What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 8 min read

Open Source DevOps Stack: A Practice Maturity Checklist for SMEs

The Stack Every Small Team Runs

Successful small and medium engineering teams converge on the same open source DevOps stack:

Git + GitHub/GitLab — Version control and collaboration
Jenkins or GitHub Actions — CI/CD automation
Docker — Container runtime
Kubernetes — Container orchestration (when they scale)
Terraform — Infrastructure as code
Prometheus — Metrics and monitoring
Grafana — Visualization and dashboards

These tools are table stakes. But having them doesn't mean using them well. The difference between a thriving team and one that struggles is not the tool selection—it's practice maturity.

Why Practice Maturity Matters More Than Tools

You can have Prometheus running and never check the dashboards. You can have GitHub branch protection enabled and not enforce it. You can have Terraform infrastructure-as-code and deploy without testing. The tools exist, but the practices don't.

Practice maturity describes the consistency and rigor with which your team uses these tools. A team at Level 2 (ad hoc) might have CI/CD, but builds fail randomly and no one investigates. A team at Level 4 (managed) treats CI failures as critical—they're investigated within minutes and root-caused. Same tool, entirely different outcomes.

The DevOps Practice Maturity Checklist

Use this checklist to measure your team's practice maturity across key DevOps areas. For each practice, Level 2 is "inconsistent," Level 3 is "defined and consistently followed," and Level 4 is "measured and actively improved."

Code & Branching

☐ Main branch is protected; direct commits prevented
☐ All changes require pull request review (100% compliance)
☐ Code review standards are documented (what gets checked?)
☐ Reviews are completed within 24 hours (not blocked)

Testing & Quality

☐ All code changes trigger automated tests
☐ Tests must pass before merge (not optional)
☐ Code coverage is tracked and reported (not just run)
☐ Meaningful test quality is validated (not just coverage %)
☐ Tests catch real bugs (postmortems reference test gaps)

Deployment & Release

☐ Deployments use infrastructure-as-code (Terraform, etc.)
☐ Production deployments require approval (gated process)
☐ Rollback procedure is documented and tested
☐ Deployment logs are captured and reviewed
☐ Canary or staged deployments are used for major changes

Monitoring & Observability

☐ All production services have metric collection (Prometheus, etc.)
☐ Key metrics are visualized on dashboards (Grafana, etc.)
☐ Alerts are configured for critical metrics
☐ Alerts are routed to on-call team and responded to
☐ Logs are aggregated and searchable

Incident Response

☐ On-call rotation is defined and managed
☐ Incident severity levels are defined
☐ Postmortems are documented after incidents
☐ Root causes are analyzed, not just symptoms treated
☐ Action items from postmortems are tracked and closed

Supply Chain & Security

☐ Dependency scanning is automated in CI
☐ Known vulnerabilities block builds or require approval
☐ Container images are scanned for vulnerabilities
☐ SBOMs (Software Bill of Materials) are generated
☐ Secrets are not committed to git (scanning enforced)

From Ad Hoc to Managed: The Maturity Journey

Most small teams start at Level 2 (ad hoc): "We have the tools, but usage is inconsistent. Some people follow the practices, others don't."

Level 3 (Defined) is when practices are documented, enforced, and consistently followed. Code reviews happen on every PR. Tests always run before merge. Deployments always go through approval. Incidents always get postmortems.

Level 4 (Managed) is when you measure the practices. How long are code reviews taking? How often do tests catch bugs? How frequently do deployments fail? What's your average incident recovery time? At Level 4, you have data, and you use it to improve.

Most high-performing small teams operate between Level 3 and Level 4. They enforce the practices, and they measure them. That discipline is why they ship more reliably.

Using Your Checklist

Walk through this checklist with your team. For each practice, ask: "Do we do this? Is it consistent? Do we measure it?"

If you're checking lots of boxes, you're at Level 3+ maturity. If you're at 50-70% compliance, you're Level 2 (ad hoc). If you're below 50%, you have practice gaps that are likely costing you in production incidents and engineering friction.

The good news: these practices don't require expensive tools. They require discipline and consistency. Your free open source stack is perfectly capable. The question is whether your team uses it that way.

Related Guides

Want a comprehensive view of your DevOps practice maturity across all 50 protocols?

Start with a free Foundation Scan →