Contents
- Version Control: GitHub and GitLab
- CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI
- Containers: Docker and Podman
- Orchestration: Kubernetes, ECS, Nomad
- Infrastructure as Code: Terraform, Pulumi, CloudFormation
- Observability: Datadog, Grafana, New Relic
- Security in the Pipeline: Snyk, Trivy, SonarQube
- Next step
- Frequently asked questions
- Do we need Kubernetes if we only run 5–10 services?
- Is Jenkins still a valid choice in 2026?
- Terraform or OpenTofu?
- How do we control observability costs?
- Should security scanning block the pipeline?
- How many engineers do we need to run this stack?
Most engineering organizations already use DevOps tooling, but few have a stack that scales without friction. The typical pattern: GitHub for code, Jenkins jobs nobody wants to touch, a Kubernetes cluster managed by two people, and observability split across three vendors. The result is slower releases, higher cloud spend, and a security backlog that grows every quarter.
This guide lays out a recommended DevOps stack for 2026, layer by layer. It is opinionated: we prioritize tools that are production-proven at scale, have healthy commercial and community support, and integrate cleanly with each other. If you are starting from scratch or consolidating a legacy stack, use it as a reference architecture.
For foundational context, see what DevOps is and why it matters before selecting tools. Tool choice without clear practices is how teams end up with expensive dashboards and the same release cadence.
Version Control: GitHub and GitLab
Version control is the entry point of every pipeline, and in 2026 the practical choice is between GitHub and GitLab. Bitbucket still has users, but momentum and integration depth are concentrated on the other two.
GitHub is the default for teams that want the broadest ecosystem: Copilot, Actions, Advanced Security, and the largest pool of engineers already familiar with the platform. GitLab wins when you need a single tool covering SCM, CI/CD, container registry, and security scanning under one license, especially in regulated environments or on-premise deployments.
A simple decision rule:
- Choose GitHub if your team is cloud-native, uses many third-party integrations, and values ecosystem reach.
- Choose GitLab if you want one vendor end-to-end, need self-hosted at scale, or operate under strict compliance constraints.
CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI
For new projects in 2026, GitHub Actions and GitLab CI are the defaults. They live next to your code, scale on managed runners, and eliminate the operational cost of running a build server. Pipelines are defined in YAML, versioned with the repo, and reviewed through pull requests.
Jenkins is still relevant in two scenarios: large legacy estates with hundreds of existing pipelines, and highly customized workflows that benefit from its plugin ecosystem. The tradeoff is operational overhead—someone has to own the controller, agents, and plugin upgrades. If you are migrating off Jenkins, plan a 6–12 month phased rollout, not a big-bang rewrite.
CircleCI remains a strong option for teams that want a fast, SaaS-only CI independent of their SCM vendor, particularly when build performance and caching are critical. For most organizations, however, consolidating CI/CD with the SCM platform reduces the integration surface and simplifies permissions.
Containers: Docker and Podman
Docker is still the reference runtime for local development and the default image format across every major registry. Docker Desktop licensing pushed some teams to alternatives, but the OCI image standard means your build artifacts are portable regardless of the tool that produced them.
Podman is the credible alternative, especially on Linux workstations and in rootless production scenarios. It runs without a daemon, integrates with systemd, and is a drop-in replacement for most docker commands. Red Hat–aligned shops and security-sensitive environments increasingly standardize on Podman.
Practical recommendation: let developers choose between Docker Desktop and Podman locally, but standardize on OCI images and a single registry (GitHub Container Registry, GitLab Registry, ECR, or Artifactory) for everything that ships.
Orchestration: Kubernetes, ECS, Nomad
Orchestration is where tool choice maps directly to operating model and cloud spend. Kubernetes is the default for teams running polyglot workloads across multiple environments, but it is not always the right answer. For a deeper comparison, see Kubernetes vs Serverless: when to choose each.
- Kubernetes (EKS, GKE, AKS): the right choice when you have 20+ services, multiple teams deploying independently, and the engineering capacity to operate it. Expect a platform team of at least 3–5 engineers to run it well.
- Amazon ECS (with Fargate): faster to adopt, lower operational overhead, and a good fit for AWS-only shops with moderate workload complexity. You trade flexibility for simplicity.
- HashiCorp Nomad: useful when you need to orchestrate mixed workloads (containers, VMs, batch jobs) or when Kubernetes is overkill for your footprint.
The honest answer is that most mid-market companies running fewer than 15 services should start with ECS/Fargate or a managed PaaS, and move to Kubernetes only when the workload justifies the platform investment.
