DevSecOps — Integrating Security into Modern CI/CD Pipelines

Posted on: 4/24/2026 5:22:56 PM

Table of contents

1. DevSecOps — When Security Stops Being "Someone Else's Job"
2. From "Shift Left" to "Shift Smart" — Evolving Security Thinking
3. SAST — Catching Security Bugs Directly in Source Code
1. 3.1 Popular SAST Tools Compared
2. 3.2 Integrating SAST with GitHub Actions
  1. Best practice: Only block PRs on high severity
4. SCA & SBOM — Managing Dependency Risk
5. Secrets Scanning — Preventing Credential Leaks
1. 5.1 Blocking Secrets at Pre-commit
2. 5.2 GitHub Secret Scanning & Push Protection
  1. Proper secrets management
6. DAST — Testing Security of Running Applications
1. 6.1 Popular DAST Tools
2. 6.2 OWASP ZAP in GitHub Actions
7. Container Security — From Base Image to Runtime
1. 7.1 Scanning Images in CI/CD
2. 7.2 Secure Dockerfile Practices
  1. Minimal base image principle
8. Supply Chain Security — Protecting the Entire Software Supply Chain
1. 8.1 SLSA Framework — Ensuring Artifact Integrity
2. 8.2 Signing and Verifying Artifacts
9. AI in DevSecOps — New Opportunities and Risks
1. 9.1 Securing AI-Generated Code
  1. Must validate AI-generated code
2. 9.2 AI-Powered Vulnerability Detection
10. Building a Comprehensive DevSecOps Pipeline
1. 10.1 Practical Adoption Roadmap
11. Measuring DevSecOps Effectiveness
1. Start with MTTR, not vulnerability count
12. Conclusion
References

1. DevSecOps — When Security Stops Being "Someone Else's Job"

In the traditional software development model, security was often a checkpoint at the end of the process — right before deploying to production. The security team would receive a near-complete build, scan for vulnerabilities, and return a long list of issues to fix. The result? Missed deadlines, developers having to revisit code written weeks ago, and many security flaws being "risk accepted" because the cost of fixing was too high.

DevSecOps flips this model: integrating security checks into every step of the CI/CD pipeline, from the moment a developer writes code in their IDE to when a container is deployed to production. In 2026, DevSecOps is no longer "nice-to-have" — it's baseline. According to GitLab's survey, 84% of organizations struggle with the cost and complexity of observability/security, while some organizations spend over $130,000/month on security tooling. DevSecOps addresses this by catching bugs early — when the cost of fixing is still low.

84%organizations struggle with security costs

6xcheaper to fix bugs in dev vs production

59%engineers report improved code quality with AI tools

80-90%telemetry volume reduction with smart filtering

2. From "Shift Left" to "Shift Smart" — Evolving Security Thinking

"Shift Left" — moving security checks earlier in the development timeline — has been a popular concept for years. But in 2026, the community has realized that just "shifting left" isn't enough. If you run 15 scanning tools on every commit, developers get flooded with alert noise, the pipeline slows down by 10 minutes per push, and everyone starts ignoring results — like the boy who cried wolf too many times.

"Shift Smart" is the next evolution: placing the right tool, at the right stage, with the right severity threshold. SAST runs on every PR but only blocks on Critical/High severity. DAST runs on staging before promoting to production. SCA scans dependencies daily but only alerts when there's a CVE with a public exploit. The result is a pipeline that's both fast and secure, where developers actually read the results instead of skipping them.

graph LR
    A["Developer IDE"] -->|SAST real-time| B["Pre-commit Hook"]
    B -->|Secrets scan| C["Pull Request"]
    C -->|SAST + SCA| D["CI Build"]
    D -->|Container scan| E["Staging"]
    E -->|DAST| F["Pre-production"]
    F -->|Compliance check| G["Production"]
    G -->|Runtime protection| H["Monitoring"]

    style A fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style C fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style D fill:#e94560,stroke:#fff,color:#fff
    style E fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style G fill:#4CAF50,stroke:#fff,color:#fff
    style H fill:#2c3e50,stroke:#fff,color:#fff

End-to-end DevSecOps pipeline: each stage has appropriate security tooling

3. SAST — Catching Security Bugs Directly in Source Code

Static Application Security Testing (SAST) analyzes source code without running the application. SAST tools read code, build an Abstract Syntax Tree (AST), and search for dangerous patterns: SQL injection, XSS, path traversal, insecure deserialization, hardcoded credentials...

