Tooling Catalog

Use this catalog as a starting point, not a shopping list. Prefer tools that match the client's existing skills, hosting requirements, compliance needs, and budget.

Source and planning

• GitHub, GitLab, Azure DevOps, or Bitbucket for source control.
• Jira, Linear, Azure Boards, or GitHub Issues for delivery tracking.
• Backstage, Port, Cortex, or OpsLevel for service catalog and ownership.

CI/CD and release

• GitHub Actions, GitLab CI, Buildkite, CircleCI, Azure Pipelines, Tekton, or Dagger for build and test automation.
• Argo Rollouts, Flagger, Spinnaker, AWS CodeDeploy, Google Cloud Deploy, or Azure Deployment Environments for controlled rollout.
• LaunchDarkly, Unleash, OpenFeature providers, or Statsig for feature management.
• semantic-release, Release Please, python-semantic-release, towncrier, setuptools-scm, uv, Hatch, PDM, and Poetry for Python package releases.

Infrastructure and GitOps

• Terraform, OpenTofu, Pulumi, Crossplane, or cloud development kits for infrastructure definition.
• Atlantis, Terraform Cloud, Spacelift, Env0, Scalr, GitHub Actions, or GitLab CI for Terraform workflows.
• Flux or Argo CD for Kubernetes GitOps reconciliation.
• Helm, Kustomize, Carvel, or Jsonnet for Kubernetes packaging.

Secrets and identity

• AWS Secrets Manager, Azure Key Vault, Google Secret Manager, HashiCorp Vault, Doppler, Infisical, or 1Password Secrets Automation.
• External Secrets Operator, Secrets Store CSI Driver, SOPS, Age, and Sealed Secrets for Kubernetes delivery.
• Cloud IAM, Okta, Entra ID, Google Workspace, and OIDC federation for human and workload identity.

Observability and reliability

• OpenTelemetry for instrumentation and telemetry routing.
• Prometheus-compatible systems, Datadog, New Relic, Dynatrace, Honeycomb, Grafana Cloud, or cloud-native monitoring.
• PagerDuty, Opsgenie, incident.io, Rootly, or FireHydrant for incident response.

Security and compliance

• Trivy, Grype, Syft, Snyk, Dependabot, Renovate, Semgrep, Gitleaks, TruffleHog, Checkov, tfsec, and Terrascan.
• OPA, Gatekeeper, Kyverno, Conftest, Sentinel, and ValidatingAdmissionPolicy.
• Cosign, Rekor, in-toto, SLSA provenance, and artifact attestations.

Selection rules

• Prefer managed services when the client lacks operational capacity.
• Prefer open standards when future portability matters.
• Do not introduce Kubernetes GitOps unless Kubernetes is actually the runtime platform.
• Do not introduce Vault unless the client can operate it well or consume it as a managed service.
• Avoid tool sprawl; consolidate around a few well-owned workflows.