DevSecOps: Security as Code, Not an Afterthought

The old model: build it, then have security audit it. The new model: security is everyone's job, every commit.

The Pipeline Architecture

# .gitlab-ci.yml
# `include` is a top-level keyword, not a job key; the SAST template
# defines the analyzer jobs, which we only re-assign to our own stage.
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - build
  - sast
  - container-scan
  - dast
  - deploy

variables:
  # the template reads SAST_EXCLUDED_PATHS (underscored) to skip vendored code
  SAST_EXCLUDED_PATHS: "node_modules, vendor"

sast:
  stage: sast

container-scan:
  stage: container-scan
  image: docker:stable
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - docker build -t app:latest .
    # Trivy runs as a container on the dind daemon, so it needs that daemon's
    # socket to read the image it just built; --exit-code makes the scan a gate
    # instead of a report nobody reads.
    - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --exit-code 1 --severity HIGH,CRITICAL app:latest
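A policy gate the container-scan job could run over Trivy's JSON output (`trivy image -f json -o report.json app:latest`), added here as an example and not part of the original article or of Trivy itself: it blocks the build on findings at or above a severity threshold unless an unexpired allowlist entry covers them, so accepted risks are explicit and time-boxed rather than silenced forever. The report, package names and CVE identifiers below are constructed sample data.

```python
import json
import sys
from datetime import date

# Trivy severity labels, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report, threshold="HIGH", allowlist=None, today=None):
    """Return findings at/above `threshold` not covered by a still-valid allowlist entry.

    `report` is a parsed Trivy JSON document; `allowlist` maps a vulnerability id
    to an ISO date on which the risk acceptance expires (expired entries do not count).
    """
    allowlist = allowlist or {}
    today = today or date.today()
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be null for clean targets
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < SEVERITY_RANK[threshold]:
                continue
            vuln_id = vuln["VulnerabilityID"]
            expiry = allowlist.get(vuln_id)
            if expiry is not None and date.fromisoformat(expiry) >= today:
                continue  # accepted risk, acceptance still valid
            blocking.append({"id": vuln_id, "pkg": vuln.get("PkgName"), "target": result.get("Target"),
                             "severity": vuln.get("Severity"), "fixed": vuln.get("FixedVersion", "")})
    return blocking


# Constructed sample report in Trivy's JSON layout; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {"Results": [{"Target": "app:latest (alpine 3.18.0)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL", "FixedVersion": "3.1.4-r0"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "Severity": "HIGH", "FixedVersion": "1.3-r1"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "musl", "Severity": "MEDIUM"},
]}, {"Target": "Node.js", "Vulnerabilities": None}]}

# Constructed allowlist: 0002 is accepted until 2099, the 0003 acceptance expired in 2000.
SAMPLE_ALLOWLIST = {"CVE-0000-0002": "2099-01-01", "CVE-0000-0003": "2000-01-01"}


def main(path=None):
    report = json.load(open(path)) if path else SAMPLE_REPORT
    found = blocking_findings(report, "HIGH", SAMPLE_ALLOWLIST)
    for f in found:
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['pkg']} in {f['target']} (fixed: {f['fixed'] or 'none'})")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

With the sample data the gate blocks on the critical finding and on the expired acceptance, while the still-valid acceptance and the medium finding pass.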

Shift Left Means Money Saved

Fixing a bug in development costs $1. In testing: $10. In production: $100+. Shift security left.

Secret Management

Never commit secrets. Use HashiCorp Vault or AWS Secrets Manager. Period.