SAST's strength is detecting bugs very early — right when the developer writes code. Many modern IDEs (VS Code, JetBrains) have integrated real-time SAST, highlighting security bugs like syntax errors. When running in CI, SAST scans the entire codebase and reports results on the PR.

3.1 Popular SAST Tools Compared

Tool	Languages Supported	CI/CD Integration	Free?	Key Strength
Semgrep	30+ languages	GitHub Actions, GitLab CI, Azure Pipelines	Community rules free	Custom rules via pattern matching, fast, easy rule authoring
CodeQL (GitHub)	C/C++, C#, Java, JS/TS, Python, Go, Ruby, Swift, Kotlin	GitHub Actions native	Free for public repos	Powerful query language, finds complex data-flow vulnerabilities
SonarQube	30+ languages	Any CI system	Community Edition free	Quality gate + security, integrates code smell detection
Checkmarx	25+ languages	Any CI system	No (enterprise)	Deep data-flow analysis, compliance reporting
Snyk Code	15+ languages	GitHub, GitLab, Bitbucket, Azure	Limited free tier	AI-powered fix suggestions, developer-first UX

3.2 Integrating SAST with GitHub Actions

# .github/workflows/security-sast.yml
name: SAST Security Scan
on:
  pull_request:
    branches: [main, develop]

jobs:
  codeql-analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp, javascript
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:csharp"

  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          SEMGREP_RULES: >-
            p/owasp-top-ten
            p/csharp
            p/javascript

Best practice: Only block PRs on high severity

Configure SAST to only fail the build when Critical or High severity issues are found. Medium/Low issues should still be reported but not block merging — this keeps developer experience good while ensuring serious vulnerabilities don't slip through.

4. SCA & SBOM — Managing Dependency Risk

According to statistics, 80-90% of code in a modern application comes from third-party dependencies. You can write flawless application code, but if an npm library or NuGet package has a critical CVE, your system is still vulnerable. Software Composition Analysis (SCA) solves this by scanning all dependencies, comparing against CVE databases, and alerting about versions with known vulnerabilities.

4.1 SBOM — The "Ingredient Label" of Software

Software Bill of Materials (SBOM) is a formal list of all components, libraries, and dependencies in an application — like the ingredient label on food packaging. In 2026, SBOM isn't just a best practice but is becoming a legal requirement in many countries (per US Executive Order 14028 and similar EU regulations).

graph TD
    APP["Your Application"] --> DEP1["NuGet packages"]
    APP --> DEP2["npm packages"]
    APP --> DEP3["Docker base image"]
    DEP1 --> SCAN["SCA Scanner"]
    DEP2 --> SCAN
    DEP3 --> SCAN
    SCAN --> CVE["CVE Database"]
    SCAN --> SBOM["SBOM Generation"]
    CVE --> ALERT["Vulnerability Alerts"]
    SBOM --> COMPLY["Compliance Report"]
    SBOM --> AUDIT["Security Audit Trail"]

    style APP fill:#e94560,stroke:#fff,color:#fff
    style SCAN fill:#2c3e50,stroke:#fff,color:#fff
    style SBOM fill:#4CAF50,stroke:#fff,color:#fff
    style ALERT fill:#ff9800,stroke:#fff,color:#fff

SCA and SBOM generation workflow in the pipeline

4.2 SCA for .NET Projects

# Scan for vulnerable NuGet packages
dotnet list package --vulnerable --include-transitive

# Generate SBOM in CycloneDX format
dotnet tool install --global CycloneDX
dotnet CycloneDX myproject.sln -o ./sbom -f json

# Or use GitHub CLI to generate SBOM from dependency graph
gh sbom --format spdx

4.3 Dependabot — Automated Dependency Updates

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"

  - package-ecosystem: "npm"
    directory: "/ClientApp"
    schedule:
      interval: "daily"
    allow:
      - dependency-type: "direct"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

Warning: Transitive dependencies

Many vulnerabilities exist in transitive dependencies — libraries that your libraries depend on. Always use the --include-transitive flag when scanning, and consider using Directory.Packages.props (Central Package Management) in .NET to control versions consistently across the entire solution.

