Key Takeaways

  • Shift left: Find security issues early
  • Automate: Security checks in every build
  • SAST + SCA + DAST cover complementary bug classes; no single one is sufficient
  • Developer experience matters for adoption

1. What is DevSecOps?

DevSecOps integrates security practices into the DevOps workflow. Instead of security being a gate at the end, it's embedded throughout development, from commit to production.

Security Testing Types

2. SAST (Static Analysis)

Static Code Analysis
# Semgrep (open-source, fast)
semgrep --config=auto /path/to/code

# CodeQL (GitHub): build a database from the source tree, then run the default query suite against it
codeql database create codeql-db --language=javascript --source-root .
codeql database analyze codeql-db --format=sarif-latest --output=results.sarif

# SonarQube
sonar-scanner -Dsonar.projectKey=myproject

# Integration in GitHub Actions
# (returntocorp/semgrep-action is archived; Semgrep's current docs run `semgrep ci` in the semgrep/semgrep container instead)
- uses: returntocorp/semgrep-action@v1
  with:
    config: auto
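To make concrete what a SAST rule actually does, here is an added example (not code from the original page or from any of the tools above): a toy static analyser built on Python's standard-library ast module. It walks a parsed source tree and reports three patterns that a default Semgrep or CodeQL rule pack would also flag: eval/exec on a non-literal argument, subprocess calls with shell=True, and weak hash functions. The scanned SAMPLE source, its rule identifiers and the Finding type are all constructed for this example.

```python
"""Added example (not from the original page): a toy SAST pass over Python
source using the stdlib ``ast`` module. It flags three patterns a real
Semgrep/CodeQL rule set would also catch: ``eval``/``exec`` on non-literal
input, ``subprocess`` calls with ``shell=True``, and weak hashes
(``hashlib.md5``/``sha1``). The scanned source below is constructed sample code.
"""
import ast
from dataclasses import dataclass

WEAK_HASHES = {"md5", "sha1"}
DANGEROUS_CALLS = {"eval", "exec"}


@dataclass
class Finding:
    rule_id: str      # constructed rule ids, not Semgrep's registry names
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # Rule 1: eval/exec on anything that is not a string literal.
        if name in DANGEROUS_CALLS and node.args and not isinstance(node.args[0], ast.Constant):
            self.findings.append(Finding("py.dangerous-eval", node.lineno,
                                         f"{name}() on non-literal argument"))
        # Rule 2: subprocess.* with shell=True (command-injection sink).
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append(Finding("py.subprocess-shell-true", node.lineno,
                                         f"{name}(shell=True)"))
        # Rule 3: weak hash algorithms.
        if name in {f"hashlib.{h}" for h in WEAK_HASHES}:
            self.findings.append(Finding("py.weak-hash", node.lineno,
                                         f"{name}() is not collision resistant"))
        self.generic_visit(node)   # keep descending: nested calls are sinks too


def scan_source(source: str) -> list[Finding]:
    """Parse ``source`` and return findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample target; the comments give the line numbers the rules report.
SAMPLE = '''import hashlib, subprocess
from flask import request

def handler():
    cmd = request.args.get("cmd")
    subprocess.run(cmd, shell=True)          # line 6: shell injection
    digest = hashlib.md5(cmd.encode())       # line 7: weak hash
    return eval(request.args.get("expr"))    # line 8: eval on user input

def safe():
    subprocess.run(["ls", "-l"])             # list argv, no shell: not flagged
    return eval("1 + 1")                     # literal argument: not flagged
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.rule_id}:{f.line}: {f.message}")
```

The point to notice is rule 1: it is syntactic, so it cannot tell a request parameter from a trusted variable, which is exactly why real SAST engines add taint tracking and why their results still need triage.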

3. SCA (Dependency Scanning)

# npm audit
npm audit
npm audit --audit-level=high   # exits non-zero only for HIGH/CRITICAL findings, which makes it usable as a CI gate
npm audit fix                  # avoid --force in CI: it applies breaking major-version upgrades

# Snyk
snyk test
snyk monitor  # Continuous monitoring

# OWASP Dependency-Check
dependency-check --project "MyApp" --scan ./

# Trivy (dependencies + more)
trivy fs --scanners vuln ./   # older Trivy releases spelled this flag --security-checks

# GitHub Dependabot
# Automatic PRs for vulnerable dependencies; enabled per repository via .github/dependabot.yml
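All of the SCA tools above do the same core thing: resolve the exact installed version of every dependency and compare it with an advisory feed's affected ranges. The added example below (written for this page, not taken from npm audit, Snyk or Dependency-Check) shows that matching step over a constructed npm lockfileVersion 3 fragment and a constructed advisory feed. Package names, versions and the EXAMPLE-ADV-* identifiers are placeholders, not real advisories.

```python
"""Added example (not from the original page): the core of what an SCA tool
does. It reads resolved versions from a package-lock.json-style document and
matches them against an advisory feed whose entries say "affected from version
A up to, but not including, fixed version B". All names, versions and advisory
IDs below are constructed placeholders, not real advisories.
"""
import json
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Pre-release suffixes are stripped for brevity."""
    return tuple(int(part) for part in v.split("-")[0].split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str      # first affected version (inclusive)
    fixed: str           # first fixed version (exclusive upper bound)
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def resolved_packages(lockfile: dict) -> dict[str, str]:
    """Extract {name: version} from lockfileVersion 2/3 'packages' entries,
    including packages nested under another package's node_modules."""
    found = {}
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta["version"]
    return found


def audit(lockfile: dict, feed: list[Advisory]) -> list[tuple[Advisory, str]]:
    """Return (advisory, installed_version) pairs, most severe first."""
    installed = resolved_packages(lockfile)
    hits = [(adv, installed[adv.package])
            for adv in feed
            if adv.package in installed and adv.affects(installed[adv.package])]
    return sorted(hits, key=lambda h: SEVERITY_RANK[h[0].severity], reverse=True)


def max_severity(hits: list[tuple[Advisory, str]]) -> Optional[str]:
    return hits[0][0].severity if hits else None


# Constructed lockfile fragment (npm lockfileVersion 3 layout).
LOCKFILE = json.loads('''{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/acme-parser": {"version": "2.3.1"},
    "node_modules/acme-logger": {"version": "4.0.0"},
    "node_modules/acme-parser/node_modules/acme-util": {"version": "0.9.0"}
  }
}''')

# Constructed advisory feed; IDs are placeholders, not real CVEs/GHSAs.
FEED = [
    Advisory("EXAMPLE-ADV-001", "acme-parser", "2.0.0", "2.3.2", "HIGH"),
    Advisory("EXAMPLE-ADV-002", "acme-logger", "3.0.0", "4.0.0", "CRITICAL"),  # 4.0.0 is the fix itself
    Advisory("EXAMPLE-ADV-003", "acme-util", "0.1.0", "1.0.0", "MODERATE"),
]

if __name__ == "__main__":
    for adv, ver in audit(LOCKFILE, FEED):
        print(f"{adv.severity:<8} {adv.package}@{ver}: {adv.id} (fixed in {adv.fixed})")
```

Two details matter in practice and are both exercised here: the fixed version is an exclusive bound (acme-logger 4.0.0 is clean), and transitive packages nested inside another package's node_modules are scanned too, since that is where most real findings live.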

4. DAST (Dynamic Testing)

# Only scan systems you own or are authorized to test; point CI at a staging deployment, never at production.

# OWASP ZAP
zap-cli quick-scan --self-contained --spider -r https://target.com
zap-cli alerts -l High

# Nuclei
nuclei -u https://target.com -t cves/

# In CI/CD (containerized). The ZAP image is published on ghcr.io; the Docker Hub owasp/zap2docker-* images are deprecated.
docker run -t -v $(pwd):/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://target.com -r report.html
# zap-baseline.py exits non-zero on FAIL-level alerts (and on WARN unless -I is given), so it works as a pipeline gate
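A baseline DAST scan is mostly passive: it fetches pages and inspects responses rather than attacking the application. The added example below (written for this page; it is not ZAP or Nuclei code) shows that idea end to end against a throwaway local web app so it runs offline: it requests each route with a canary query parameter, reports missing security headers, and flags the canary coming back unescaped, which is the classic reflected-XSS indicator. The DemoApp routes, the REQUIRED_HEADERS list and the canary value are constructed for the example; as above, run real scans only against systems you are authorized to test.

```python
"""Added example (not from the original page): a minimal passive DAST check of
the kind ZAP's baseline scan performs, run against a constructed local web app
so it works offline. It fetches each route with a canary query parameter,
reports missing security headers, and flags unescaped reflection of the canary.
Only point real scans at systems you are authorized to test.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_HEADERS = ["Content-Security-Policy", "X-Content-Type-Options",
                    "Strict-Transport-Security"]
CANARY = "zapcanary<'\">"   # characters that must be escaped in HTML output


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: '/' is deliberately weak, '/safe' is hardened."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/safe":
            body = f"<p>{html.escape(q)}</p>"
            headers = {
                "Content-Security-Policy": "default-src 'self'",
                "X-Content-Type-Options": "nosniff",
                "Strict-Transport-Security": "max-age=63072000",
            }
        else:
            body, headers = f"<p>{q}</p>", {}   # reflects input verbatim, no headers
        payload = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the server quiet
        pass


def start_server() -> HTTPServer:
    """Bind the demo app to a free loopback port and serve it in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def passive_scan(base_url: str, path: str) -> list[str]:
    """Return alert strings for one URL (an empty list means clean)."""
    url = f"{base_url}{path}?q={urllib.parse.quote(CANARY)}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        headers, body = resp.headers, resp.read().decode()
    alerts = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in headers]
    if CANARY in body:
        alerts.append("reflected input not HTML-escaped (possible XSS)")
    return alerts


def scan_all(base_url: str, paths=("/", "/safe")) -> dict[str, list[str]]:
    return {p: passive_scan(base_url, p) for p in paths}


if __name__ == "__main__":
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    for path, alerts in scan_all(base).items():
        print(path, "->", alerts or ["clean"])
    srv.shutdown()
```

Note what this does not do: it never sends a payload designed to break the application, which is why such checks are safe to run on every build, and also why they miss logic flaws and authenticated functionality that an active, authenticated scan (or a manual test) has to cover.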

5. Container Security

# Trivy - container scanning
trivy image myapp:latest
trivy image --severity HIGH,CRITICAL myapp:latest

# Dockerfile linting
hadolint Dockerfile

# Grype
grype myapp:latest

# GitHub Actions example (@master is shown for brevity; in real pipelines pin third-party actions to a release tag or commit SHA)
- name: Scan container
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:latest'
    exit-code: '1'
    severity: 'HIGH,CRITICAL'
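Setting exit-code: '1' makes the scanner fail the job, but teams quickly need finer control than a severity threshold: ignoring findings with no fix yet, and accepting specific reviewed findings for a limited time. The added example below (written for this page, not part of Trivy or the trivy-action) implements that gate over Trivy's JSON output (trivy image --format json -o trivy.json myapp:latest). The REPORT is a constructed Trivy-style document and the CVE-0000-* identifiers are placeholders, not real advisories; the allowlist format with ISO expiry dates is this example's own convention.

```python
"""Added example (not from the original page): a build gate over Trivy's JSON
output. It fails the build on HIGH/CRITICAL findings that have a fix available,
but honours a reviewed allowlist whose entries carry an expiry date, so accepted
risk is re-examined instead of silently suppressed forever. The report below is
a constructed sample and the CVE-0000-* identifiers are placeholders.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report: dict) -> list[dict]:
    """Flatten Trivy's Results[].Vulnerabilities[] into one list, keeping the target name."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({**vuln, "Target": result["Target"]})
    return findings


def gate(report: dict, allowlist: dict[str, str], today: str,
         threshold: str = "HIGH", require_fix: bool = True) -> tuple[bool, list[str]]:
    """Return (passed, reasons). ``today`` is an ISO date string.

    A finding blocks the build when its severity is at or above ``threshold``,
    it has a fix (if ``require_fix``), and it is either not allowlisted or its
    allowlist entry has expired.
    """
    today_d = date.fromisoformat(today)
    reasons = []
    for f in load_findings(report):
        if SEVERITY_RANK[f["Severity"]] < SEVERITY_RANK[threshold]:
            continue
        if require_fix and not f.get("FixedVersion"):
            continue   # nothing to upgrade to yet: track it, do not block on it
        cve = f["VulnerabilityID"]
        expiry = allowlist.get(cve)
        if expiry and date.fromisoformat(expiry) >= today_d:
            continue   # accepted risk, still inside its review window
        why = "allowlist entry expired" if expiry else "not allowlisted"
        reasons.append(f"{cve} {f['Severity']} {f['PkgName']}@{f['InstalledVersion']} "
                       f"(fix {f['FixedVersion']}) in {f['Target']}: {why}")
    return (not reasons), reasons


# Constructed Trivy-style report (identifiers are placeholders, not real CVEs).
REPORT = json.loads('''{
  "Results": [
    {"Target": "myapp:latest (debian 12)", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
       "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.1",
       "FixedVersion": "", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "InstalledVersion": "3.0",
       "FixedVersion": "3.1", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libfourth", "InstalledVersion": "0.5",
       "FixedVersion": "0.6", "Severity": "MEDIUM"}
    ]}
  ]
}''')

# Constructed allowlist: CVE id -> last day the exception is valid (ISO date).
# CVE-0000-0003 is accepted until 2030; the CVE-0000-0001 exception lapsed in 2020.
ALLOWLIST = {"CVE-0000-0003": "2030-01-01", "CVE-0000-0001": "2020-01-01"}

if __name__ == "__main__":
    ok, reasons = gate(REPORT, ALLOWLIST, date.today().isoformat())
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if ok else 1)
```

Keep the allowlist in the repository next to the pipeline definition so every exception goes through code review, and treat an expired entry as a failure rather than silently dropping it: that is what forces the re-evaluation.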

6. Infrastructure as Code Security

# Terraform scanning
tfsec /path/to/terraform          # tfsec's checks have been folded into Trivy; `trivy config` covers the same ground
trivy config /path/to/terraform
checkov -d /path/to/terraform

# CloudFormation
cfn_nag_scan --input-path template.yaml

# Kubernetes manifests
kubesec scan deployment.yaml
kube-score score deployment.yaml

7. Secrets Management

# Repository scanning
# Gitleaks
gitleaks detect --source /path/to/repo   # scans the full git history, not just the working tree
gitleaks protect --staged                # scans only staged changes (what a pre-commit hook needs)

# TruffleHog
trufflehog git file://./repo --only-verified   # --only-verified reports only credentials TruffleHog could validate against the provider

# Pre-commit hook
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

# Secrets management
# HashiCorp Vault, AWS Secrets Manager
# Avoid hardcoded secrets!
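Gitleaks and TruffleHog rely on two complementary detection strategies: pattern rules for credentials with a known prefix or structure, and an entropy check for opaque high-entropy strings the patterns miss. The added example below (written for this page; it is not gitleaks or TruffleHog code) implements both over the added lines of a unified diff, which is the view a pre-commit hook gets. The DIFF is constructed and every credential-like value in it is synthetic; the rule names, thresholds and the assignment-keyword heuristic are this example's own choices, and the AWS and GitHub key-prefix patterns follow those vendors' published formats.

```python
"""Added example (not from the original page): the two detection strategies
secret scanners combine, as a pre-commit style check over the '+' lines of a
diff. Rule set 1 matches well-known key formats; rule 2 is a Shannon-entropy
check gated on a secret-looking assignment. The diff below is constructed and
all credential-like values in it are synthetic, not real credentials.
"""
import math
import re
from dataclasses import dataclass

# Pattern rules: (rule id, regex). Prefix formats follow the vendors' public
# documentation; the regex bodies and rule ids are this example's own.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
ENTROPY_THRESHOLD = 4.0        # bits/char: random base64 is ~6, English text ~4
MIN_TOKEN_LEN = 20
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_TOKEN_LEN)
ASSIGNMENT_RE = re.compile(r"(?i)(secret|token|password|api[_-]?key)\s*[:=]")


def shannon_entropy(s: str) -> float:
    """Bits per character of ``s``; 0.0 for a string made of one repeated char."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


@dataclass
class Leak:
    rule: str
    line_no: int      # line number within the diff text, not the source file
    snippet: str      # truncated so the report itself does not leak the secret


def scan_added_lines(diff: str) -> list[Leak]:
    """Scan only '+' lines of a unified diff; removed and context lines are ignored."""
    leaks = []
    for no, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for rule_id, rx in PATTERN_RULES:
            m = rx.search(content)
            if m:
                leaks.append(Leak(rule_id, no, m.group(0)[:12] + "..."))
                break
        else:
            # Entropy rule fires only next to a secret-looking assignment, which
            # keeps lockfile hashes and long URLs from flooding the report.
            if ASSIGNMENT_RE.search(content):
                for tok in TOKEN_RE.findall(content):
                    if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                        leaks.append(Leak("high-entropy-secret", no, tok[:12] + "..."))
                        break
    return leaks


# Constructed diff; every credential-like value is synthetic.
DIFF = """\
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+DB_PASSWORD = "hunter2"
+API_TOKEN = "q7Vn2pLx9sTbR4wKj8HmZc3Ye6Ua1Dg0"
+README_URL = "https://example.com/docs/getting-started-with-the-api"
-OLD_SECRET = "removed-line-is-not-scanned"
"""

if __name__ == "__main__":
    for leak in scan_added_lines(DIFF):
        print(f"line {leak.line_no}: {leak.rule} ({leak.snippet})")
```

The DB_PASSWORD line shows the blind spot of the entropy approach: a short, low-entropy password passes both checks, so a hook like this is a safety net, not a substitute for keeping secrets out of source in the first place.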

8. Complete Pipeline Example

# GitHub Actions DevSecOps Pipeline
name: Security Pipeline

on: [push, pull_request]

permissions:
  contents: read   # least privilege for the default GITHUB_TOKEN

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so Gitleaks scans every commit, not just HEAD

      # SAST
      - name: Semgrep
        uses: returntocorp/semgrep-action@v1

      # Secrets scanning
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # required by the action

      # SCA
      - name: Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}       # required; store it as a repository secret

      # Build the image the container scan inspects (the scan fails if the tag does not exist)
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      # Container scanning: fail the job on fixable HIGH/CRITICAL findings
      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          exit-code: '1'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true

FAQ

How do we handle false positives?
Tune rules, record suppressions for verified false positives (with an owner and a review date so they are revisited), and invest in triage. Too many false positives erode developer trust, and once developers stop reading the findings the true positives are lost with them.
