DevSec Core

Master DevSecOps & secure delivery pipelines

Pipeline-first guides for developers, platform engineers, and security architects—why each CI/CD stage exists, what breaks without it, what attackers exploit, and how world-class teams ship software with security built in, not bolted on.

Browse all sections ↓ Why DevSecOps? Start with CI pipelines

What is DevSecOps? Dev + Sec + Ops, not DevOps + security team at the end

DevOps collapsed the wall between development and operations—automated builds, continuous integration, infrastructure as code. But security often stayed a separate gate at release time: scan in staging, block the deploy, developers bypass checks under deadline pressure, and vulnerabilities ship anyway.

The bolted-on security trap: security as last gate → release blocked → rushed hotfix → insecure workaround merged → audit finding six months later. The pipeline becomes adversarial instead of collaborative.

DevSecOps integrates security into every stage of the delivery lifecycle—IDE, commit, PR, build, test, deploy, operate. Think of a factory assembly line: catching a defective part at the loading dock costs pennies; shipping it to the customer costs millions. Shift-left moves security checks earlier where fixes are cheaper and feedback is faster.

Shift-left: security at every stage

Each leftward move catches defects earlier, cheaper, and with less context switching. Security gates at release alone cannot compensate for missing unit tests, unscanned dependencies, or hardcoded secrets in git history.

⚖️ Trade-off

Shift-left adds pipeline time upfront. The alternative—shift-right-only security—is cheaper per build but exponentially more expensive per incident. Elite teams treat pipeline minutes as insurance premiums, not tax.

🔒 Security

Attackers target the weakest link in the chain: leaked CI tokens, dependency confusion, unsigned container images, or Terraform state with plaintext secrets. DevSecOps closes each link systematically.

DevSecOps lifecycle

The infinite loop from planning to monitoring—with security integrated at every stage, not just Release. Orange stages highlight primary security touchpoints.

Plan Code Build Test Release Deploy Operate Monitor

↺ feedback to Plan — threat intel, incident learnings, dependency CVEs

Trigger

Lint & SAST

Build

Test

Scan & SBOM

Publish

Deploy

flowchart LR
  P[Plan] --> C[Code]
  C --> B[Build]
  B --> T[Test]
  T --> R[Release]
  R --> D[Deploy]
  D --> O[Operate]
  O --> M[Monitor]
  M --> P
  subgraph sec["Security integrated"]
    C
    T
    R
  end
📦 Real World

Google runs thousands of builds per day with hermetic, reproducible builds and signed provenance. Netflix uses Spinnaker with automated canaries and security gates tied to observability metrics. Financial institutions add CAB approval and segregation of duties—same lifecycle, stricter gates at Release.

DORA metrics DORA 2023

The four pillars of software delivery performance—how fast you ship, how reliably, and how quickly you recover. DevSecOps improves all four when security gates are automated, not manual bottlenecks.

Interactive DORA tier calculator

Elite

All four metrics at elite tier—world-class delivery performance with room to optimize security gate latency.

🎯 Interview Tip

When asked how DevSecOps affects DORA metrics: automated security gates reduce lead time vs manual review, lower change failure rate via shift-left catches, and fast rollback pipelines improve MTTR. Trade blocking gates vs warning gates explicitly.

DevSecOps ecosystem map

From git push to production observability—the toolchain layers every mature delivery pipeline composes. Purple = CI/CD core; orange = security & governance.

Source control

  • GitHub / GitLab — PR workflows, branch protection, CODEOWNERS
  • Bitbucket — Atlassian stack integration

CI platforms

  • GitHub Actions — native to GitHub, reusable workflows
  • GitLab CI — integrated registry, review apps
  • Jenkins / Tekton — enterprise & K8s-native runners

Build tools

  • Maven / Gradle / npm — language builds
  • Docker / Buildah — OCI image builds

Security scanning

  • Trivy / Snyk / Semgrep — SCA, container, SAST
  • SonarQube / CodeQL — code quality + security
  • Checkov / tfsec — IaC misconfiguration

Artifact registry

  • ECR / Harbor / Nexus — immutable artifacts
  • Artifactory / CodeArtifact — universal repos

IaC & GitOps

  • Terraform / Pulumi — infrastructure provisioning
  • ArgoCD / Flux — declarative deploy sync

Policy & secrets

  • OPA / Kyverno / Gatekeeper — policy as code
  • Vault / SSM / Sealed Secrets — secret lifecycle

Observability

  • Prometheus / Grafana / Datadog — metrics & APM
  • PagerDuty — incident response integration
💡 Pro Tip

Start with one CI platform, one scanner per category (SAST, SCA, container), and OIDC to cloud—no long-lived keys. Add policy engines after baseline scans are green.

