DevSecOps

What You Will Learn

  • What DevSecOps is and how it differs from traditional security
  • Where security fits into the CI/CD pipeline
  • The main security tools used in DevSecOps
  • How to shift security left in software development

What Is It?

DevSecOps stands for Development, Security, and Operations. It is the practice of incorporating security into every stage of the software development lifecycle (SDLC) — not just at the end before release.

Traditional security checked software after it was built. DevSecOps moves security earlier (“shift left”) so that vulnerabilities are found and fixed cheaply, before they reach production.

Why It Matters

  • A bug found in development costs $80 to fix
  • The same bug found in production can cost $7,500+
  • DevSecOps makes security automatic, fast, and repeatable
  • Modern organizations ship hundreds of times per day — manual security review does not scale

Key Concepts

The CI/CD Pipeline

Code → Commit → Build → Test → Deploy → Monitor
         ↑          ↑       ↑      ↑         ↑
       SAST        SCA    DAST  Container   Runtime

SAST (Static Application Security Testing)

SAST scans source code without running it. It finds vulnerabilities like SQL injection, XSS, and insecure functions early.

# Semgrep — fast static analysis
semgrep --config "p/owasp-top-ten" ./src/

# Bandit — Python security linter
bandit -r ./myapp/

# Checkov — Infrastructure as Code scanning
checkov -d ./terraform/

SCA (Software Composition Analysis)

SCA checks your third-party dependencies for known CVEs.

# npm audit — check Node.js packages
npm audit

# Safety — check Python packages
safety check

# Trivy — scan container images and filesystem
trivy image myapp:latest
trivy fs ./

DAST (Dynamic Application Security Testing)

DAST tests a running application from the outside, like an attacker would.

# OWASP ZAP — automated web scanner
zap-cli quick-scan --self-contained https://staging.example.com

# Nikto — web server scanner
nikto -h https://staging.example.com

Secrets Scanning

Catch hardcoded API keys and passwords before they reach source control.

# TruffleHog — scan git history for secrets
trufflehog git https://github.com/org/repo

# GitLeaks — fast secrets scanner
gitleaks detect --source .

Container Security

# Scan a Docker image for vulnerabilities
trivy image python:3.11

# Check Dockerfile for issues
hadolint Dockerfile

# Run container with minimal privileges
docker run --read-only --user 1000 --no-new-privileges myapp

Example GitHub Actions Pipeline

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten
          
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          
      - name: Check for secrets
        uses: gitleaks/gitleaks-action@v2

Resources


This site uses Just the Docs, a documentation theme for Jekyll.