5. Secrets Scanning — Preventing Credential Leaks

One of the most common — and most dangerous — security mistakes is committing secrets (API keys, database passwords, private keys) into source code. According to GitHub, in 2025 they detected over 39 million leaked secrets on the platform. Every exposed secret is an open door for attackers.

5.1 Blocking Secrets at Pre-commit

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

5.2 GitHub Secret Scanning & Push Protection

GitHub provides two free protection features for public repositories:

Secret scanning: scans the entire repository to find committed secrets, notifies service providers (AWS, Azure, Stripe...) to automatically revoke keys
Push protection: blocks pushes at the moment a developer attempts to push code containing secrets — before it enters the repository

# Check secret scanning alerts on a repo
gh api repos/{owner}/{repo}/secret-scanning/alerts \
  --jq '.[] | "\(.secret_type): \(.state) - \(.html_url)"'

# List all open alerts
gh secret-scanning list --state open

Proper secrets management

Instead of hardcoding secrets, use: Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, or GitHub Actions secrets. In CI/CD, inject secrets via environment variables at runtime, never store them in config files that get committed.

6. DAST — Testing Security of Running Applications

Dynamic Application Security Testing (DAST) differs from SAST in that instead of reading source code, DAST attacks a running application like a real hacker. It sends requests containing malicious payloads (SQL injection strings, XSS payloads, path traversal sequences...) and analyzes responses to detect vulnerabilities.

DAST is particularly effective at finding bugs that SAST can't see: server misconfiguration, missing security headers, CORS misconfiguration, authentication bypass, and issues that only appear when the application runs on real infrastructure.

sequenceDiagram
    participant CI as CI/CD Pipeline
    participant DAST as DAST Scanner
    participant APP as Staging App
    participant DB as Database

    CI->>APP: Deploy to staging
    CI->>DAST: Trigger scan
    DAST->>APP: GET /api/users?id=1 OR 1=1
    APP->>DB: Query (if vulnerable)
    APP-->>DAST: Response 200 + data leak
    DAST->>DAST: Detect SQL Injection!
    DAST->>APP: POST /login (brute force patterns)
    APP-->>DAST: Response analysis
    DAST->>APP: GET /admin (authorization bypass)
    APP-->>DAST: Response 200 (should be 403!)
    DAST->>DAST: Detect Broken Access Control!
    DAST-->>CI: Report with vulnerability list
    CI->>CI: Fail pipeline if Critical found

DAST scan flow in a staging environment

6.1 Popular DAST Tools

Tool	Type	CI/CD Integration	Cost
OWASP ZAP	Full-featured scanner	GitHub Actions, GitLab, Jenkins	Free (open source)
Nuclei	Template-based scanner	Any CI system	Free (open source)
Burp Suite	Professional scanner	API-based integration	Enterprise license
Astra Security	Cloud-based	API + webhooks	SaaS pricing

6.2 OWASP ZAP in GitHub Actions

# .github/workflows/dast-scan.yml
name: DAST Security Scan
on:
  workflow_run:
    workflows: ["Deploy to Staging"]
    types: [completed]

jobs:
  zap-scan:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Full Scan
        uses: zaproxy/action-full-scan@v0.12.0
        with:
          target: 'https://staging.myapp.com'
          rules_file_name: '.zap/rules.tsv'
          fail_action: true
          allow_issue_writing: true
          issue_title: "ZAP Security Scan Report"
          cmd_options: '-a -j -T 60'

7. Container Security — From Base Image to Runtime

Containers (Docker, Podman) are the standard deployment unit in 2026, but they're also a new attack vector. A base image like node:18 can contain hundreds of CVEs in system libraries (OpenSSL, glibc, curl...). If you only scan application code but skip the container image, you're ignoring a massive attack surface.

