DevSecOps: Automating Security in CI/CD Pipelines in 2025
Shift security left with SAST, DAST, SCA, IaC scanning, and secret detection in every build
DevSecOps embeds security throughout the development lifecycle. This guide covers SAST with Semgrep and Checkmarx, SCA with Snyk and Dependabot, IaC scanning with Checkov, secret detection with gitleaks, DAST with OWASP ZAP, building GitHub Actions security gates, and measuring DevSecOps maturity from Level 1 to Level 5.
DevSecOps: Automating Security in CI/CD Pipelines
What is DevSecOps?
DevSecOps integrates security at every phase: plan, code, build, test, deploy, operate, monitor. Security tools run automatically in CI/CD, giving developers immediate feedback instead of waiting for a pre-release security review. Catch vulnerabilities when they cost $100 to fix, not $100,000 after deployment.
Pipeline Security Stages
Pre-commit (developer machine): gitleaks hooks scan staged changes for secrets, credentials, and API keys before reaching the repository.
Pull Request: SAST (code analysis), SCA (dependency vulnerabilities), IaC scanning (Terraform/K8s misconfigurations), license compliance.
Merge to main: full test suite, container image scanning, integration tests, compliance policy validation.
Deployment: runtime security validation, smoke tests, post-deploy DAST scan of staging.
SAST: Static Application Security Testing
Finds vulnerabilities without executing code: SQL injection, XSS, insecure crypto, hardcoded credentials.
Semgrep: fast, customizable rules, 30+ languages. Run it on every PR with the OWASP Top 10 and secrets rule sets and block on ERROR-level findings. Checkmarx: enterprise-grade, with a low false-positive rate. SonarQube: code quality and security combined. Bandit for Python, ESLint security plugins for JavaScript.
SCA: Software Composition Analysis
80%+ of application code is open source. Snyk: developer-friendly, GitHub-integrated, provides upgrade paths and patches. Dependabot: GitHub-native, auto-creates PRs for vulnerable dependency updates. OWASP Dependency-Check: open-source option. Renovate: automated dependency updates with configurable schedules.
Configure Dependabot for npm, pip, Docker, and GitHub Actions packages with monthly update schedules.
IaC Security Scanning
Checkov scans Terraform files for: missing encryption, overly permissive IAM, public storage buckets, unencrypted databases. tfsec adds Terraform-specific rules. Terrascan checks against security policies. Fail pipeline on HIGH or CRITICAL severity misconfigurations.
Kubernetes manifest scanning: kubesec scores resources and flags issues. Kyverno CLI validates against custom admission policies before cluster deployment.
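A minimal PR-stage gate step, added here as an example (not code from this article or from the Semgrep or Checkov projects): it normalises findings from both scanners onto one severity scale and fails the job on Semgrep ERROR or Checkov HIGH/CRITICAL findings, covering both the SAST gate above and the IaC gate in this section. The JSON field names follow the shape of `semgrep --json` and `checkov -o json` output and are an assumption; the sample reports and rule ids are constructed.

```python
import json

# Both tools' severities map onto one scale so a single threshold drives the gate.
SEMGREP_LEVELS = {"INFO": 1, "WARNING": 2, "ERROR": 3}
CHECKOV_LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
BLOCK_AT = 3  # ERROR (Semgrep) or HIGH/CRITICAL (Checkov) fails the build

# Constructed sample reports, not real scanner output, in the shape of
# `semgrep --json` and `checkov -o json` (field names are an assumption).
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "example.sqli-string-concat", "path": "app/db.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.file-not-closed", "path": "app/io.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING"}}]})
CHECKOV_SAMPLE = json.dumps({"results": {"failed_checks": [
    {"check_id": "CKV_EXAMPLE_1", "file_path": "/main.tf",
     "file_line_range": [3, 9], "severity": None},       # unrated bucket check
    {"check_id": "CKV_EXAMPLE_2", "file_path": "/main.tf",
     "file_line_range": [12, 20], "severity": "LOW"}]}})

def semgrep_findings(report):
    """Normalise a Semgrep report into (rule_id, location, level) tuples."""
    for r in report.get("results", []):
        level = SEMGREP_LEVELS.get(r["extra"]["severity"].upper(), 0)
        yield r["check_id"], f"{r['path']}:{r['start']['line']}", level

def checkov_findings(report):
    """Normalise Checkov failed checks. Checkov emits severity null unless
    platform metadata is present; null is treated as HIGH so an unrated
    misconfiguration fails closed instead of slipping past the gate."""
    for c in report.get("results", {}).get("failed_checks", []):
        level = CHECKOV_LEVELS.get((c.get("severity") or "HIGH").upper(), BLOCK_AT)
        yield c["check_id"], f"{c['file_path']}:{c['file_line_range'][0]}", level

def gate(findings, threshold=BLOCK_AT, allowlist=frozenset()):
    """Return blocking findings (empty list = pass). allowlist holds rule ids
    that were explicitly risk-accepted; record a ticket for each entry."""
    return [f for f in findings if f[2] >= threshold and f[0] not in allowlist]

def run_gate(semgrep_json, checkov_json, allowlist=frozenset()):
    """Evaluate both reports; returns (exit_code, blocking) for the CI step."""
    hits = gate(semgrep_findings(json.loads(semgrep_json)), allowlist=allowlist)
    hits += gate(checkov_findings(json.loads(checkov_json)), allowlist=allowlist)
    return (1 if hits else 0), hits

if __name__ == "__main__":
    code, hits = run_gate(SEMGREP_SAMPLE, CHECKOV_SAMPLE)
    print("\n".join(f"BLOCK {rule} at {where}" for rule, where, _ in hits))
    raise SystemExit(code)  # non-zero exit fails the pipeline job
```

In a workflow, the two scanners write their JSON reports in earlier steps and this script runs last; an allowlist entry should expire with its ticket rather than live in the script forever.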
Secret Scanning
Multiple layers: git-secrets and gitleaks pre-commit hooks scan staged changes for AWS keys, private keys, API tokens, connection strings. GitHub Secret Scanning auto-detects committed secrets and notifies service providers to rotate tokens. TruffleHog deep-scans entire Git history.
If a secret is committed: rotate it immediately (assume it is compromised), remove it from history with git-filter-repo, and audit access logs.
DAST: Dynamic Testing
OWASP ZAP crawls running applications and tests for OWASP Top 10 vulnerabilities. Run ZAP baseline scan (passive) in CI after staging deployment. Full active scan for scheduled weekly testing. Fail pipeline on HIGH severity findings. Burp Suite Enterprise for scheduled scanning with detailed reporting.
DevSecOps Maturity Levels
Level 1: Manual security reviews, quarterly scans, no pipeline integration.
Level 2: SAST and SCA in CI, developers review findings, security approves releases.
Level 3: All tools in pipeline, security gates block deployments, metrics tracked.
Level 4: Risk-based gates, MTTR tracked by severity, threat modeling automated.
Level 5: AI risk scoring, predictive detection, continuous compliance.
KPIs: MTTD (vulnerability discovery time), MTTR by severity, percentage of deployments with all security gates, critical vulnerability trend, developer security training completion.