The Build & Deploy Scanner detects how your project is built, packaged, and shipped. It identifies CI/CD systems, containerization, and infrastructure-as-code (IaC) during a normal scan and contributes those signals to your DriftScore. This article is for platform engineers, release owners, and anyone responsible for getting code safely to production.
What it detects
- CI/CD systems — the pipelines that build and deploy your code (for example GitHub Actions, Azure Pipelines, GitLab CI).
- Containerization — Dockerfiles and container configuration that define your runtime image.
- Infrastructure as code — declarative infrastructure definitions that provision and configure your environments.
Findings tell you which delivery technologies are present so you can reason about the full path from commit to production.
Why it matters
Upgrades rarely break in source code alone; they break where source meets infrastructure. A new runtime version interacts with your base image, your pipeline cache, and your IaC. If you upgrade application dependencies without accounting for the build and deploy layer, you discover the gap at deploy time — the most expensive place to find it.
Making the delivery layer visible means upgrade planning includes the pipeline and the image, not just package.json or the equivalent. For executives, it answers how standardized delivery is across the portfolio.
How to act
Scan the project:
vg
Confirm the detected CI/CD system matches reality and is current. Check that container base images are on supported versions and aligned with the runtimes your dependencies require. Review IaC findings to ensure environments are reproducible and version-pinned. When you upgrade a runtime, update the base image and pipeline in the same change set.
To enforce the result in your own pipeline, gate on drift:
vg scan --fail-on error
Triage tips
- Align container base image versions with the runtime your dependencies target.
- Treat an unpinned or outdated CI configuration as drift in its own right.
- Keep IaC and application upgrades in the same pull request so they review together.
Related
See the CI Integration guides for wiring scans into GitHub Actions, Azure DevOps, and GitLab CI. Pair this scanner with the Platform Matrix Scanner to predict build breakage across platforms.