Technical documentation

Security problem

Up to date technical documentation might not be the obvious candidate for a security topic, but it is. Good documentation will contain up-to-date diagrams and application designs. Furthermore, it will warn users about potential pitfalls when using product or integrating with it.

Maintaining up to date technical documentation is cumbersome task and not very popular among developers. For this reason documentation is usually either missing or is not updated frequently.

Security control proposal

Having documentation in the same repository as the code, makes it easier for developers to update the documentation files. Moreover, using VCS (version control system) makes tracking changes easier. When content is automatically built and rendered using CI/CD pipelines, it makes publishing and updating documentation easier. Anyone can review, update or propose changes to the repository. And having it written in text based format, such as markdown, makes it easy to browse even in the code editors.

Reference implementation


Hugo is a static site generator. It is used to generate static website from markdown files. You can use themes to customize your documentation. Hence, users would always find a familiar interface, when browsing documentation to your products.

To get started with Hugo see its Quick start guide.

In case your project is hosted on Gitlab, you can use the Gitlab Pages. The pipeline job that deploys contents of your documentation website would look something like this:



  - hugo
  - master

  - hugo
    - public
  - master

Practical implementation


The source code of this website can serve as an example implementation of documentation site being served using Hugo and Gitlab Pages. Website domain is configurable and Gitlab will even handle TLS certificates for you.

Also many products within Pan-net use Hugo for documentation rendering. Usually one of the jobs in .gitlab-ci.yml is dedicated to building the documentation.