CoursesAzure DevOps Engineer ProfessionalSecure DevOps & observability

DevSecOps in the pipeline

Shift-left scanning; secure the pipeline.

Advanced30 min · lesson 13 of 15

DevSecOps integrates security into every stage of delivery rather than bolting it on at the end. For a DevOps engineer, this means building security controls into the pipeline as automated gates, so security keeps pace with fast, frequent deployment.

Shift security left into the pipeline

The core idea is shift-left: catch security issues early and cheaply in the pipeline instead of late in a separate review or in production. Layer scanning tools into CI — SAST for code vulnerabilities, dependency scanning for vulnerable packages, IaC scanning (Checkov/tfsec) for infrastructure misconfigurations, and container image scanning for CVEs — so each class of vulnerability is caught before deploy. Gate on the findings that matter: fail the build on serious, fixable issues, but avoid blocking on unactionable noise, or developers will disable the scanner. This makes security an automated, continuous part of delivery that every change passes through, rather than a bottleneck applied once at the end that slows everyone down and gets skipped under deadline pressure.

security gates in the pipeline
# Layer scans into CI — each catches a different class of issue:
steps:
- script: sast-scan . # code vulnerabilities (SAST)
- script: dependency-scan # vulnerable packages
- script: checkov -d infra/ # IaC misconfigurations
- script: trivy image $IMAGE # container CVEs
# Gate: fail on serious, FIXABLE findings; don't block on noise
# (a scanner that fails on everything gets disabled).

Secure the pipeline itself

The pipeline is high-value infrastructure and must be secured like production. Manage secrets properly — fetch from Key Vault via a service connection, never hardcode or log them — and prefer workload identity federation so the pipeline authenticates to Azure with short-lived tokens and no stored credential. Scope the pipeline’s identity to least privilege (only what the deploy needs, never Owner on the subscription), so a compromised pipeline has limited blast radius. Pin third-party pipeline tasks and dependencies, and run untrusted pull requests on isolated agents without production access. These practices defend against the supply-chain attacks that target CI/CD systems. Secure DevOps means both scanning the artifacts flowing through the pipeline and hardening the pipeline that moves them.

DevSecOps in the pipeline
scan the artifacts
SAST + dependency scan
code and package vulns
IaC + image scan
infra misconfig, container CVEs
secure the pipeline
secrets in Key Vault
identity federation, no stored creds
least-privilege identity
limit blast radius
Shift security left with scanning gates, and harden the pipeline itself — scan what flows through and secure what moves it.
An Owner-scoped pipeline identity is a cluster-wide risk
Giving a pipeline’s service connection Owner on the subscription means a compromised pipeline — or a malicious pull request run on it — can control everything. Scope the pipeline identity to exactly the resources the deployment touches, use workload identity federation instead of stored secrets, and never run untrusted PRs on an agent with production access.