DevSecOps 🔒
DevSecOps embeds security into the CI/CD pipeline rather than treating it as a post-deployment concern. This curriculum takes you from culture (Stage 0) through the scanners (Stage 1), build hardening (Stage 2), deploy gates (Stage 3), and runtime detection (Stage 4). 20 modules, ~400 lines each.
Curriculum Map
```
Stage 0 — Foundations    Stage 1 — Code  Stage 2 — Build
       (M01–M04)           (M05–M08)       (M09–M11)
┌─────────────────────┐  ┌──────────┐  ┌──────────┐
│ M01 Mindset         │  │ M05 SAST │  │ M09 Cnt  │
│ M02 Threat Modeling │  │ M06 Secr │  │ M10 IaC  │
│ M03 Secure SDLC     │  │ M07 SCA  │  │ M11 CI   │
│ M04 Security Reqs   │  │ M08 SBOM │  └──────────┘
└─────────────────────┘  └──────────┘

Stage 3 — Deploy       Stage 4 — Runtime
   (M12–M15)              (M16–M20)
┌──────────┐           ┌──────────┐
│ M12 OIDC │           │ M16 SecM │
│ M13 Sign │           │ M17 Det  │
│ M14 SLSA │           │ M18 Comp │
│ M15 PaC  │           │ M19 IR   │
└──────────┘           │ M20 CPS  │
                       └──────────┘
```
Modules
Stage 0 — Foundations
- M01: DevSecOps Mindset & Principles
- M02: Threat Modeling for DevSecOps
- M03: Secure SDLC
- M04: Security Requirements & Acceptance Criteria
Stage 1 — Code
- M05: Static Analysis (SAST)
- M06: Secrets Detection & Prevention
- M07: SCA & Dependency Scanning
- M08: SBOM Generation & Consumption
Stage 2 — Build
- M09: Container Image Scanning & Hardening
- M10: Infrastructure-as-Code Security
- M11: CI/CD Pipeline Hardening
Stage 3 — Deploy
- M12: Pipeline Identity & OIDC
- M13: Artifact Signing
- M14: Supply Chain Attestations & SLSA
- M15: Policy-as-Code
Stage 4 — Runtime
- M16: Runtime Secret Management
- M17: Runtime Detection & Response
- M18: Compliance Evidence & Audit Trail
- M19: Incident Response in CI
- M20: Capstone — End-to-End Secure Pipeline
Core Principles
- Shift left — Catch vulnerabilities early in the development cycle
- Shift right — Catch what got through at runtime
- Automation — Security checks run automatically on every commit/PR
- Defense in depth — Multiple layers of security at each stage
- Continuous improvement — Every incident makes the pipeline stronger
Pipeline Security Layers
Code → SAST → Dependency Scan → Container Scan → Deploy → Runtime Detection
1. SAST (Static Application Security Testing)
Scan source code for vulnerabilities before build. Tools: Semgrep, SonarQube, CodeQL.
2. Secrets Detection
Prevent credentials from entering the repository. Tools: Gitleaks, TruffleHog.
3. Dependency Scanning (SCA)
Detect vulnerable dependencies (CVEs) in packages/libraries. Tools: Trivy, Snyk, Dependabot.
4. Container Image Scanning
Scan base images and built artifacts. Reject builds with critical CVEs. Tools: Trivy, Grype, Clair.
5. IaC Scanning
Catch misconfigurations in Terraform, CloudFormation, K8s manifests. Tools: Checkov, tfsec, Trivy IaC.
6. Policy-as-Code
Enforce organizational policies at deploy time. Tools: OPA, Kyverno, CEL.
7. Runtime Detection
Detect anomalous behavior in running workloads. Tools: Falco, Tetragon, Wazuh.
Supply Chain Security
- SBOM — Software Bill of Materials for dependency visibility
- Sigstore — Sign and verify container images / artifacts
- SLSA — Supply-chain Levels for Software Artifacts
- VEX — Vulnerability Exploitability eXchange
Recommended Order
If you only have time for some modules, do these in order:
- M01 — culture and principles
- M02 — threat modeling in 30 minutes
- M06 — secrets prevention (the 4-minute window)
- M07 — SCA / dependency scanning
- M09 — container image hardening
- M11 — pipeline hardening
- M12 — OIDC federation
- M13 — artifact signing
- M15 — policy-as-code at admission
- M17 — runtime detection
- M20 — capstone
The other modules fill the gaps. The capstone is the integration.
Your Stack in This Wiki
| Component | Where it lives in this wiki |
|---|---|
| Trivy (container/SCA) | M07, M09 |
| Gitleaks (secrets) | M06 |
| Semgrep (SAST) | M05 |
| Checkov / tfsec (IaC) | M10 |
| Sigstore / cosign | M13 |
| OPA / Kyverno | M15 |
| Wazuh (SIEM) | README |
| Falco (runtime) | M17 |
Related
- DevOps — top-level DevOps hub
- Stage 0 README
- Stage 1 README
- Stage 2 README
- Stage 3 README
- Stage 4 README
- Security DevSecOps Hub
- Shift-Left Notes