
Evolution at Scale Use Cases

Open masterkhal opened this issue 1 year ago • 2 comments

Purpose

The purpose of this topic is to help members of the Evolution at Scale WG suggest ideas for use cases. Participants can use this issue to put forth ideas and discuss them.

As the number of issues increases, we will likely spawn use cases for which more in-depth discussion is required into their own issue. When this happens, we will link those new issues back to this one.

Use cases

The following is a list of use cases that would benefit from at-scale solutions:

  • Standardization as an enabler for automated evolution - All participants agreed on the need for standardization in order to effectively and efficiently automate evolution. The less standardization there is, the more complex the evolutionary transformations must become. To quote @0xAverageUser - "That which can not be standardised can not be scaled and secured"
  • Upgrading library dependencies: Upgrading library dependencies is an essential activity as part of an overall program to secure the software supply chain. New versions of libraries bring with them patches for security vulnerabilities. As organizations grow and code repositories multiply, it is essential to develop a solution that can allow developers to quickly upgrade library dependencies and that is not linear in effort.
  • Base image upgrades: Similar to upgrading library dependencies, there will be a constant need to update the base images for OCI containers as new versions are released.
  • Platform Migrations: Moving from one platform to another is becoming more and more common. For example, teams may choose to move to/from GitHub and GitLab, Jenkins/CircleCI/GitHub Actions, etc. Doing these migrations should be done as efficiently and effectively as possible without requiring major efforts, and without each evolution becoming a multi-year program in and of itself.
  • CI/CD pipeline changes: There are many reasons why a large number of CI/CD pipelines may need to be updated at the same time, such as the addition and removal of stages, new requirements regarding testing and/or artifact gathering, introduction of new gates into the process, addition of a new deployment target environment, adoption of a new tool as part of the pipeline for various purposes, etc. A concrete example of this is to pin versions of GitHub Actions instead of relying on the latest version by default. As per https://www.infoq.com/news/2025/04/compromised-github-action/, compromising GitHub Actions has become a popular vector to attack software supply chains.
  • Dependency Management - As DevSecOps, how can we come up with guardrails so there is less work required of the E@S automation? How can we evolve our systems now so that it is easier to automatically evolve them in the future? How do you score dependencies to understand your risk? Patch and remediation workload is not evenly distributed. How can we focus on the dependencies or parts of our systems that are at highest risk/impact so that we can focus there first?
  • Evolution away from a Dependency - If an issue is identified, can you automate the move away from it and to another that is sufficient for the use-case?
  • Compliance Model feeding into Automated Evolution - Inspired by CDM 6.0, how can we take the models and the data for things like compliance, controls, interop and feed that into automated evolution?
  • Coding and Design Standards - easily automate conformance to standards, including evolving standards.
  • People Processes Delivery Workflow and Systems/Tools - In this new world the delivery workflow will also likely need to evolve. What new responsibilities are there? Are there a set of responsibilities/practices that are aligned with a role, existing or new? Things to consider include: Discovery, Analysis (of exposure to vulnerabilities/risk, of risky areas of repositories, etc), Shepherding change sets through completion and promotion to prod (at scale across not just many repos but many different segments of an organization with regards to ownership), etc.
  • Morphir - is this something that the community would like to apply in this space?
  • Discuss actual vulnerabilities - Given actual vulnerabilities, supply chain or otherwise (Cursor as an example?), we discuss to understand the situation and how Evolution at Scale may have been able to fit into it. Also, what can we do or have done to ensure our systems are in a state that they can leverage Evolution at Scale (touching on standardization)?
  • Multilanguage - How to secure and keep evergreen solution landscapes that are quite heterogeneous? What guardrails do you use regarding onboarding tools for shift left?
  • Multienvironment - How do we take a look at deployment frameworks/platforms with regards to how it would feed into E@S, and also to avoid least common denominator while availing of the standardization.
  • Agentic Workflows - How will E@S style single tools, services and systems fit into a landscape of orchestrated/choreographed automations to enable higher order evolutionary use-cases. This includes automated workflows that are inclusive of AI agents as well as human agents and deterministic services.
  • Test Cases - Can we leverage an E@S approach for updating test cases, such as making changes to environment set up (e.g. new/repointing end points or services or infrastructure, data preparation, etc.)?
  • Infrastructure as Code - Rolling out new VPC policies, changing cloud providers.
  • Database platforms - Migrating from one database provider to another can involve having to change from one SQL dialect to another. This can be a long and risky process as teams need to update ad-hoc SQL statements, stored procedures and various other DML, DCL and DDL constructs.
  • Documentation generation - A common use case for Agentic AI solutions is to generate documentation for existing code bases. Leveraging Agentic AI solutions could be an interesting use case to raise the level of documentation for a large number of existing code repositories.

masterkhal, Mar 02 '25 14:03
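The GitHub Actions pinning use case in the issue above is the kind of fleet-wide change E@S automation would apply. The following added example (not code from the issue or from the working group) audits a workflow file for `uses:` references that are not pinned to a full commit SHA and rewrites the ones for which a known SHA is supplied; the sample workflow, the SHA map and the 40-hex placeholder SHA are constructed for the demonstration, not real commits.

```python
import re

# Matches a step's `uses:` reference such as `actions/checkout@v4` or
# `owner/repo/sub/action@ref`. Local (`./path`) and `docker://` refs never
# match because they carry no `owner/repo@ref` shape.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)'
    r'(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+).*$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed placeholder; a real pin would use the commit SHA of the release.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow: two mutable refs, one SHA pin, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: npm test
"""

def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA counts as pinned; tags and branches can be moved."""
    return bool(SHA_RE.match(ref))

def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, action, ref) for every `uses:` not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group('ref')):
            findings.append((lineno, m.group('action'), m.group('ref')))
    return findings

def pin_workflow(workflow_text: str, sha_map: dict[str, str]) -> str:
    """Rewrite mutable refs to the SHA in sha_map (keyed 'action@ref'), keeping the
    original ref as a trailing comment so reviewers still see the intended version.
    Refs with no known SHA are left untouched for manual follow-up."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group('ref')):
            sha = sha_map.get(f"{m.group('action')}@{m.group('ref')}")
            if sha and is_pinned(sha):
                line = f"{m.group('indent')}{m.group('action')}@{sha}  # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `find_unpinned` over every `.github/workflows/*.yml` in a repository inventory to get the remediation backlog, then feed the resolved SHAs to `pin_workflow` as the automated change set.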