Supply chain security SLSA v1.0 Sigstore

SolarWinds (2020), Log4Shell (2021), xz-utils (2024)—attackers target the pipeline itself. SBOM, provenance, and signing are the tamper-evident seals of modern delivery.

SLSA levels — click to explore requirements:

L1 Provenance generated
L2 Hosted build + signed provenance
L3 Hardened platform + non-falsifiable
L4 Two-person review + hermetic builds

Level 2 — Most teams target here: GitHub Actions OIDC → Sigstore keyless signing → cosign verify in admission controller. Provenance answers: who built this, from which commit, on which platform.

Click a stage to see attack vectors and mitigations:

Source git, deps Build CI runner Artifact image, jar Registry ECR, Harbor Deploy K8s, VM
Select a stage above. Source: typosquatting, malicious commits — mitigate with branch protection, signed commits, dependency pinning.
⚠️ Pitfall

Generating an SBOM but never scanning it, or signing images without verifying at deploy time, gives compliance theater—not supply chain security. Policy must enforce verify steps in the cluster admission path.

DevSecOps timeline

From Agile Infrastructure to supply chain executive orders—the path to security-as-code.

  1. 2009

    DevOps born

    Agile Infrastructure conference—development and operations collaboration, automated delivery foundations.

  2. 2012

    Continuous Delivery book

    Jez Humble & David Farley codify deployment pipelines, build once promote everywhere, fast feedback loops.

  3. 2014

    DevSecOps coined

    Security practitioners argue security must be embedded in DevOps workflows—not a separate silo at release.

  4. 2017

    GDPR & compliance pressure

    Regulatory mandates accelerate audit trails, access controls, and automated compliance evidence in pipelines.

  5. 2020

    SolarWinds supply chain attack

    Nation-state compromise of build pipeline—18,000 organizations affected. Supply chain security becomes C-level priority.

  6. 2021

    Log4Shell · SBOM executive order

    US EO 14028 mandates SBOM for federal software. Log4j CVE shows dependency visibility crisis at global scale.

  7. 2022

    SLSA v1.0 · Sigstore GA

    Google's SLSA framework matures. Sigstore provides free keyless signing infrastructure for open source and enterprises.

  8. 2023

    SLSA v1.0 formal release

    CNCF adopts SLSA. GitHub native build provenance reaches millions of repositories.

  9. 2024

    xz-utils supply chain attack

    Malicious maintainer backdoor in ubiquitous compression library—renewed urgency for maintainer trust and SBOM monitoring.

Pipeline-first: dual-platform YAML

Every chapter shows GitHub Actions and GitLab CI side-by-side. Toggle persists across the guide via localStorage.

Platform
.github/workflows/ci.yml 
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  build-test-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Unit tests
        run: npm ci && npm test
      - name: SAST
        run: semgrep scan --config=auto --sarif > semgrep.sarif
      - name: Container scan
        run: |
          docker build -t app:${{ github.sha }} .
          trivy image --exit-code 1 --severity CRITICAL,HIGH app:${{ github.sha }}
.gitlab-ci.yml 
stages: [test, scan, build]

unit-tests:
  stage: test
  script:
    - npm ci
    - npm test
  artifacts:
    reports:
      junit: junit.xml

sast:
  stage: scan
  script:
    - semgrep scan --config=auto --sarif > gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif

container-scan:
  stage: scan
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - trivy image --exit-code 1 --severity CRITICAL,HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
🔬 Under the Hood

GitHub Actions runners are ephemeral VMs that clone your repo, execute steps, then destroy the environment. GitLab runners poll for jobs (shell, Docker, or K8s executor). Both support OIDC for short-lived cloud credentials— no AWS keys stored in CI variables.

Explore the guide — all sections

Twelve deep-dive chapters plus cheat sheets. Recommended path: Source ControlCI PipelinesSecurity ScanningSecrets, then deployment and IaC as your role requires.

Learning path: Source Control · CI Pipelines · Security Scanning · Secrets · Deployment

Developer

developer

Git workflows, conventional commits, pre-commit hooks, fixing failing builds, understanding why security gates block PRs, feature flags.

DevOps / Platform Engineer

devops

Pipeline design, runners, caching, reusable templates, OIDC, artifact registries, GitOps promotion, environment management.

Security Engineer / Architect

security

Threat modeling pipelines, SLSA/SBOM/signing, policy as code, SAST/DAST/SCA strategy, compliance automation, zero-trust CI access.