Jonatan Mata (jonmatum.com)
© 2026 Jonatan Mata. All rights reserved. v2.1.1

DevSecOps

Integration of security practices throughout the software development lifecycle, automating security controls in the CI/CD pipeline.

seed · #devsecops #security #shift-left #automation #ci-cd #compliance

What it is

DevSecOps integrates security into the development process itself, not as a gate at the end. "Shift left" means moving security controls as early in the development cycle as possible, where a finding is cheapest to fix and the developer who introduced it still has the context to fix it.

Security at each stage

Stage    | Controls
Code     | SAST, secrets scanning, dependency check
Build    | Container scanning, SBOM
Test     | DAST, penetration testing
Deploy   | Policy as code, admission control
Runtime  | WAF, anomaly detection, RASP

Tools

Category  | What it detects             | Tools                      | When to run
SAST      | Source code vulnerabilities | Semgrep, SonarQube, CodeQL | On every PR
SCA       | Vulnerable dependencies     | Snyk, Dependabot, Trivy    | On every PR + daily
Secrets   | Credentials in code         | Gitleaks, TruffleHog       | Pre-commit + CI
Container | Image vulnerabilities       | Trivy, Grype               | On image build
DAST      | Runtime vulnerabilities     | OWASP ZAP, Burp Suite      | In staging
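The "Secrets: pre-commit + CI" row is the cheapest control in the table to get wrong, so here is what such a scanner actually does. This is an added example written for this note, not code from the page or from Gitleaks/TruffleHog; it combines the two strategies those tools use, fixed patterns for well-known token formats and a Shannon-entropy check for generic "secret = value" assignments, and honours the same inline `gitleaks:allow` marker Gitleaks does. The diff is constructed; the AWS values in it are AWS's documented example credentials, not real keys.

```python
"""Pre-commit style secrets scanner over a unified diff (added example)."""
import math
import re
import sys

# Known-format credentials. Prefixes are the vendors' published formats
# (AWS access key ids start with AKIA/ASIA, GitHub tokens with gh?_).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic assignment of a secret-looking name to a literal of 16+ token chars.
# The value is then judged by entropy so placeholders like "changeme" pass.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5          # bits per character; tune per codebase
ALLOW_MARKER = "gitleaks:allow"  # inline marker Gitleaks also honours


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for a repeated character)."""
    if not value:
        return 0.0
    n = len(value)
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show only enough of a value to locate it; never echo the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_diff(diff: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list[dict]:
    """Return findings for added lines only; removed lines are not being committed."""
    findings = []
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):            # new-file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):              # hunk header: reset new-file line counter
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):               # removed line or "--- a/..." header
            continue
        new_line += 1                         # context and added lines both advance
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        if ALLOW_MARKER in line:              # reviewed exception, skip
            continue
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"rule": rule, "path": path, "line": new_line,
                                 "match": redact(m.group(0))})
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append({"rule": "high-entropy-secret", "path": path, "line": new_line,
                             "match": redact(m.group(1))})
    return findings


# Constructed staged diff. The AKIA/wJal values are AWS's public documentation
# examples; the ghp_ value is zeros and allowlisted to show the marker.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "changeme-changeme-1"
+TEST_TOKEN = "ghp_000000000000000000000000000000000000"  # gitleaks:allow
"""


def main() -> int:
    """Read a diff from stdin (or use the sample); non-zero exit blocks the commit."""
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['match']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired up as `git diff --cached | python scan_secrets.py` in a pre-commit hook and as `git diff origin/main...HEAD | python scan_secrets.py` in CI, the same script gives the "pre-commit + CI" coverage from the table. On the sample it flags line 11 (format match) and line 12 (entropy 4.7 bits/char) and ignores the low-entropy placeholder on line 13; the entropy gate is what keeps the hook quiet enough that developers leave it enabled, at the cost of missing weak but real passwords, which is why the format patterns are kept as well.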

Principles

  • Automate everything possible (a control that needs a human to run it will be skipped under deadline)
  • Fast feedback (findings reach the developer in the PR, not in a report days later)
  • Shared responsibility (not just the security team)
  • Compliance as code (policies, thresholds, and exceptions live in the repo and are reviewed like code)
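"Fast feedback" and "compliance as code" meet in the step that decides whether a pipeline run is allowed to merge. The following is an added example written for this note, not the page's own code and not any scanner's output format: a gate that takes scanner findings already normalised to a common record, applies a severity policy, and honours time-boxed risk acceptances that expire. The rule ids, paths, package name and dates are constructed; a real job would fill the records from Semgrep, Trivy and Gitleaks output.

```python
"""Policy-as-code merge gate over normalised scanner findings (added example)."""
from dataclasses import dataclass
from datetime import date
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced it
    rule_id: str    # scanner rule or advisory id
    severity: str   # LOW / MEDIUM / HIGH / CRITICAL
    location: str   # file path or package@version
    in_diff: bool   # touches code changed by this PR


@dataclass(frozen=True)
class RiskAcceptance:
    """A documented, time-boxed exception, committed and reviewed like code."""
    rule_id: str
    location: str
    expires: date
    reason: str


# PR gate: block only on findings the PR introduced, so developers are not
# held hostage to pre-existing debt (fast feedback). The scheduled daily scan
# runs the same policy with block_only_new off, so that debt still surfaces.
PR_POLICY = {"block_at_or_above": "HIGH", "warn_at_or_above": "MEDIUM", "block_only_new": True}
DAILY_POLICY = {**PR_POLICY, "block_only_new": False}


def evaluate(findings, policy, acceptances, today):
    """Classify findings as blocking, warning or suppressed under policy."""
    block_rank = SEVERITY_RANK[policy["block_at_or_above"]]
    warn_rank = SEVERITY_RANK[policy["warn_at_or_above"]]
    active = {(a.rule_id, a.location) for a in acceptances if a.expires >= today}
    result = {
        "decision": "pass",
        "blocking": [], "warnings": [], "suppressed": [],
        # Expired acceptances are reported, not silently honoured.
        "expired_acceptances": [f"{a.rule_id}@{a.location}"
                                for a in acceptances if a.expires < today],
    }
    for f in findings:
        if (f.rule_id, f.location) in active:
            result["suppressed"].append(f)
            continue
        # An unknown severity label (scanner schema change) fails closed.
        rank = SEVERITY_RANK.get(f.severity.upper(), block_rank)
        if rank >= block_rank and (f.in_diff or not policy["block_only_new"]):
            result["blocking"].append(f)
        elif rank >= warn_rank:
            result["warnings"].append(f)
    if result["blocking"]:
        result["decision"] = "block"
    elif result["warnings"]:
        result["decision"] = "warn"
    return result


# Constructed sample run: ids, paths, package and dates are all made up.
SAMPLE_TODAY = date(2026, 1, 15)
SAMPLE_FINDINGS = [
    Finding("semgrep", "sqli-string-format", "HIGH", "app/db.py", in_diff=True),
    Finding("trivy", "advisory-placeholder-001", "CRITICAL", "examplelib@1.2.3", in_diff=False),
    Finding("semgrep", "subprocess-shell-true", "MEDIUM", "tools/build.py", in_diff=True),
    Finding("gitleaks", "generic-api-key", "HIGH", "infra/deploy.sh", in_diff=True),
    Finding("semgrep", "missing-request-timeout", "LOW", "app/views.py", in_diff=True),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("subprocess-shell-true", "tools/build.py", date(2026, 3, 1),
                   "build-only script, arguments are constants"),
    RiskAcceptance("generic-api-key", "infra/deploy.sh", date(2025, 12, 31),
                   "rotated test key, removal was scheduled"),
]


def main() -> int:
    """Print the PR decision; a non-zero exit fails the pipeline step."""
    r = evaluate(SAMPLE_FINDINGS, PR_POLICY, SAMPLE_ACCEPTANCES, SAMPLE_TODAY)
    for label in ("blocking", "warnings", "suppressed"):
        for f in r[label]:
            print(f"{label:10} {f.severity:8} {f.tool}:{f.rule_id} {f.location}")
    for e in r["expired_acceptances"]:
        print(f"expired    acceptance for {e}")
    print(f"decision: {r['decision']}")
    return 1 if r["decision"] == "block" else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the sample, the PR run blocks on the new SQL-injection finding and on the leaked key whose acceptance has lapsed, only warns about the critical dependency advisory because the lockfile was not touched in this PR, and suppresses the accepted MEDIUM. The daily run with `DAILY_POLICY` turns that dependency advisory into a blocker, which is the "On every PR + daily" split from the tools table expressed as policy rather than as two different scripts.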

Why it matters

DevSecOps puts security into every phase of the development cycle instead of a final review. When vulnerability scanning, static analysis, and security policies run as part of the pipeline, issues surface on the pull request that introduced them, when they are cheapest to fix and before they reach production.

References

  • OWASP DevSecOps Guideline — OWASP.
  • DevSecOps — Snyk — Snyk, 2024. Practical DevSecOps guide.
  • What is DevSecOps? — Red Hat, 2024. Introduction to DevSecOps.

Related content

  • DevOps

    Culture and set of practices that unify development (Dev) and operations (Ops) to deliver software with greater speed, quality, and reliability. It's not a role — it's a way of working.

  • CI/CD

    Continuous Integration and Continuous Delivery/Deployment — practices that automate code integration, testing, and delivery to production. Foundation of modern software engineering.

  • Supply Chain Security

    Practices for ensuring the integrity and security of all dependencies, tools, and processes comprising the software development pipeline.

  • Vulnerability Scanning

    Automated process of identifying known vulnerabilities in code, dependencies, containers, and infrastructure before they reach production.

  • Secure Coding

    Development practices preventing security vulnerabilities from design, including input validation, error handling, and defense-in-depth principles.

  • Container Security

    Practices and tools for securing containers throughout their lifecycle: image building, runtime, orchestration, and compliance.