7.1 Scanning Images in CI/CD

# GitHub Actions with Trivy
- name: Scan container image
  uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

- name: Upload scan results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif'

7.2 Secure Dockerfile Practices

# Multi-stage build for .NET — reduce attack surface
FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore
COPY . .
RUN dotnet publish -c Release -o /app --no-restore

# Runtime image: use distroless or alpine
FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine AS runtime
# Run as non-root user
RUN adduser -D -u 1001 appuser
USER appuser
WORKDIR /app
COPY --from=build /app .
EXPOSE 8080
ENTRYPOINT ["dotnet", "MyApp.dll"]

Minimal base image principle

Always use alpine or distroless for runtime images. Compared to debian-bookworm (~120MB, 300+ packages), alpine is only 5MB with ~15 packages — significantly reducing the attack surface. With .NET 10, Microsoft provides ready-made -alpine and -chiseled (distroless) images that are already optimized.

8. Supply Chain Security — Protecting the Entire Software Supply Chain

Supply chain attacks have become one of the most dangerous vectors. Instead of attacking your application directly, attackers target dependencies, build tools, CI/CD pipelines, or underlying infrastructure. High-profile incidents like SolarWinds (2020), Log4Shell (2021), and the xz-utils backdoor (2024) demonstrate that a single compromised library can affect millions of systems.

graph TD
    subgraph "Attack Surface"
    A1["Source Code"] --> B1["Typosquatting package"]
    A2["Build System"] --> B2["Compromised CI runner"]
    A3["Dependencies"] --> B3["Malicious update"]
    A4["Registry"] --> B4["Account takeover"]
    A5["Deployment"] --> B5["Tampered artifact"]
    end

    subgraph "Defense Layers"
    C1["Signed commits + branch protection"]
    C2["Ephemeral runners + least privilege"]
    C3["Lock files + SCA + audit"]
    C4["2FA + publishing restrictions"]
    C5["SLSA provenance + artifact signing"]
    end

    B1 -.->|Prevented by| C1
    B2 -.->|Prevented by| C2
    B3 -.->|Prevented by| C3
    B4 -.->|Prevented by| C4
    B5 -.->|Prevented by| C5

    style A1 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A2 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A3 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A4 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A5 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style C1 fill:#4CAF50,stroke:#fff,color:#fff
    style C2 fill:#4CAF50,stroke:#fff,color:#fff
    style C3 fill:#4CAF50,stroke:#fff,color:#fff
    style C4 fill:#4CAF50,stroke:#fff,color:#fff
    style C5 fill:#4CAF50,stroke:#fff,color:#fff

Supply chain attack surfaces and corresponding defense layers

8.1 SLSA Framework — Ensuring Artifact Integrity

SLSA (Supply-chain Levels for Software Artifacts) is a framework developed by Google that defines 4 security levels for build processes:

SLSA Level	Requirements	Protects Against
Level 1	Build process documented, provenance metadata exists	No attestation, but audit trail available
Level 2	Authenticated build service, signed provenance	Tampering after build
Level 3	Build on hardened infrastructure, no direct developer intervention	Insider threats, compromised build environment
Level 4	Two-party review, hermetic build, reproducible	All known forms of tampering

8.2 Signing and Verifying Artifacts

# Sign container image with Cosign (Sigstore)
cosign sign --key cosign.key myregistry.com/myapp:v1.0

# Verify before deploying
cosign verify --key cosign.pub myregistry.com/myapp:v1.0

# Attach SBOM to image
cosign attach sbom --sbom ./sbom.json myregistry.com/myapp:v1.0

# Create SLSA provenance with GitHub Actions
# (use slsa-framework/slsa-github-generator)

9. AI in DevSecOps — New Opportunities and Risks

In 2026, AI has deeply penetrated the software development process. 59% of software engineers using AI tools report significant improvements in code quality. But AI also creates new security challenges that DevSecOps pipelines need to handle.

9.1 Securing AI-Generated Code

AI code assistants (GitHub Copilot, Claude Code, Cursor) can generate code containing security vulnerabilities — especially when trained on older code with vulnerability patterns. Research shows AI-generated code has a similar or higher rate of security bugs compared to human-written code in certain categories.

Must validate AI-generated code

CI/CD pipelines must run SAST on all code, regardless of origin (human or AI). Pay special attention to: external model dependencies, third-party inference APIs, and prompt injection vectors when applications use LLMs. Never trust AI output without verification — treat it as untrusted input.

