DevSecOps in the pipeline
Shift-left scanning; secure the pipeline.
DevSecOps integrates security into every stage of delivery rather than bolting it on at the end. For a DevOps engineer, this means building security controls into the pipeline as automated gates, so security keeps pace with fast, frequent deployment.
Shift security left into the pipeline
The core idea is shift-left: catch security issues early and cheaply in the pipeline instead of late in a separate review or in production. Layer scanning tools into CI — SAST for code vulnerabilities, dependency scanning for vulnerable packages, IaC scanning (Checkov/tfsec) for infrastructure misconfigurations, and container image scanning for CVEs — so each class of vulnerability is caught before deploy. Gate on the findings that matter: fail the build on serious, fixable issues, but avoid blocking on unactionable noise, or developers will disable the scanner. This makes security an automated, continuous part of delivery that every change passes through, rather than a bottleneck applied once at the end that slows everyone down and gets skipped under deadline pressure.
# Layer scans into CI — each catches a different class of issue:steps:- script: sast-scan . # code vulnerabilities (SAST)- script: dependency-scan # vulnerable packages- script: checkov -d infra/ # IaC misconfigurations- script: trivy image $IMAGE # container CVEs# Gate: fail on serious, FIXABLE findings; don't block on noise# (a scanner that fails on everything gets disabled).
Secure the pipeline itself
The pipeline is high-value infrastructure and must be secured like production. Manage secrets properly — fetch from Key Vault via a service connection, never hardcode or log them — and prefer workload identity federation so the pipeline authenticates to Azure with short-lived tokens and no stored credential. Scope the pipeline’s identity to least privilege (only what the deploy needs, never Owner on the subscription), so a compromised pipeline has limited blast radius. Pin third-party pipeline tasks and dependencies, and run untrusted pull requests on isolated agents without production access. These practices defend against the supply-chain attacks that target CI/CD systems. Secure DevOps means both scanning the artifacts flowing through the pipeline and hardening the pipeline that moves them.