DevSecOps Foundations
The DevSecOps Pipeline Architecture
A DevSecOps pipeline integrates security checks at every stage—from code commit to production monitoring. This lesson maps out the complete architecture.
The Complete Pipeline
┌─────────────────────────────────────────────────────────────────────┐
│ DevSecOps Pipeline │
├────────┬────────┬────────┬────────┬────────┬────────┬──────────────┤
│ Plan │ Code │ Build │ Test │ Release│ Deploy │ Operate │
├────────┼────────┼────────┼────────┼────────┼────────┼──────────────┤
│Threat │Pre- │SAST │DAST │Image │Config │Runtime │
│Model │commit │SCA │IAST │Signing │Audit │Protection │
│ │Hooks │License │Pen Test│ │Secrets │SIEM │
│ │IDE Sec │ │ │ │Verify │Monitoring │
└────────┴────────┴────────┴────────┴────────┴────────┴──────────────┘
Stage-by-Stage Security
1. Plan Phase
Security starts before code is written:
- Threat Modeling: Identify attack surfaces (STRIDE, PASTA frameworks)
- Security Requirements: Define security acceptance criteria
- Architecture Review: Validate design decisions
2. Code Phase
Security as developers write code:
# Pre-commit hooks configuration
# .pre-commit-config.yaml
repos:
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
- repo: https://github.com/hadolint/hadolint
rev: v2.12.0
hooks:
- id: hadolint
Tools: detect-secrets, git-secrets, Semgrep, SonarLint
3. Build Phase
Security during compilation and packaging:
# GitHub Actions - Build with Security
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# SAST - Static Analysis
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: p/security-audit p/secrets
# SCA - Dependency Scanning
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Build artifact
- name: Build
run: npm run build
Tools: Semgrep, CodeQL, Snyk, Trivy, OWASP Dependency-Check
4. Test Phase
Dynamic security testing:
# DAST in staging environment
dast:
runs-on: ubuntu-latest
needs: deploy-staging
steps:
- name: OWASP ZAP Scan
uses: zaproxy/action-baseline@v0.10.0
with:
target: 'https://staging.example.com'
rules_file_name: '.zap/rules.tsv'
Tools: OWASP ZAP, Nuclei, Burp Suite, OWASP Juice Shop (training)
5. Release Phase
Security before production:
# Container image signing
release:
steps:
- name: Sign Image with Cosign
run: |
cosign sign --key cosign.key \
${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
- name: Verify Image
run: |
cosign verify --key cosign.pub \
${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
Tools: Cosign, Notary, Harbor (registry with scanning)
6. Deploy Phase
Security during deployment:
# Kubernetes admission control
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: security-webhook
webhooks:
- name: validate.security.io
rules:
- operations: ["CREATE", "UPDATE"]
resources: ["pods", "deployments"]
Tools: OPA Gatekeeper, Kyverno, Vault (secrets injection)
7. Operate Phase
Continuous security monitoring:
# Falco runtime security rules
- rule: Detect Crypto Mining
condition: >
spawned_process and
proc.name in (crypto_mining_binaries)
output: "Crypto mining detected (user=%user.name command=%proc.cmdline)"
priority: CRITICAL
Tools: Falco, Sysdig, Datadog Security Monitoring
Security Gates: Pass/Fail Criteria
# Example security gate configuration
security-gates:
sast:
critical: 0 # Zero critical = must pass
high: 5 # Max 5 high severity
block_on_fail: true
sca:
critical: 0
high: 10
license_block: ["GPL-3.0", "AGPL"] # Block copyleft
dast:
critical: 0
high: 3
block_on_fail: true
secrets:
detected: 0 # Zero secrets allowed
block_on_fail: true
Feedback Loops
The fastest feedback wins:
| Stage | Feedback Time | Developer Action |
|---|---|---|
| IDE | Instant | Fix while coding |
| Pre-commit | Seconds | Fix before commit |
| PR checks | Minutes | Fix before merge |
| Nightly scan | Hours | Fix next day |
| Pen test | Weeks | Fix eventually |
In the next module, we'll dive deep into SAST—the first line of automated defense. :::