9.2 AI-Powered Vulnerability Detection

On the positive side, AI is significantly improving vulnerability detection capabilities:

ML-powered SAST/DAST: reducing false positive rates from 40-60% down to below 15% by understanding code context
Automated triage: AI classifies and prioritizes alerts based on exploitability, business impact, and exposure
Fix suggestions: tools like Snyk Code, GitHub Copilot Autofix propose specific fixes for each vulnerability
Anomaly detection: detecting unusual patterns in dependency updates (e.g., new maintainer, obfuscated code, changelog anomalies)

10. Building a Comprehensive DevSecOps Pipeline

After understanding each individual tool, let's combine them into a complete pipeline. The principle is: incremental adoption — add one security layer at a time, don't try to implement everything at once.

graph TB
    subgraph "Phase 1: Developer Workstation"
    IDE["IDE Security Plugins
Semgrep, SonarLint"]
    PRE["Pre-commit Hooks
Gitleaks, detect-secrets"]
    end

    subgraph "Phase 2: CI Pipeline"
    SAST2["SAST
CodeQL / Semgrep"]
    SCA2["SCA + License Check
Dependabot / Snyk"]
    UNIT["Unit + Integration Tests"]
    BUILD["Docker Build"]
    CSCAN["Container Scan
Trivy / Grype"]
    SBOM2["SBOM Generation
CycloneDX / SPDX"]
    end

    subgraph "Phase 3: Staging"
    DEPLOY["Deploy to Staging"]
    DAST2["DAST
OWASP ZAP"]
    PERF["Performance + Load Test"]
    end

    subgraph "Phase 4: Production"
    SIGN["Artifact Signing
Cosign / Notation"]
    PROD["Deploy to Production"]
    RUNTIME["Runtime Protection
Falco / WAF"]
    MONITOR["Security Monitoring
SIEM + Alerting"]
    end

    IDE --> PRE --> SAST2
    SAST2 --> SCA2 --> UNIT --> BUILD
    BUILD --> CSCAN --> SBOM2
    SBOM2 --> DEPLOY --> DAST2 --> PERF
    PERF --> SIGN --> PROD --> RUNTIME --> MONITOR

    style IDE fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style SAST2 fill:#e94560,stroke:#fff,color:#fff
    style SCA2 fill:#e94560,stroke:#fff,color:#fff
    style CSCAN fill:#2c3e50,stroke:#fff,color:#fff
    style DAST2 fill:#2c3e50,stroke:#fff,color:#fff
    style PROD fill:#4CAF50,stroke:#fff,color:#fff
    style MONITOR fill:#4CAF50,stroke:#fff,color:#fff

4-phase DevSecOps pipeline: from IDE to production monitoring

10.1 Practical Adoption Roadmap

Week 1-2: Foundation

Enable GitHub Secret Scanning + Push Protection (free). Add Gitleaks pre-commit hook. Run dotnet list package --vulnerable once to assess current state.

Week 3-4: SAST

Add CodeQL or Semgrep to PR workflow. Only block on Critical/High. Review false positives and tune rules during the first 2 weeks.

Month 2: SCA + SBOM

Enable Dependabot for NuGet, npm, and Docker. Configure Central Package Management. Auto-generate SBOM in CI.

Month 3: Container + DAST

Add Trivy scanning for Docker images. Set up OWASP ZAP full scan for staging. Switch to alpine/distroless base images.

Month 4+: Supply Chain

Implement artifact signing with Cosign. Set up SLSA Level 2 provenance. Continuously review and improve based on metrics.

11. Measuring DevSecOps Effectiveness

You can't improve what you don't measure. Here are the key metrics for evaluating your DevSecOps pipeline:

Metric	Target	How to Measure
Mean Time to Remediate (MTTR)	< 7 days for Critical, < 30 days for High	Time from detection to fix deployed
Vulnerability Escape Rate	< 5%	Vulnerabilities found in production / total found
False Positive Rate	< 15%	Alerts dismissed / total alerts
Pipeline Overhead	< 10 minutes added	Additional CI time due to security scanning
Dependency Freshness	> 80% packages on latest	Ratio of dependencies on latest minor/patch
SBOM Coverage	100% services have SBOM	Services with SBOM / total services

Start with MTTR, not vulnerability count

Many teams make the mistake of measuring "number of vulnerabilities found" — this metric incentivizes finding more bugs rather than fixing them. MTTR (time to fix) is the metric that truly reflects response capability. A team with 100 vulnerabilities but 3-day MTTR is far better than a team with 20 vulnerabilities but 90-day MTTR.

