# DevSecOps Pipeline in a Day: Automated Security from Commit to Deploy

Security that happens after deployment is already too late. By the time a quarterly penetration test discovers hardcoded secrets, vulnerable containers, or publicly exposed infrastructure, the vulnerable code has usually been in production for months. Sometimes years. The remediation backlog grows. Developers lose context. Security becomes bureaucratic archaeology rather than operational engineering.

DevSecOps changes the timing. Instead of treating security as a gate at the end of delivery, it embeds security checks throughout the software lifecycle. Every stage becomes an opportunity to reduce risk automatically.

This tutorial builds a complete open-source DevSecOps pipeline in a single day:

- Secret detection before commits
- SAST on every pull request
- Dependency vulnerability scanning
- Container image scanning
- Terraform and Kubernetes IaC scanning
- DAST against staging environments
- Centralised vulnerability reporting
- Security SLA policies

No enterprise security platform required.

## The DevSecOps Security Layer Model: Where Each Check Lives

Security works best when distributed. Each security control belongs at the earliest operational layer where it can execute effectively.

```
Commit → Build → Test → Scan → Deploy → Monitor
```

### The Six-Layer Model

```
Layer 1 → Developer workstation
Layer 2 → Pull request pipeline
Layer 3 → Dependency validation
Layer 4 → Container security
Layer 5 → Infrastructure-as-Code validation
Layer 6 → Runtime application testing
```

### Why Layering Matters

Every layer catches different failure modes. No single scanner catches everything. Security becomes resilient through redundancy.

## Layer 1: Pre-Commit Hooks — detect-secrets and git-secrets Setup

The cheapest vulnerability to fix is the one that never enters Git history.

### Installing the Pre-Commit Framework

```bash
pip install pre-commit
```

### detect-secrets Configuration

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
```

```bash
pre-commit install
```

### git-secrets for AWS Credentials

```bash
git secrets --install        # run inside the repository
git secrets --register-aws   # adds the AWS access key and secret key patterns
```

This prevents catastrophic credential leakage before CI even starts. A blocked commit looks like this:

```
AWS_SECRET_ACCESS_KEY detected
Commit rejected
```

### Why Pre-Commit Security Matters

Secrets committed once often persist forever in Git history. Prevention beats remediation.

## Layer 2: SAST in CI — Semgrep for Application Code

Static Application Security Testing identifies insecure coding patterns before deployment. Semgrep is exceptionally effective because it balances signal quality with developer usability.

### GitHub Actions SAST Workflow

```yaml
sast:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Semgrep SAST
      uses: returntocorp/semgrep-action@v1
      with:
        config: "p/owasp-top-ten p/python p/javascript"
```

### Example Vulnerability Detection

```python
query = f"SELECT * FROM users WHERE id = {user_input}"
```

Semgrep flags it:

```
Possible SQL injection vulnerability
```

### Custom Security Rules

Production environments eventually require organisation-specific rules.

```yaml
rules:
  - id: no-public-s3
    languages: [generic]   # Semgrep requires a language; generic matches the literal in any file
    pattern: '"public-read"'
    message: Public S3 ACL forbidden
    severity: ERROR
```

### Why SAST Must Run on Every PR

Security reviews delayed until release branches create vulnerability bottlenecks. Fast feedback changes behaviour. Delayed feedback creates resentment.

## Layer 3: SCA — OWASP Dependency-Check and Trivy for Dependencies

Modern applications inherit more code than they write. Dependency vulnerabilities therefore matter enormously.

### OWASP Dependency-Check

```bash
dependency-check.sh \
  --project app \
  --scan .
```

Example finding:

```
Critical vulnerability: log4j-core 2.14.1
CVE-2021-44228
```

### Trivy Dependency Scan

Trivy's filesystem mode (`trivy fs .`, used in the full workflow at the end of this post) scans lockfiles and manifests for the same class of findings, so one tool can cover both dependencies and container images.

### Dependency Update Automation

Use Renovate or Dependabot.

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"        # required: the directory containing the manifest
    schedule:
      interval: daily
```

Automation reduces vulnerability half-life dramatically.

## Layer 4: Container Image Scanning — Trivy in Your Docker Build Pipeline

Containers frequently contain:

- Vulnerable OS packages
- Unpatched libraries
- Misconfigurations
- Embedded secrets

Scanning them is mandatory.

### Build and Scan Workflow

```yaml
container-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Build image
      run: docker build -t app:${{ github.sha }} .
    - name: Trivy vulnerability scan
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: app:${{ github.sha }}
        exit-code: '1'
        severity: 'CRITICAL,HIGH'
```

### Example Container Findings

```
openssl package vulnerable
Severity: HIGH
```

### Distroless Images Reduce Attack Surface

Instead of:

```dockerfile
FROM ubuntu:22.04
```

use:

```dockerfile
FROM gcr.io/distroless/static
```

Smaller images. Fewer packages. Fewer CVEs.

## Layer 5: IaC Security Scanning — Checkov on Every Terraform Plan

Infrastructure misconfigurations cause some of the most damaging cloud breaches. IaC scanning catches them before deployment.

### Checkov GitHub Action

```yaml
iac-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - name: Checkov IaC scan
      uses: bridgecrewio/checkov-action@master
      with:
        directory: terraform/
        framework: terraform
```

### Example Terraform Misconfiguration

```hcl
resource "aws_security_group" "bad" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # the whole internet
  }
}
```

Checkov reports:

```
Security group allows unrestricted ingress
```

### Recommended IaC Policies

At minimum, fail the plan on:

- Public S3 buckets
- Open security groups
- Unencrypted databases
- Unencrypted EBS volumes
- Wildcard IAM policies

## Layer 6: DAST — OWASP ZAP Against Your Staging Environment

DAST validates runtime behaviour. Unlike SAST, it tests deployed applications directly.

### OWASP ZAP Docker Scan

```bash
docker run --rm -t owasp/zap2docker-stable \
  zap-baseline.py \
  -t https://staging.example.com
```

### CI Integration

```yaml
- name: ZAP Scan
  run: |
    docker run --rm -t owasp/zap2docker-stable \
      zap-baseline.py \
      -t https://staging.example.com
```

### Example Vulnerabilities DAST Finds Well

- Missing headers
- Insecure cookies
- Open redirects
- Authentication weaknesses

### Why DAST Complements SAST

SAST reasons about source code; DAST observes the deployed application. Each sees failure modes the other cannot, which is exactly the redundancy the layer model relies on.

## Centralising Findings in Defect Dojo

Without centralisation, findings scatter across tools and become operational noise. Defect Dojo consolidates:

- SAST results
- Dependency scans
- Container findings
- DAST reports

### Defect Dojo Deployment

```bash
helm repo add defectdojo https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts
helm install defectdojo defectdojo/defectdojo
```

### Importing Scan Results

```bash
# $DOJO_API_KEY and the engagement id are placeholders for your own instance
curl -X POST https://dojo/api/v2/import-scan/ \
  -H "Authorization: Token $DOJO_API_KEY" \
  -F scan_type="Trivy Scan" \
  -F engagement=1 \
  -F file=@trivy-report.json
```

### Why Centralisation Matters

Security programmes fail when visibility fragments. One dashboard changes operational behaviour.

## SLA Policies: How to Treat CRITICAL vs HIGH vs MEDIUM Findings

Not all vulnerabilities deserve identical urgency.

### Recommended SLA Model

```
CRITICAL → Block merge
HIGH     → Fail release
MEDIUM   → Warn only
```

### CI Enforcement Strategy

Security governance must remain operationally realistic. Overly aggressive policies create bypass behaviour.

## Measuring DevSecOps Effectiveness

Security programmes require measurable outcomes.

### Core Metrics

#### Mean Time to Remediation (MTTR)

```
Discovery → Remediation
```

#### Vulnerability Escape Rate

How many vulnerabilities reach production?

#### Pipeline Coverage

- Repositories scanned
- Terraform coverage
- Container coverage
- Dependency scan adoption

If scanners create excessive noise:

```
Developers stop trusting alerts
```

Signal quality matters enormously.

## Full GitHub Actions DevSecOps Workflow

```yaml
name: DevSecOps Pipeline
on: [push, pull_request]

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # TruffleHog needs history to diff against the base
      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep
        uses: returntocorp/semgrep-action@v1

  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy FS Scan
        uses: aquasecurity/trivy-action@master   # the runner has no trivy binary; use the action
        with:
          scan-type: 'fs'
          scan-ref: '.'

  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                # required before docker build
      - run: docker build -t app:${{ github.sha }} .
      - name: Trivy Image Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}

  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                # Checkov needs the files checked out
      - name: Checkov
        uses: bridgecrewio/checkov-action@master

  dast:
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP
        run: |
          docker run --rm -t owasp/zap2docker-stable \
            zap-baseline.py \
            -t https://staging.example.com
```

## Common DevSecOps Mistakes

### 1. Blocking Everything Immediately

Teams bypass pipelines if friction becomes unbearable.

### 2. Ignoring False Positives

Poor signal quality destroys developer trust.

### 3. Treating Security as Separate from Engineering

Security tooling must integrate into existing workflows. Not create parallel ones.

### 4. No Ownership Model

Findings without owners become backlog sediment.

DevSecOps is not about inserting security gates into delivery pipelines. It is about making security part of normal engineering behaviour.

The most successful DevSecOps environments share several characteristics:

- Fast feedback
- Automated enforcement
- Low-friction tooling
- Developer-visible results
- Incremental adoption

Security stops being ceremonial compliance theatre and becomes operational engineering. And that is the critical shift. Because modern software delivery moves too quickly for security reviews performed weeks after deployment. The only scalable model is continuous security at continuous delivery speed.
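Added example for Layer 1 (pre-commit hooks), not detect-secrets' or git-secrets' own code: a minimal hook that combines a git-secrets style pattern (AWS access key IDs) with a detect-secrets style entropy heuristic over staged files. The regexes and the entropy threshold are assumptions to tune per repository.

```python
"""Added example, not detect-secrets' or git-secrets' code: a pre-commit
check combining a git-secrets style pattern (AWS access key IDs) with a
detect-secrets style entropy heuristic. Thresholds are assumptions."""
import math
import re
import subprocess
import sys
from collections import Counter

# git-secrets --register-aws installs a pattern equivalent to this one.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# "<secret-ish name> = <long opaque token>", e.g. AWS_SECRET_ACCESS_KEY=...
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{20,})")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per repository

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random base64 is ~5.5, English text ~4."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())

def scan_lines(lines):
    """Return (line_number, reason) for every line that looks like a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((no, "AWS access key ID pattern"))
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((no, f"high-entropy {m.group(1)} assignment"))
    return findings

def staged_files():
    """Paths added or modified in the index, i.e. what the commit would contain."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]

if __name__ == "__main__":
    rejected = False
    for path in staged_files():
        with open(path, errors="ignore") as fh:
            for no, why in scan_lines(fh.read().splitlines()):
                print(f"{path}:{no}: {why}")
                rejected = True
    sys.exit(1 if rejected else 0)  # a non-zero exit makes git abort the commit
```

Wire it in as a `repo: local` hook in `.pre-commit-config.yaml` or call it from `.git/hooks/pre-commit`; the AWS documentation's example credentials are handy for testing it without committing anything real.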
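Added example for the SLA policy and CI enforcement sections (not Trivy's or the post's code): a gate that applies the post's model, CRITICAL blocks a merge, HIGH fails a release, MEDIUM only warns, to a Trivy JSON report. The report embedded below is constructed in Trivy's JSON layout from the post's log4j and openssl findings; the openssl and libxml2 CVE ids are placeholders.

```python
"""Added example, not Trivy's or the post's code: a CI gate that applies the
post's SLA model (CRITICAL blocks merge, HIGH fails release, MEDIUM warns) to a
Trivy JSON report. The report below is constructed in Trivy's JSON layout."""
import json
import sys

# Which pipeline stages each severity halts; "pr" = merge gate, "release" = release job.
SLA = {"CRITICAL": {"pr", "release"}, "HIGH": {"release"}}

SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "app:constructed (debian 12)",
    "Vulnerabilities": [
        # From the post's examples; the openssl and libxml2 CVE ids are placeholders.
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "log4j-core",
         "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "openssl",
         "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-XXXX-PLACEHOLDER", "PkgName": "libxml2",
         "InstalledVersion": "2.9.14", "FixedVersion": "", "Severity": "MEDIUM"},
    ]}]})

def findings(report: dict):
    """Flatten Trivy's Results[].Vulnerabilities[] into (id, pkg, severity, fixable)."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # null when a target is clean
            yield v["VulnerabilityID"], v["PkgName"], v["Severity"].upper(), bool(v.get("FixedVersion"))

def evaluate(report_json: str, stage: str):
    """Split findings into those that block `stage` and those that are merely reported."""
    blocking, warnings = [], []
    for f in findings(json.loads(report_json)):
        (blocking if stage in SLA.get(f[2], set()) else warnings).append(f)
    return blocking, warnings

def gate(report_json: str, stage: str) -> int:
    """CI exit code: 1 when any finding blocks this stage, else 0 (warnings still printed)."""
    blocking, warnings = evaluate(report_json, stage)
    for label, group in (("WARN ", warnings), ("BLOCK", blocking)):
        for vid, pkg, sev, fixable in group:
            print(f"{label} {sev:<8} {pkg} {vid}" + ("" if fixable else " (no fix available)"))
    return 1 if blocking else 0

if __name__ == "__main__":
    # usage: sla_gate.py <pr|release> [trivy-report.json]; without a file the sample is used
    stage = sys.argv[1] if len(sys.argv) > 1 else "pr"
    data = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_REPORT
    sys.exit(gate(data, stage))
```

Run it after `trivy image --format json -o trivy-report.json app:$SHA` as a separate step, so the same report can be archived, imported into Defect Dojo, and gated with different stages on pull requests and release branches.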
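Added example for the metrics section (not the post's code): the post's two core metrics, Mean Time to Remediation and Vulnerability Escape Rate, plus an SLA-breach list, computed from finding records of the shape a Defect Dojo export provides. The field names and the sample records are constructed.

```python
"""Added example, not the post's code: the post's two core metrics, MTTR and
Vulnerability Escape Rate, computed from finding records of the shape a Defect
Dojo export provides. Field names and the sample records are constructed."""
from datetime import date
from statistics import mean

# Layers of the post's model; anything found elsewhere escaped the pipeline.
PIPELINE_LAYERS = {"pre-commit", "sast", "sca", "container", "iac", "dast"}

# Constructed records: severity, layer that found it, discovered, remediated (or None).
FINDINGS = [
    {"id": 1, "severity": "CRITICAL", "found_by": "sast", "found": date(2024, 3, 1), "fixed": date(2024, 3, 2)},
    {"id": 2, "severity": "HIGH", "found_by": "sca", "found": date(2024, 3, 1), "fixed": date(2024, 3, 11)},
    {"id": 3, "severity": "HIGH", "found_by": "production", "found": date(2024, 3, 5), "fixed": date(2024, 3, 25)},
    {"id": 4, "severity": "MEDIUM", "found_by": "dast", "found": date(2024, 3, 10), "fixed": None},
    {"id": 5, "severity": "CRITICAL", "found_by": "production", "found": date(2024, 3, 12), "fixed": date(2024, 3, 13)},
]

def mttr_days(findings, severity=None):
    """Mean days from discovery to remediation over closed findings (optionally one severity)."""
    ages = [(f["fixed"] - f["found"]).days for f in findings
            if f["fixed"] is not None and severity in (None, f["severity"])]
    return mean(ages) if ages else None

def mttr_by_severity(findings):
    """MTTR per severity, which is what an SLA model is measured against."""
    return {sev: mttr_days(findings, sev) for sev in sorted({f["severity"] for f in findings})}

def escape_rate(findings):
    """Fraction of findings first seen outside any pipeline layer, i.e. in production."""
    if not findings:
        return 0.0
    return sum(f["found_by"] not in PIPELINE_LAYERS for f in findings) / len(findings)

def open_beyond(findings, today, max_age_days):
    """Ids of still-open findings older than an age budget: the SLA-breach list."""
    return [f["id"] for f in findings
            if f["fixed"] is None and (today - f["found"]).days > max_age_days]

if __name__ == "__main__":
    print("MTTR (days):", mttr_by_severity(FINDINGS))
    print("escape rate:", escape_rate(FINDINGS))
    print("open > 14 days:", open_beyond(FINDINGS, date(2024, 4, 1), 14))
```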