DevSecOps
Integration of security practices throughout the software development lifecycle, automating security controls in the CI/CD pipeline.
seed#devsecops#security#shift-left#automation#ci-cd#compliance
What it is
DevSecOps makes security part of everyday development and delivery work rather than a review gate at the end of a release. "Shift left" means moving each security control to the earliest point in the cycle where it can catch a problem: the editor, the pre-commit hook, and the pull request, where a fix costs minutes rather than a post-release patch and an incident.
Security at each stage
| Stage | Controls |
|---|---|
| Code | SAST, secrets scanning, dependency check |
| Build | Container scanning, SBOM |
| Test | DAST, penetration testing |
| Deploy | Policy as code, admission control |
| Runtime | WAF, anomaly detection, RASP |
Tools
| Category | What it detects | Tools | When to run |
|---|---|---|---|
| SAST | Vulnerability patterns in source code (injection sinks, unsafe APIs, insecure defaults) | Semgrep, SonarQube, CodeQL | On every PR |
| SCA | Known-vulnerable dependencies (advisories against manifests and lockfiles) | Snyk, Dependabot, Trivy | On every PR, plus a scheduled daily rescan: new advisories appear without any code change |
| Secrets | Credentials committed to the repository (keys, tokens, passwords) | Gitleaks, TruffleHog | Pre-commit hook, then again in CI over the full PR range |
| Container | Vulnerable OS packages and application libraries inside the image | Trivy, Grype | On every image build, before the push to the registry |
| DAST | Flaws only visible in a running application (injection, auth and session handling, misconfiguration) | OWASP ZAP, Burp Suite | Against a deployed staging build |
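The Secrets row above calls for a check in the pre-commit hook. The following is an added example, not code from the original page nor from Gitleaks or TruffleHog: a small stand-in that shows what such a hook does, scanning only the added lines of the staged diff, honouring a reviewed suppression marker, and failing the commit with file:line feedback. The patterns, the `secrets:allow` marker and the sample diff are constructed for illustration.

```python
"""Pre-commit secret check over staged changes.

Added example, not from the original page nor from Gitleaks/TruffleHog:
a small stand-in that shows what such a hook does before a commit lands.
The patterns, the allow marker and the sample diff are constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Illustrative patterns only; production scanners ship hundreds plus entropy checks.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "literal" where the name looks like a credential; no leading \b so
    # compound names such as DB_PASSWORD or API_KEY still match
    "secret-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}
ALLOW_MARKER = "secrets:allow"  # reviewed suppression on the same line (assumed convention)


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Check only added (+) lines of a unified diff, so removed lines and
    untouched context never trigger the hook."""
    findings: list[Finding] = []
    path, new_line = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)  # first line number of the hunk in the new file
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith(("diff ", "--- ", "index ", "\\")):
            continue  # file headers and "\ No newline at end of file"
        elif raw.startswith("+"):
            line = raw[1:]
            if ALLOW_MARKER not in line:
                for rule, pat in PATTERNS.items():
                    if pat.search(line):
                        findings.append(Finding(path, new_line, rule, line.strip()))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: the new-file line counter does not move
        else:
            new_line += 1  # context line


    return findings


def redact(snippet: str) -> str:
    """Show enough to locate the line without echoing the whole value into CI logs."""
    return snippet if len(snippet) <= 24 else snippet[:20] + "..."


# Constructed sample diff (not a real repository), as `git diff --cached` prints it.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_000000000000000000000000000000000000"  # secrets:allow (docs placeholder)
 DEBUG = False
"""


def main(argv: list[str]) -> int:
    """Hook entry point: scan the staged diff, or a diff file given as argv[1]."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            diff = fh.read()
    else:
        diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                              text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {redact(f.snippet)}")
    if findings:
        print(f"{len(findings)} potential secret(s); remove them or mark a reviewed "
              f"false positive with '{ALLOW_MARKER}'")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample diff the hook reports the hard-coded password on line 2 and the AWS key id on line 3, skips the allow-marked placeholder, and exits 1 so the commit is refused. The same `scan_diff` can run in CI over the merge-base diff of a PR, which is the second place the Tools table schedules it: hooks are client-side and can be bypassed, so CI is the enforcement point.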
Principles
- Automate everything possible: scanners, policy checks and evidence collection run as pipeline steps; manual effort (threat modeling, penetration testing) is reserved for what tools cannot judge
- Fast feedback: results land in the PR within minutes, and only high-confidence, high-severity findings block; a gate that takes days or fails on noise teaches developers to route around it
- Shared responsibility: developers own fixing findings in their own code, the security team owns the tooling, the policy and triage support
- Compliance as code: required controls, severity thresholds and exceptions live in version-controlled configuration that the pipeline enforces and that auditors can read
Why it matters
A vulnerability found in a pull request costs a developer minutes while the change is still fresh; the same vulnerability found in production costs an incident response and an emergency release. When vulnerability scanning, static analysis and policy checks are pipeline steps with explicit fail criteria, findings reach the person who can fix them at the cheapest point, and every release carries a record of which checks it passed.