12. Conclusion

DevSecOps isn't about adding one more step to the pipeline — it's about changing how the entire team thinks about security. In 2026, with the maturity of free tools (CodeQL, Semgrep, Trivy, OWASP ZAP, Gitleaks, Dependabot) and native platform support (GitHub Advanced Security, Azure DevOps, GitLab), building a comprehensive DevSecOps pipeline no longer requires a massive budget. Start small with secrets scanning and SAST on PRs, then expand gradually — every security layer added significantly reduces the risk of a breach.

Most importantly: security is a shared responsibility. DevSecOps only succeeds when every engineer on the team understands and commits to it — not because they're forced to, but because it's the right way to build software.

References

#DevSecOps #CI/CD #Security #SAST #DAST #SBOM #GitHub Actions #Container Security #Supply Chain Security

# DevSecOps — Integrating Security into Modern CI/CD Pipelines

## 1. DevSecOps — When Security Stops Being "Someone Else's Job"

**DevSecOps** flips this model: integrating security checks into *every step* of the CI/CD pipeline, from the moment a developer writes code in their IDE to when a container is deployed to production. In 2026, DevSecOps is no longer "nice-to-have" — it's baseline. According to GitLab's survey, **84% of organizations** struggle with the cost and complexity of observability/security, while some organizations spend over **$130,000/month** on security tooling. DevSecOps addresses this by catching bugs early — when the cost of fixing is still low.

84%organizations struggle with security costs

6xcheaper to fix bugs in dev vs production

59%engineers report improved code quality with AI tools

80-90%telemetry volume reduction with smart filtering

## 2. From "Shift Left" to "Shift Smart" — Evolving Security Thinking

**"Shift Smart"** is the next evolution: placing the right tool, at the right stage, with the right severity threshold. SAST runs on every PR but only blocks on Critical/High severity. DAST runs on staging before promoting to production. SCA scans dependencies daily but only alerts when there's a CVE with a public exploit. The result is a pipeline that's both fast and secure, where developers actually read the results instead of skipping them.

style A fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style C fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style D fill:#e94560,stroke:#fff,color:#fff
    style E fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style G fill:#4CAF50,stroke:#fff,color:#fff
    style H fill:#2c3e50,stroke:#fff,color:#fff

```

End-to-end DevSecOps pipeline: each stage has appropriate security tooling

## 3. SAST — Catching Security Bugs Directly in Source Code

**Static Application Security Testing (SAST)** analyzes source code without running the application. SAST tools read code, build an Abstract Syntax Tree (AST), and search for dangerous patterns: SQL injection, XSS, path traversal, insecure deserialization, hardcoded credentials...

SAST's strength is detecting bugs *very early* — right when the developer writes code. Many modern IDEs (VS Code, JetBrains) have integrated real-time SAST, highlighting security bugs like syntax errors. When running in CI, SAST scans the entire codebase and reports results on the PR.

### 3.1 Popular SAST Tools Compared

| Tool | Languages Supported | CI/CD Integration | Free? | Key Strength |
| --- | --- | --- | --- | --- |
| **Semgrep** | 30+ languages | GitHub Actions, GitLab CI, Azure Pipelines | Community rules free | Custom rules via pattern matching, fast, easy rule authoring |
| **CodeQL (GitHub)** | C/C++, C#, Java, JS/TS, Python, Go, Ruby, Swift, Kotlin | GitHub Actions native | Free for public repos | Powerful query language, finds complex data-flow vulnerabilities |
| **SonarQube** | 30+ languages | Any CI system | Community Edition free | Quality gate + security, integrates code smell detection |
| **Checkmarx** | 25+ languages | Any CI system | No (enterprise) | Deep data-flow analysis, compliance reporting |
| **Snyk Code** | 15+ languages | GitHub, GitLab, Bitbucket, Azure | Limited free tier | AI-powered fix suggestions, developer-first UX |

### 3.2 Integrating SAST with GitHub Actions

