
Securing the DevSecOps Pipeline

Security touchpoints at every phase—from backlog to production telemetry.

Pipeline phases and security touchpoints

Each phase can emit evidence (logs, reports, attestations) that compliance and quality gates consume.

Plan
Threat model, abuse cases, secure requirements
Code
Pre-commit hooks, secrets scan, peer review + security checklist
Build
SAST, SCA, IaC scan, signed artifacts
Test
DAST, fuzzing, contract tests for authZ
Release
Policy gates, SBOM, change approval, vuln SLA
Deploy
Immutable infra, secrets from vault, config validation
Operate
Hardening baselines, patching, break-glass procedures
Monitor
SIEM, CSPM, runtime alerts, incident drills
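As an added example, not code from the original page: the "no secrets in diff" check from the Code phase, written as the logic a pre-commit hook runs over a unified diff. It combines the two techniques real scanners such as gitleaks or detect-secrets use, fixed-format signatures (AWS access key IDs, PEM private-key headers) and an entropy test on quoted literals assigned to secret-looking variables, so that placeholders like "changeme" do not block commits. The patterns, the entropy threshold and the sample diff are constructed for illustration.

```python
"""Pre-commit secrets gate over the added lines of a unified diff.

Added example, not code from the original page. The patterns, the entropy
threshold and the sample diff are constructed for illustration.
"""
import math
import re
from collections import Counter

# Fixed-format signature for AWS access key IDs (documented AKIA/ASIA prefix
# plus 16 upper-case alphanumerics), PEM private-key headers, and a generic
# "secret-looking variable assigned a quoted literal" pattern that is only
# reported when the literal's entropy suggests real key material.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "assigned-secret": re.compile(
        r"(?i)\b\w*(?:secret|token|password|api_key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value, tune per repository


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def added_lines(diff: str):
    """Yield (path, text) for every line the diff adds; removed and context lines are skipped."""
    path = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, line[1:]


def scan_diff(diff: str) -> list:
    """Return one finding dict per (added line, matching rule)."""
    findings = []
    for path, text in added_lines(diff):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(text)
            if match is None:
                continue
            if rule == "assigned-secret" and shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy literal such as a placeholder; do not block the commit
            findings.append({"path": path, "rule": rule, "line": text.strip()})
    return findings


def gate(diff: str) -> int:
    """Hook exit status: 0 lets the commit through, 1 blocks it."""
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f['path']}: {f['rule']}: {f['line']}")
    return 1 if findings else 0


# Constructed diff: a hard-coded AWS key ID, an embedded private key, a
# placeholder password (must not block) and a high-entropy API token.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SSH_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
+DB_PASSWORD = "changeme-changeme-changeme"
+API_TOKEN = "q8Zr3kPx1LmN9vTb2WcY7HsDfGjKe4Ua"
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_DIFF))
```

Wired into a hook, the script would receive `git diff --cached` on stdin; scanning only added lines keeps the hook fast and avoids re-flagging history that a separate full-repository scan should own.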


SAST: source code

Static analysis of source or bytecode without executing it. Catches injection patterns, weak crypto usage, and dangerous API calls early in CI. Expect false positives: tune rules and triage findings rather than failing the build on every hit.

Examples: Semgrep, SonarQube, Checkmarx, Fortify.

DAST: running application

Black-box testing against a deployed environment. Finds misconfigurations, exposed admin panels, and runtime-only flaws.

Examples: OWASP ZAP, Burp Suite, stack-specific scanners.

SCA: dependencies

Inventory third-party libraries (typically as an SBOM) and match each package and version against CVE/GHSA/OSV advisories and their affected version ranges. Often combined with license policy.

Examples: Snyk, Mend, OWASP Dependency-Check, OSV.
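As an added example, not code from the original page or any of the tools named above: the core of an SCA match, taking a CycloneDX SBOM and a list of advisories in OSV's affected/ranges/events shape and reporting which components fall inside an affected range. The SBOM, the package names and the advisory identifiers are constructed and fictitious; the version parser is a deliberate simplification (dotted numeric versions only, not full PEP 440 or semver), stated as such in the code.

```python
"""SCA matching: CycloneDX SBOM components against OSV-shaped advisories.

Added example, not code from the original page. The SBOM, the advisories,
the package names and the advisory identifiers are constructed and fictitious.
"""
import json

# Constructed CycloneDX 1.5 SBOM of the kind the Build phase emits.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.4.2", "purl": "pkg:pypi/examplelib@1.4.2"},
    {"type": "library", "name": "netparse",   "version": "2.0.5", "purl": "pkg:pypi/netparse@2.0.5"},
    {"type": "library", "name": "jsonkit",    "version": "0.9.1", "purl": "pkg:pypi/jsonkit@0.9.1"}
  ]
}
""")

# Constructed advisories in OSV's affected/ranges/events layout; IDs are fictitious.
ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",
        "summary": "fictitious advisory for examplelib",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "examplelib", "purl": "pkg:pypi/examplelib"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.3"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2024-0002",
        "summary": "fictitious advisory for netparse",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "netparse", "purl": "pkg:pypi/netparse"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}],
        }],
    },
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only: a simplification of PEP 440 / semver for this example."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version: str, events: list) -> bool:
    """Walk OSV events in ascending order: affected from each 'introduced' up to the
    next 'fixed' (exclusive) or 'last_affected' (inclusive)."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if event["introduced"] == "0" or v >= parse_version(event["introduced"]):
                affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            affected = False
    return affected


def purl_base(purl: str) -> str:
    """Drop the @version (and any qualifiers / subpath) so purls compare by package."""
    return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]


def match_sbom(sbom: dict, advisories: list) -> list:
    """Return one hit per (component, advisory) pair whose installed version is affected."""
    hits = []
    for comp in sbom.get("components", []):
        base = purl_base(comp["purl"])
        for adv in advisories:
            for aff in adv.get("affected", []):
                if purl_base(aff["package"].get("purl", "")) != base:
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "GIT":
                        continue  # commit ranges need repository history, not version strings
                    if is_affected(comp["version"], rng["events"]):
                        fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                        hits.append({"component": comp["name"], "version": comp["version"],
                                     "advisory": adv["id"], "fixed_in": fixed})
                        break  # one hit per advisory is enough
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM, ADVISORIES):
        print(f"{hit['component']}@{hit['version']}: {hit['advisory']} (fixed in {hit['fixed_in']})")
```

Matching on the purl rather than on the bare name is what keeps `pkg:pypi/foo` and `pkg:npm/foo` apart; the fixed version in the hit is what feeds the vuln SLA and exception process in the Release phase.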

Penetration testing: human-led

Goal-oriented adversary simulation beyond tool signatures. Validates chains of vulnerabilities and detective controls.

Fit: Pre-release, major changes, or regulated cadence.

Quick reference: where controls live

Phase    | Typical gates             | Artifact
---------+---------------------------+-------------------------------
Plan     | Threat model sign-off     | Diagram + risk register
Code     | No secrets in diff        | Hook logs
Build    | SAST/SCA thresholds       | SARIF, SBOM
Test     | DAST baseline diff        | Scan report, tickets
Release  | Change record, approvals  | Release notes, vuln exceptions
Deploy   | IaC policy pass           | Plan files, attestations
Monitor  | Detection coverage        | Alerts, MTTR metrics
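As an added example, not code from the original page: the "SAST/SCA thresholds" gate from the Build row and the "baseline diff" idea from the Test row, implemented over a SARIF 2.1.0 report, which is the format both the SAST and the SCA tools listed above can emit. Severity is read from the rule's `security-severity` property (the 0 to 10 score convention GitHub code scanning uses), falling back to the result `level`; results carrying a `suppressions` entry are treated as accepted risk, and only findings whose `baselineState` is new or updated (or unset) can block, so the gate fails on what the change introduced rather than on inherited debt. The SARIF document, the rule IDs, the thresholds and the suppression policy are constructed for illustration.

```python
"""Build-phase policy gate over a SARIF 2.1.0 report from SAST or SCA.

Added example, not code from the original page. The SARIF document, rule
IDs, thresholds and suppression policy are constructed for illustration.
"""
import json

# Policy parameters: assumptions for this example.
BLOCK_AT = 7.0                          # block the build on high/critical findings
LEVEL_FALLBACK = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}
NEW_STATES = {"new", "updated", None}   # None: the tool emitted no baseline comparison


def severity_bucket(score: float) -> str:
    """Cut-offs GitHub code scanning applies to security-severity."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def iter_findings(sarif: dict):
    """Yield (result, score, suppressed) across all runs, resolving each rule's severity."""
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            raw = rule.get("properties", {}).get("security-severity")
            score = float(raw) if raw is not None else LEVEL_FALLBACK.get(res.get("level", "warning"), 4.0)
            suppressed = bool(res.get("suppressions"))  # policy: a recorded suppression = accepted risk
            yield res, score, suppressed


def evaluate(sarif: dict) -> dict:
    """Counts by bucket, the blocking findings, and the gate verdict under 'passed'."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    blocking = []
    for res, score, suppressed in iter_findings(sarif):
        if suppressed:
            continue
        counts[severity_bucket(score)] += 1
        if score >= BLOCK_AT and res.get("baselineState") in NEW_STATES:
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            blocking.append({
                "rule": res.get("ruleId"),
                "score": score,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return {"counts": counts, "blocking": blocking, "passed": not blocking}


# Constructed SARIF: one new critical finding, the same rule suppressed elsewhere,
# a new medium finding, and a pre-existing low-severity note.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
      {"id": "sqli-string-concat", "properties": {"security-severity": "9.0"}},
      {"id": "weak-hash-md5",      "properties": {"security-severity": "5.0"}},
      {"id": "todo-comment"}
    ]}},
    "results": [
      {"ruleId": "sqli-string-concat", "level": "error", "baselineState": "new",
       "message": {"text": "SQL built by string concatenation"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
      {"ruleId": "sqli-string-concat", "level": "error", "baselineState": "new",
       "message": {"text": "SQL built by string concatenation"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/migrate.py"}, "region": {"startLine": 7}}}],
       "suppressions": [{"kind": "external", "status": "accepted", "justification": "offline script, constant input"}]},
      {"ruleId": "weak-hash-md5", "level": "warning", "baselineState": "new",
       "message": {"text": "MD5 used for integrity"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/cache.py"}, "region": {"startLine": 18}}}]},
      {"ruleId": "todo-comment", "level": "note", "baselineState": "unchanged",
       "message": {"text": "TODO left in code"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 3}}}]}
    ]
  }]
}
""")

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_SARIF)
    print(verdict["counts"])
    for b in verdict["blocking"]:
        print(f"BLOCK {b['rule']} ({b['score']}) at {b['file']}:{b['line']}")
    raise SystemExit(0 if verdict["passed"] else 1)
```

The verdict and the suppression justifications are the evidence the Release row's "vuln exceptions" artifact refers to; keeping them in the SARIF rather than in a side channel means the same file serves the gate, the reviewer and the auditor.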