Compliance in DevSecOps
Controls built into the pipeline and platform.
Compliance as code reaches its full potential when it stops being a separate function and becomes part of how software is built and run. Embedding compliance in DevSecOps means controls live as automated gates in the pipeline and platform, evaluated continuously, owned by engineering — the synthesis of everything in this course and the curriculum.
Compliance built in, not bolted on
In a mature organization, compliance is not a late gate a separate team applies before release — it is woven into the delivery system. IaC compliance gates run in CI, admission policy enforces at deploy, posture management and drift detection watch runtime, and every one of these produces evidence mapped to controls. Developers experience compliance as ordinary failing checks they fix like any test, not as a bureaucratic review that blocks them at the end. This is the DevSecOps principle applied to compliance: shift it left, automate it, and make it continuous, so meeting a framework is a byproduct of good engineering rather than a parallel project.
# code → CI ──────────────→ deploy ────────────→ runtime# IaC gates (Checkov) admission (Gatekeeper) Config/CSPM + drift# Conftest policies signed-image verify continuous evaluation# │ │ │# └──────── each step emits evidence mapped to controls ────────┘## Compliance is a property of the pipeline + platform — not a final review.
The unifying loop
Everything in this course composes into one system. Frameworks reduce to controls; controls are written as tested policy; policy enforces in CI, at admission, and at runtime; enforcement produces continuous, tamper-evident, mapped evidence; drift and posture catch regressions; remediation closes gaps and guardrails prevent recurrence; and inheritance plus secure-by-default provisioning make it scale. The enforcement and the evidence are the same automated artifacts, so a well-engineered platform is a compliant one, and audit readiness is continuous. That is the essence of compliance as code — not paperwork about controls, but controls that enforce and evidence themselves, embedded in how you build and operate software. Done this way, compliance and security stop being in tension and become the same work.