```yaml
# .github/workflows/security-sast.yml
name: SAST Security Scan
on:
  pull_request:
    branches: [main, develop]

jobs:
  codeql-analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp, javascript
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:csharp"

semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
        env:
          SEMGREP_RULES: >-
            p/owasp-top-ten
            p/csharp
            p/javascript
```

#### Best practice: Only block PRs on high severity

Configure SAST to only fail the build when **Critical** or **High** severity issues are found. Medium/Low issues should still be reported but not block merging — this keeps developer experience good while ensuring serious vulnerabilities don't slip through.

## 4. SCA & SBOM — Managing Dependency Risk

According to statistics, **80-90% of code in a modern application comes from third-party dependencies**. You can write flawless application code, but if an npm library or NuGet package has a critical CVE, your system is still vulnerable. **Software Composition Analysis (SCA)** solves this by scanning all dependencies, comparing against CVE databases, and alerting about versions with known vulnerabilities.

### 4.1 SBOM — The "Ingredient Label" of Software

**Software Bill of Materials (SBOM)** is a formal list of all components, libraries, and dependencies in an application — like the ingredient label on food packaging. In 2026, SBOM isn't just a best practice but is becoming a *legal requirement* in many countries (per US Executive Order 14028 and similar EU regulations).

```
graph TD
    APP["Your Application"] --> DEP1["NuGet packages"]
    APP --> DEP2["npm packages"]
    APP --> DEP3["Docker base image"]
    DEP1 --> SCAN["SCA Scanner"]
    DEP2 --> SCAN
    DEP3 --> SCAN
    SCAN --> CVE["CVE Database"]
    SCAN --> SBOM["SBOM Generation"]
    CVE --> ALERT["Vulnerability Alerts"]
    SBOM --> COMPLY["Compliance Report"]
    SBOM --> AUDIT["Security Audit Trail"]

style APP fill:#e94560,stroke:#fff,color:#fff
    style SCAN fill:#2c3e50,stroke:#fff,color:#fff
    style SBOM fill:#4CAF50,stroke:#fff,color:#fff
    style ALERT fill:#ff9800,stroke:#fff,color:#fff

```

SCA and SBOM generation workflow in the pipeline

### 4.2 SCA for .NET Projects

```bash
# Scan for vulnerable NuGet packages
dotnet list package --vulnerable --include-transitive

# Generate SBOM in CycloneDX format
dotnet tool install --global CycloneDX
dotnet CycloneDX myproject.sln -o ./sbom -f json

# Or use GitHub CLI to generate SBOM from dependency graph
gh sbom --format spdx
```

### 4.3 Dependabot — Automated Dependency Updates

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"

- package-ecosystem: "npm"
    directory: "/ClientApp"
    schedule:
      interval: "daily"
    allow:
      - dependency-type: "direct"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

- package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

#### Warning: Transitive dependencies

Many vulnerabilities exist in *transitive dependencies* — libraries that your libraries depend on. Always use the `--include-transitive` flag when scanning, and consider using `Directory.Packages.props` (Central Package Management) in .NET to control versions consistently across the entire solution.

## 5. Secrets Scanning — Preventing Credential Leaks

One of the most common — and most dangerous — security mistakes is committing secrets (API keys, database passwords, private keys) into source code. According to GitHub, in 2025 they detected **over 39 million leaked secrets** on the platform. Every exposed secret is an open door for attackers.

### 5.1 Blocking Secrets at Pre-commit

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

- repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
```

### 5.2 GitHub Secret Scanning & Push Protection

GitHub provides two free protection features for public repositories:

- **Secret scanning**: scans the entire repository to find committed secrets, notifies service providers (AWS, Azure, Stripe...) to automatically revoke keys
- **Push protection**: blocks pushes at the moment a developer attempts to push code containing secrets — before it enters the repository

```bash
# Check secret scanning alerts on a repo
gh api repos/{owner}/{repo}/secret-scanning/alerts \
  --jq '.[] | "\(.secret_type): \(.state) - \(.html_url)"'

# List all open alerts
gh secret-scanning list --state open
```

#### Proper secrets management

Instead of hardcoding secrets, use: **Azure Key Vault**, **AWS Secrets Manager**, **HashiCorp Vault**, or **GitHub Actions secrets**. In CI/CD, inject secrets via environment variables at runtime, never store them in config files that get committed.

