How is version control (like Git) used in your projects?

• Score 1:No version control, files are shared manually or on network drives.
• Score 2:Version control is used, but not consistently for all projects or assets.
• Score 3:All code is in version control, but branching strategies are inconsistent.
• Score 4:A consistent branching strategy (like GitFlow or Trunk-Based) is used across teams.
• Score 5:Branching strategy is fully automated and integrated with CI/CD pipelines and issue tracking.

How does your team manage work and plan sprints?

• Score 1:Work is assigned ad-hoc with little formal planning.
• Score 2:We use a task board (like Trello or a physical board) but without structured sprints.
• Score 3:We follow agile ceremonies (stand-ups, sprints) but story points and velocity are not tracked.
• Score 4:We use Jira/Azure DevOps effectively, tracking velocity and using story points for planning.
• Score 5:Our agile process is data-driven, with automated reporting on cycle time and throughput integrated with our CI/CD pipeline.

How are your applications built and integrated?

• Score 1:Builds are done manually on developer machines.
• Score 2:Builds are scripted but must be run manually by a developer.
• Score 3:Builds are automated on a dedicated server but are run on a schedule (e.g., nightly).
• Score 4:Continuous Integration (CI) is implemented; every code push to any branch triggers an automated build.
• Score 5:CI is mature, with fast, parallelized builds (<10 mins) and automated feedback to developers via chatops.

How is security handled in your development lifecycle?

• Score 1:Security is an afterthought, addressed only after a security incident.
• Score 2:Manual security reviews are performed by a separate team just before release.
• Score 3:Some automated security tools (e.g., dependency scanning) are used, but not integrated into the pipeline.
• Score 4:SAST and dependency scanning are fully integrated into the CI pipeline, blocking vulnerable builds.
• Score 5:A comprehensive DevSecOps approach is in place, including SAST, DAST, IAST, and container scanning at all stages.

How are your application packages (e.g., JAR, Docker image) managed?

• Score 1:Build outputs are stored on local machines or shared drives.
• Score 2:A central file server is used, but with no versioning or metadata.
• Score 3:We use an artifact repository (like Nexus, Artifactory) but management is manual.
• Score 4:The CI pipeline automatically versions and pushes immutable artifacts to a repository.
• Score 5:Artifact management is fully automated, with security scanning, metadata tagging, and promotion between environments.

What is your approach to application packaging and runtime consistency?

• Score 1:Applications are deployed directly on operating systems, leading to "works on my machine" issues.
• Score 2:We use virtualization (VMs) but environments are still inconsistent.
• Score 3:Some applications are containerized (e.g., using Docker) but it is not standard practice.
• Score 4:Most new applications are containerized and run on a container orchestrator (e.g., Kubernetes).
• Score 5:All applications are built as lightweight, secure container images and managed declaratively in Kubernetes.

How do you provision and manage your infrastructure?

• Score 1:Infrastructure is provisioned manually through a cloud console or ticketing system.
• Score 2:We use scripts (e.g., Bash, PowerShell) to automate some repetitive tasks.
• Score 3:Some infrastructure is managed using IaC tools (e.g., Terraform, ARM), but state management is a challenge.
• Score 4:All infrastructure is managed declaratively using IaC, stored in Git, and applied via automated pipelines.
• Score 5:IaC is fully mature, with automated testing, policy-as-code (e.g., Open Policy Agent), and self-service infrastructure for developers.

What is your approach to testing?

• Score 1:Testing is entirely manual and performed only before a major release.
• Score 2:Some automated tests (e.g., unit tests) exist but are run manually by developers.
• Score 3:Automated unit tests are part of the CI process and must pass for a build to succeed.
• Score 4:Automated unit, integration, and acceptance tests are part of the CI process, providing good coverage.
• Score 5:Comprehensive, fast, and reliable automated testing (including performance and security) is integrated at all stages of the pipeline.

How do you monitor your applications and infrastructure in production?

• Score 1:We only react to user complaints or system failures.
• Score 2:Basic server monitoring (CPU, memory) is in place, but we lack application-level insight.
• Score 3:We have implemented centralized logging and basic application performance monitoring (APM).
• Score 4:We have dashboards with key business and operational metrics, with automated alerting on deviations.
• Score 5:We practice full observability with distributed tracing, structured logging, and metrics, enabling us to proactively debug and optimize.

How does your team learn and improve from its processes and production incidents?

• Score 1:There is no formal process for feedback or improvement; we just fix bugs as they come.
• Score 2:We have sprint retrospectives, but they rarely lead to concrete actions.
• Score 3:We conduct blameless post-mortems after incidents, but tracking improvements is manual.
• Score 4:Key DevOps metrics (like DORA metrics) are tracked and reviewed regularly to identify bottlenecks.
• Score 5:A culture of continuous improvement is embedded, with automated feedback loops from monitoring tools directly into our planning process.