What is DevSecOps?
DevSecOps integrates security practices into every phase of the software development lifecycle, from planning to deployment. Security becomes a shared responsibility, not a gate at the end.
Shift Left Security
Finding and fixing vulnerabilities earlier in the development cycle is 10-100x cheaper than fixing them in production.
Static Application Security Testing (SAST)
SAST analyzes source code for vulnerabilities without executing the application.
```yaml
# GitHub Actions - SAST with CodeQL
name: CodeQL Analysis
on: [push, pull_request]
# Uploading results to code scanning needs this when the default
# GITHUB_TOKEN permissions are restricted.
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: javascript, python
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```
Popular SAST Tools
- Free: CodeQL, Semgrep, Bandit (Python), ESLint
- Commercial: Checkmarx, Fortify, Snyk Code
Dynamic Application Security Testing (DAST)
DAST tests running applications from the outside, simulating real attacks.
```bash
# OWASP ZAP in CI/CD
# Mount the working directory on /zap/wrk so the report is written
# to the host instead of being lost when the container exits.
docker run -v "$(pwd):/zap/wrk/:rw" -t owasp/zap2docker-stable zap-baseline.py \
  -t https://staging.example.com \
  -r report.html
```
Software Composition Analysis (SCA)
SCA identifies vulnerabilities in third-party dependencies.
```bash
# Check dependencies for vulnerabilities
npm audit        # Node.js
pip-audit        # Python
snyk test        # multi-language (Snyk)
trivy fs .       # filesystem scan of lockfiles and manifests
```
Secrets Management
Never commit secrets to repositories. Use proper secrets management:
```yaml
# Pre-commit hook to detect secrets
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
```
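To show what a hook like the one above actually decides on, here is an added example (not code from detect-secrets or from this page) of the three detector types such tools combine: a keyword match, a known key format, and a Shannon-entropy check on quoted strings, plus a simplified baseline allowlist. The sample lines and the `entropy_threshold` value are constructed assumptions.

```python
import math
import re

# Constructed sample lines, as a pre-commit hook sees staged content.
# The AWS key is the placeholder from AWS's own documentation.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "hunter2"',
    'api_token = "c3f9a1e4b2d7f08a6e5c4b3a2d1f0e9c8b7a6d5e"',
    'greeting = "hello world, nothing secret here"',
    'color = "ffffff"',
]

# Keyword detector: a credential-looking name assigned a quoted value.
KEYWORD_RE = re.compile(r'(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["\'][^"\']{6,}["\']')
# Pattern detector: AWS access key IDs are "AKIA" followed by 16 [0-9A-Z].
AWS_KEY_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')
# Candidate for the entropy detector: a quoted token of 20+ "safe" characters.
QUOTED_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')


def shannon_entropy(s):
    """Bits of entropy per character of s (random hex approaches 4.0)."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def scan_line(line, entropy_threshold=3.5):
    """Names of the detectors that flag this line; empty list if clean."""
    hits = []
    if AWS_KEY_RE.search(line):
        hits.append("aws-access-key")
    if KEYWORD_RE.search(line):
        hits.append("keyword")
    if any(shannon_entropy(m.group(1)) >= entropy_threshold for m in QUOTED_RE.finditer(line)):
        hits.append("high-entropy")
    return hits


def scan(lines, baseline=frozenset()):
    """(line_no, detectors) for every flagged line a reviewer has not accepted;
    baseline plays the role of detect-secrets' .secrets.baseline (simplified)."""
    return [(n, scan_line(l)) for n, l in enumerate(lines, 1)
            if scan_line(l) and l not in baseline]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LINES):
        print(f"line {n}: {', '.join(hits)}")
```

A non-empty result is what makes the hook exit non-zero and block the commit; entries added to the baseline are the reviewed false positives.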
Secrets Management Solutions
- HashiCorp Vault: Enterprise secrets management
- AWS Secrets Manager: AWS-native solution
- Azure Key Vault: Azure-native solution
- GitHub Actions Secrets: CI/CD secrets
Container Security
```bash
# Scan container images for vulnerabilities
trivy image myapp:latest
```

```dockerfile
# Dockerfile security
# Use minimal base images
FROM gcr.io/distroless/nodejs18-debian11
# Don't run as root (distroless images ship a "nonroot" user)
USER nonroot
```

```bash
# Scan at build time
docker scout cves myapp:latest
```
Pipeline Hardening
- Require signed commits
- Branch protection rules
- Required code reviews
- Immutable build artifacts
- SLSA compliance
Last updated: December 2024