A penetration test uncovered vulnerabilities that had been in the code for months. A “security review” once a quarter isn’t enough. DevSecOps integrates security into every commit.
Security in the CI/CD Pipeline
Each pipeline stage adds a security check:
- Pre-commit: secrets detection (git-secrets, detect-secrets)
- Build: SAST — SonarQube, Checkmarx for static code analysis
- Dependencies: OWASP Dependency-Check, Snyk for known vulnerabilities
- Docker: Trivy, Clair for image scanning
- Deploy: OPA/Gatekeeper for policy enforcement
- Runtime: DAST — OWASP ZAP for dynamic testing
Trivy — Image Scanning That Works

```
$ trivy image registry.core.cz/api-server:latest
api-server:latest
Total: 12 (CRITICAL: 2, HIGH: 3, MEDIUM: 5, LOW: 2)
CVE-2019-5736 CRITICAL runc < 1.0-rc6
CVE-2019-3462 CRITICAL apt < 1.4.9
```
Trivy is fast, simple, and has a good CVE database. We integrated it into the Jenkins pipeline — the build fails on CRITICAL vulnerabilities.
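The "build fails on CRITICAL" step can be implemented as a small gate script that Jenkins runs after `trivy image --format json -o report.json <image>`. The following is an added example, not code from the original post or from the Trivy project; it assumes Trivy's JSON layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion` fields) and uses a constructed report that mirrors the output shown above. The `ignore_unfixed` switch is the caveat most teams hit first: blocking on findings with no available fix only stalls the pipeline, so those are reported but optionally not counted.

```python
"""Severity gate over a Trivy JSON report (added example, not the post's code)."""
from __future__ import annotations

import json
import sys
from collections import Counter

# Trivy severities from most to least severe; UNKNOWN sorts last.
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


def summarize(report: dict, ignore_unfixed: bool = False) -> tuple[Counter, list[dict]]:
    """Count findings per severity and return a flat list of them.

    With ignore_unfixed=True, findings that have no FixedVersion are skipped
    entirely: the team cannot act on them yet, so they should not block.
    """
    counts: Counter = Counter()
    findings: list[dict] = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            findings.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or "(no fix)",
                "severity": sev,
                "target": result.get("Target", "?"),
            })
    return counts, findings


def gate(report: dict, min_severity: str = "CRITICAL",
         ignore_unfixed: bool = False) -> tuple[bool, list[str]]:
    """Return (passed, report_lines). Fails when any finding is at or above
    min_severity, e.g. min_severity="HIGH" blocks on HIGH and CRITICAL."""
    threshold = SEVERITY_ORDER.index(min_severity)
    counts, findings = summarize(report, ignore_unfixed)
    blocking = [f for f in findings
                if SEVERITY_ORDER.index(f["severity"]) <= threshold]
    lines = ["Total: %d (%s)" % (
        sum(counts.values()),
        ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if counts[s]))]
    for f in blocking:
        lines.append(f"{f['id']} {f['severity']} {f['pkg']} "
                     f"{f['installed']} -> {f['fixed']} [{f['target']}]")
    return not blocking, lines


# Constructed sample that mirrors the post's scan output; not a real report.
SAMPLE_REPORT = {
    "ArtifactName": "registry.core.cz/api-server:latest",
    "Results": [{
        "Target": "registry.core.cz/api-server:latest",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-5736", "PkgName": "runc",
             "InstalledVersion": "1.0-rc5", "FixedVersion": "1.0-rc6",
             "Severity": "CRITICAL"},  # versions constructed
            {"VulnerabilityID": "CVE-2019-3462", "PkgName": "apt",
             "InstalledVersion": "1.4.8", "FixedVersion": "1.4.9",
             "Severity": "CRITICAL"},  # versions constructed
            {"VulnerabilityID": "CVE-0000-0001",  # placeholder id, constructed
             "PkgName": "libexample", "InstalledVersion": "1.0",
             "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
}


if __name__ == "__main__":
    # Usage in a pipeline step: python gate.py report.json [MIN_SEVERITY]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    report = json.load(open(path)) if path else SAMPLE_REPORT
    min_sev = sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"
    passed, out = gate(report, min_sev, ignore_unfixed=True)
    print("\n".join(out))
    sys.exit(0 if passed else 1)
```

In Jenkins the non-zero exit code is what fails the stage; keeping the threshold as a parameter lets a team start at CRITICAL and tighten to HIGH once the backlog is cleared.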
Compliance as Code
OPA (Open Policy Agent) with Gatekeeper in Kubernetes: no containers as root, no privileged mode, mandatory resource limits, mandatory labels. Policies defined in Rego, enforced at the API server level.
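To show what those four rules actually check on a Pod manifest, here is an added example (not code from the original post, and not Gatekeeper's own Rego) that mirrors the same logic in plain Python, usable as a pre-deploy test in the pipeline before the Gatekeeper admission webhook sees the object. The required label set and the pod names are assumptions; the securityContext and resources fields are standard Kubernetes Pod spec fields. It covers the detail Gatekeeper policies must also handle: the container-level securityContext overrides the pod-level one, and initContainers are subject to the same rules.

```python
"""Pod policy checks mirroring the post's Gatekeeper rules (added example)."""
from __future__ import annotations

# Assumed set of mandatory labels; substitute what your organisation mandates.
REQUIRED_LABELS = ("app", "team")


def _containers(pod: dict) -> list[dict]:
    """All containers, init containers included: the rules apply to both."""
    spec = pod.get("spec", {}) or {}
    return list(spec.get("initContainers") or []) + list(spec.get("containers") or [])


def check_pod(pod: dict, required_labels=REQUIRED_LABELS) -> list[str]:
    """Return a list of violation messages; an empty list means admitted."""
    violations: list[str] = []
    meta = pod.get("metadata", {}) or {}
    name = meta.get("name", "<unnamed>")
    labels = meta.get("labels") or {}

    # Rule 4: mandatory labels.
    for lbl in required_labels:
        if lbl not in labels:
            violations.append(f"{name}: missing required label '{lbl}'")

    pod_sc = (pod.get("spec", {}) or {}).get("securityContext") or {}
    for c in _containers(pod):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # Rule 1: no containers as root. Container-level settings win over
        # pod-level ones; with neither set, the image default (often UID 0) applies.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0 or (not run_as_non_root and run_as_user is None):
            violations.append(f"{name}/{cname}: may run as root "
                              "(set runAsNonRoot: true or a non-zero runAsUser)")

        # Rule 2: no privileged mode.
        if sc.get("privileged") is True:
            violations.append(f"{name}/{cname}: privileged mode is not allowed")

        # Rule 3: mandatory CPU and memory limits.
        limits = (c.get("resources") or {}).get("limits") or {}
        for resource in ("cpu", "memory"):
            if resource not in limits:
                violations.append(f"{name}/{cname}: missing {resource} limit")
    return violations


# Constructed manifests for illustration; not from the post.
BAD_POD = {
    "metadata": {"name": "api-server", "labels": {"app": "api-server"}},
    "spec": {"containers": [{
        "name": "api",
        "image": "registry.core.cz/api-server:latest",
        "securityContext": {"privileged": True},
    }]},
}

GOOD_POD = {
    "metadata": {"name": "api-server",
                 "labels": {"app": "api-server", "team": "core"}},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [{
            "name": "migrate",
            "image": "registry.core.cz/api-server:latest",
            "resources": {"limits": {"cpu": "250m", "memory": "128Mi"}},
        }],
        "containers": [{
            "name": "api",
            "image": "registry.core.cz/api-server:latest",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "OK")
```

Running the same checks locally and in Gatekeeper keeps the feedback loop short: a developer sees the violation in the PR build rather than as a rejected deploy.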
Cultural Change
The most important thing: security isn’t just the security team’s responsibility. Developers get feedback about vulnerabilities directly in PRs. Security training is part of onboarding.
Shift Left — Security from the First Line
The earlier you find a vulnerability, the cheaper it is to fix. DevSecOps isn’t extra work — it’s an investment that saves time and money.