live environment's Artifacts section, select your pipeline, choose the deployment number, and download the report. This ensures you have access to comprehensive security findings with full rule specifications.

Integration with External DevOps Tools

Q: Can we use Rule Security Analyzer in Jenkins or GitHub Actions? Is there an API?

A: Currently, there is no explicit API exposed specifically for Rule Security Analyzer integration. However, you can achieve integration with Jenkins, GitHub Actions, or other orchestration tools by invoking Deployment Manager pipelines through the DevOps-exposed APIs that Deployment Manager provides. Rather than scripting security checks separately in each tool, you can trigger a Deployment Manager pipeline that includes the RSA task, leveraging the out-of-the-box functionality. This approach prevents you from having to rebuild the same automation across different DevOps platforms.

Version Compatibility & Requirements

Q: Is this available on Deployment Manager 5.6 and Deployment Services?

A: The Rule Security Analyzer integration is available with Deployment Manager as-a-Service on Pega Cloud, supporting Pega Infinity 23 and above. You'll need to be on the latest version of Deployment Manager service to access this functionality. It's not available in the 5.6 on-premises version.

Q: In which version of Deployment Manager is the Rule Security Analyzer introduced, and does it support all Pega versions starting from 8?

A: The integration is supported on Pega Infinity 23 and above with Deployment Manager as-a-Service on Pega Cloud only. The key requirements are the latest Deployment Manager service and a route-to-live environment running on Infinity 23+.

Advanced Capabilities & Customization

Q: Can the Rule Security Analyzer be customized? Can additional security checks be added if they are needed?

A: Currently, the integration uses the platform's built-in Rule Security Analyzer expressions and does not support custom expression configuration within Deployment Manager. However, we're interested in understanding specific requirements from the community. If you have particular security checks or custom expressions you'd like to see supported, please share your detailed requirements with us. The platform team continues to improve the expressions supported in Rule Security Analyzer with each Infinity release, and we'll consider how Deployment Manager can better support customization in future enhancements.

Q: Are there any plans to extend the blueprint capabilities in Deployment Manager?

A: We'd love to hear more about what you're looking for! Blueprint-based delivery represents a different development approach, and we're interested in understanding how automated deployment and security testing could add value to blueprint implementations. Please reach out with your specific use cases and requirements so we can explore meaningful ways to support blueprints within Deployment Manager workflows.

Q: Can we build a pipeline just with text-based prompts?

A: This is an intriguing idea! While not available today, we have similar capabilities on our roadmap. Currently, you can programmatically control pipeline orchestration using Deployment Manager APIs, we've seen examples where teams use simple Python scripts to kick off pipelines, pause deployments, and resume them via API calls. This provides text-based automation options, though not quite the natural language interface you might be envisioning. Stay tuned for future enhancements in this area.

Hotfix Deployment

Q: Is there a way to add additional checks to deploy hotfixes?

A: Could you elaborate on what specific checks you're looking for? We'd like to understand your requirements better.

Q: Today we have to request Pega Cloud to have hotfixes deployed. Is there a plan to expand deploying hotfixes using DevOps so the client has more control?

A: Currently, we don't have hotfix deployment automation on our roadmap. The process of coordinating hotfix deployment through Pega Cloud support serves an important purpose, it provides oversight and tracking of which hotfixes are applied across client environments. This helps the support organization maintain awareness of your system configuration, especially for security-related hotfixes, and assists with troubleshooting when issues arise. We recognize that automation would provide more control, but we need to balance that with maintaining proper governance and support visibility. We'll continue to evaluate this based on community feedback.

Additional Resources

For more information about implementing security-first deployment workflows:

• Review the Deployment Manager documentation
• Explore Rule Security Analyzer capabilities in the platform
• Join the Pega as-a-Service Expert Circle for ongoing webinars and expert guidance

Have More Questions?

If you have additional questions about Rule Security Analyzer integration, deployment pipeline configuration, or security testing strategies, please post them here in the community. Our product team and DevOps experts are actively monitoring discussions and ready to help.

You can also reach out to the DevOps Competency Center team for guidance on implementing these capabilities in your specific environment.

Watch the full webinar: Pega Deployment Manager - Rule Security Analyzer Integration