Cloud computing has made life easier for IT teams around the world. No more buying and maintaining servers—just use what you need, when you need it. But the dizzying number of cloud services you now need to configure and maintain is complicated. HashiCorp offers automation tools that help to make cloud computing as easy as it was always meant to be.
Whether it’s deploying applications with HashiCorp Nomad, automating network configurations with HashiCorp Consul, managing secrets with HashiCorp Vault, or provisioning entire stacks of infrastructure with HashiCorp Terraform, HashiCorp is in the business of simplifying workflows for tech teams. That philosophy extends to its own staff as well. “We like to empower our employees to use the best tools to get their jobs done,” HashiCorp director of engineering services Matt McQuillan says.
HashiCorp was born on GitHub. Co-founder and CTO Mitchell Hashimoto pushed his first commit for the company’s first open source product, Vagrant, a tool for creating and sharing development environments, to GitHub in 2010.
“We’re a developer-first organization and we live and breathe GitHub,” says HashiCorp chief security officer Talha Tariq. “But it’s not just a developer platform for us. We have 12 organizations and at least 2,000 repositories that include code, documentation, and even security workflows like policies and automated tests.” GitHub is so deeply ingrained in HashiCorp’s culture that it’s even part of the sales team’s workflow. For example, sales engineers might create custom repositories for prospective customers to demonstrate how different products could integrate into their environment.
HashiCorp’s strong roots in open source are a big part of why GitHub is so central to the company. All of its core products have open source versions available on GitHub. McQuillan says that open sourcing its products is great for transparency. “It’s a big factor on the trust level for tools like Vault and Terraform,” he says.
Open source also helps get developers familiar with their products, which makes it easier for HashiCorp to hire. Many practitioners use HashiCorp’s products in their free time for personal open source work, which makes the company an attractive place to work. Some developers from outside the company even contribute back to HashiCorp’s open source projects. “If we see someone that contributes quite a bit, we’ll reach out to them,” McQuillan says. “We put out a job offer to a top outside contributor to Vault when it first came out. That sort of thing was pretty common.”
HashiCorp’s GitHub-centric workflow also makes onboarding new hires a breeze. “At a typical company, the big question when you start out as an engineer is ‘how do I actually work?’” McQuillan says. “But many of our new employees are already familiar with the GitHub workflow. It’s easy to hire someone off the street and say ‘start using this. Plug in your existing login and we’re good to go.’”
HashiCorp and GitHub have evolved together over the years. HashiCorp partnered with GitHub for the launch of GitHub Actions, debuting a Terraform Action. HashiCorp now uses Actions internally for a variety of tasks, such as pushing builds to the company website or to repository managers like Artifactory, running new continuous integration tasks, and automating a variety of security tests.
“We do things like scan binaries for integrity, run code scanning and compliance checks, ensure policy enforcement, check to make sure labeling and tagging has been done,” Tariq says. “GitHub Actions makes security testing quick and easy. We set up a batch of tests in real time that would otherwise have been a six- to nine-month project for us. These help us build security capabilities in many stages of the software delivery lifecycle.”
HashiCorp also relies on automated security tools like dependency management with Dependabot, as well as GitHub Advanced Security for Secret Scanning. “We don’t always automatically merge all of the pull requests that Dependabot generates—we choose to manually review more complex cases to understand the impact on releases,” Tariq says. “But GitHub is sitting on the knowledge base of whether open source dependencies have vulnerabilities, so it only makes sense to use it, and the workflow is incredibly simple.” He praised CodeQL for its improvements over traditional static analysis and its low rate of false positives.
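The kind of pipeline Tariq describes (code scanning, binary integrity checks, and a labeling check, all run as GitHub Actions) can be sketched as a single workflow file. The following is an added example, not HashiCorp’s own workflow; it assumes a Go codebase whose `make build` target writes binaries and a `SHA256SUMS` file into `dist/`, and it uses the public `actions/checkout` and `github/codeql-action` actions.

```yaml
# .github/workflows/security-checks.yml
# Hypothetical workflow (added example, not HashiCorp's own): runs CodeQL code
# scanning, verifies built binaries against a recorded checksum file, and fails
# pull requests that carry none of the expected change-type labels.
name: security-checks

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required for CodeQL to upload its results

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go      # assumption: the repository is a Go codebase
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  binary-integrity:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build release artifacts
        run: make build      # assumption: produces dist/<binaries> and dist/SHA256SUMS
      - name: Verify every artifact matches its recorded checksum
        run: |
          cd dist
          # Fails if any listed file is missing or its hash differs.
          sha256sum --check --strict SHA256SUMS
          # Also fail if an artifact exists that the checksum file does not cover,
          # so an unexpected binary cannot slip through unverified.
          for f in *; do
            [ "$f" = SHA256SUMS ] && continue
            grep -q " $f\$" SHA256SUMS || { echo "unlisted artifact: $f"; exit 1; }
          done

  labeling:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Require a change-type label on the pull request
        env:
          LABELS: ${{ join(github.event.pull_request.labels.*.name, ' ') }}
        run: |
          for l in $LABELS; do
            case "$l" in security|bug|feature|docs) exit 0 ;; esac
          done
          echo "pull request needs one of: security, bug, feature, docs"
          exit 1
```

The integrity job checks in both directions: `sha256sum --check` catches a listed binary whose hash changed, and the loop catches a binary that was never listed, which a one-sided check would silently accept. The label names in the last job are placeholders; a real repository would substitute its own taxonomy.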
Tariq says having the security tools in the same place as the code makes life much simpler for HashiCorp’s security team. “If you run detection, analysis, and remediation outside GitHub and you find an issue in a codebase, you have the added complexity of answering questions like: Who checked in the code? Who’s the owner of the codebase? Which team owns it? When was the last commit?” Tariq explains. “We know all of that if we do the work inside GitHub. It reduces so much other process complexity that you have to do if you are doing this within another third party tool.”
HashiCorp’s developers also run internal “Capture the Flag” exercises on GitHub to root out vulnerabilities. These involve splitting developers into different teams, each with the goal of patching vulnerabilities in a codebase it has been assigned while working to exploit vulnerabilities in other teams’ codebases before those teams exploit its own.
These exercises are fun, and they’re also practical. “Because these people know their own products, they’re good at figuring out how to break them,” Tariq says. “And once they realize that they can break them, they realize that hackers can break them in a customer’s environment. So the next thing they do is go and fix those vulnerabilities.”
HashiCorp uses GitHub for nearly everything it does, from sales to security. “It’s part of our DNA,” McQuillan says.