Infrastructure as Code: Terraform, Pulumi, CloudFormation
Manual cloud configuration is how audits fail and how teams end up with drift nobody can explain. Infrastructure as Code is non-negotiable in 2026. For a broader view of automating your environment, see infrastructure automation: optimizing your technology environment.
Terraform (and its OpenTofu fork) remains the most common choice for multi-cloud IaC, with the largest provider ecosystem and the most mature community modules. Licensing changes pushed part of the community to OpenTofu; for most teams, either works, but pick one and commit.
Pulumi is the right choice when your engineers prefer real programming languages (TypeScript, Python, Go) over HCL, and when you want tighter integration between application and infrastructure code. CloudFormation is still a reasonable default for AWS-only shops that want first-party support and deep service coverage, though it lags in developer experience.
| Tool | Best fit | Language |
|---|---|---|
| Terraform / OpenTofu | Multi-cloud, broad ecosystem | HCL |
| Pulumi | Developer-centric teams, app+infra parity | TS, Python, Go |
| CloudFormation | AWS-only, first-party alignment | YAML/JSON |
Observability: Datadog, Grafana, New Relic
Observability is where DevOps budgets quietly explode. A realistic 2026 stack covers metrics, logs, traces, and synthetic monitoring—ideally through one correlation layer.
Datadog is the premium option: fast time-to-value, deep integrations, and a single UI for the full signal set. The tradeoff is cost, which scales aggressively with host count and log volume. [VERIFY: Datadog pricing benchmarks for 2026 enterprise deployments].
The Grafana stack (Grafana + Prometheus + Loki + Tempo, or Grafana Cloud) is the strongest open-source-aligned alternative. It gives you control over cost and data retention, at the price of more engineering work to operate. New Relic sits between the two, with a consumption-based pricing model that can be attractive for teams with predictable volume.
Regardless of vendor, enforce three rules: instrument with OpenTelemetry (vendor-neutral), define SLOs per service, and cap log ingestion with sampling. Observability without SLOs is just expensive dashboards.
Security in the Pipeline: Snyk, Trivy, SonarQube
Shift-left security is table stakes in 2026. The goal is to catch vulnerabilities at commit and build time, not in production. A minimum viable pipeline security stack includes:
- SAST (static analysis): SonarQube or GitHub/GitLab native scanners for code quality and security issues.
- SCA (dependencies): Snyk or Dependabot/Renovate for third-party vulnerabilities and license compliance.
- Container scanning: Trivy (open source, fast, broad coverage) or Snyk Container integrated into the build step.
- Secrets scanning: native GitHub/GitLab scanning plus a pre-commit hook like gitleaks.
The most common mistake is treating these as gates that block every release. Instead, define severity thresholds: critical and high vulnerabilities block the pipeline; medium and low generate tickets. Per [VERIFY: IBM Cost of a Data Breach 2025 figure for average breach cost], the economics of catching issues early are clear—but only if developers actually receive actionable findings rather than noise.
Next step
The right DevOps stack is the one your team can operate, not the one with the most logos. If you are consolidating tools, migrating off Jenkins, or building a platform team from scratch, contact us to book a 30-minute diagnostic with our DevOps and Cloud practice.
Frequently asked questions
Do we need Kubernetes if we only run 5–10 services?
Probably not. ECS with Fargate, Cloud Run, or a managed PaaS will deliver faster time-to-value with less operational burden. Move to Kubernetes when workload complexity, multi-cloud requirements, or team size justifies the platform investment.
Is Jenkins still a valid choice in 2026?
For existing large installations with hundreds of pipelines, yes—migration is expensive and rarely urgent. For new projects, GitHub Actions or GitLab CI are the better default due to lower operational cost and tighter SCM integration.
Terraform or OpenTofu?
Both are viable. OpenTofu is the open-source fork after the license change; Terraform has HashiCorp's commercial backing and HCP Terraform. Choose based on your stance on licensing and commercial support; the HCL syntax and most modules are compatible.
How do we control observability costs?
Three levers: standardize on OpenTelemetry to avoid vendor lock-in, sample logs and traces aggressively (especially in non-production), and define SLOs so you only alert on what matters. Reviewing ingestion volume monthly is non-optional.
Should security scanning block the pipeline?
Only for critical and high-severity findings with known exploits. Blocking on every medium or low finding creates alert fatigue and pushes teams to disable scans. Tune thresholds per service based on exposure and data sensitivity.
How many engineers do we need to run this stack?
For a mid-market company with 30–80 engineers, a platform team of 4–6 people covering CI/CD, cloud infrastructure, Kubernetes (if used), and observability is a reasonable baseline. Premium staff augmentation is a faster path than hiring from scratch in tight markets.