## 6. DAST — Testing Security of Running Applications

**Dynamic Application Security Testing (DAST)** differs from SAST in that instead of reading source code, DAST attacks a running application like a real hacker. It sends requests containing malicious payloads (SQL injection strings, XSS payloads, path traversal sequences...) and analyzes responses to detect vulnerabilities.

```
sequenceDiagram
    participant CI as CI/CD Pipeline
    participant DAST as DAST Scanner
    participant APP as Staging App
    participant DB as Database

CI->>APP: Deploy to staging
    CI->>DAST: Trigger scan
    DAST->>APP: GET /api/users?id=1 OR 1=1
    APP->>DB: Query (if vulnerable)
    APP-->>DAST: Response 200 + data leak
    DAST->>DAST: Detect SQL Injection!
    DAST->>APP: POST /login (brute force patterns)
    APP-->>DAST: Response analysis
    DAST->>APP: GET /admin (authorization bypass)
    APP-->>DAST: Response 200 (should be 403!)
    DAST->>DAST: Detect Broken Access Control!
    DAST-->>CI: Report with vulnerability list
    CI->>CI: Fail pipeline if Critical found

```

DAST scan flow in a staging environment

### 6.1 Popular DAST Tools

| Tool | Type | CI/CD Integration | Cost |
| --- | --- | --- | --- |
| **OWASP ZAP** | Full-featured scanner | GitHub Actions, GitLab, Jenkins | Free (open source) |
| **Nuclei** | Template-based scanner | Any CI system | Free (open source) |
| **Burp Suite** | Professional scanner | API-based integration | Enterprise license |
| **Astra Security** | Cloud-based | API + webhooks | SaaS pricing |

### 6.2 OWASP ZAP in GitHub Actions

```yaml
# .github/workflows/dast-scan.yml
name: DAST Security Scan
on:
  workflow_run:
    workflows: ["Deploy to Staging"]
    types: [completed]

jobs:
  zap-scan:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Full Scan
        uses: zaproxy/action-full-scan@v0.12.0
        with:
          target: 'https://staging.myapp.com'
          rules_file_name: '.zap/rules.tsv'
          fail_action: true
          allow_issue_writing: true
          issue_title: "ZAP Security Scan Report"
          cmd_options: '-a -j -T 60'
```

## 7. Container Security — From Base Image to Runtime

Containers (Docker, Podman) are the standard deployment unit in 2026, but they're also a new attack vector. A base image like `node:18` can contain hundreds of CVEs in system libraries (OpenSSL, glibc, curl...). If you only scan application code but skip the container image, you're ignoring a massive attack surface.

### 7.1 Scanning Images in CI/CD

```yaml
# GitHub Actions with Trivy
- name: Scan container image
  uses: aquasecurity/trivy-action@0.28.0
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

- name: Upload scan results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif'
```

### 7.2 Secure Dockerfile Practices

```dockerfile
# Multi-stage build for .NET — reduce attack surface
FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore
COPY . .
RUN dotnet publish -c Release -o /app --no-restore

# Runtime image: use distroless or alpine
FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine AS runtime
# Run as non-root user
RUN adduser -D -u 1001 appuser
USER appuser
WORKDIR /app
COPY --from=build /app .
EXPOSE 8080
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

#### Minimal base image principle

Always use `alpine` or `distroless` for runtime images. Compared to `debian-bookworm` (~120MB, 300+ packages), `alpine` is only 5MB with ~15 packages — significantly reducing the attack surface. With .NET 10, Microsoft provides ready-made `-alpine` and `-chiseled` (distroless) images that are already optimized.

## 8. Supply Chain Security — Protecting the Entire Software Supply Chain

```
graph TD
    subgraph "Attack Surface"
    A1["Source Code"] --> B1["Typosquatting package"]
    A2["Build System"] --> B2["Compromised CI runner"]
    A3["Dependencies"] --> B3["Malicious update"]
    A4["Registry"] --> B4["Account takeover"]
    A5["Deployment"] --> B5["Tampered artifact"]
    end

subgraph "Defense Layers"
    C1["Signed commits + branch protection"]
    C2["Ephemeral runners + least privilege"]
    C3["Lock files + SCA + audit"]
    C4["2FA + publishing restrictions"]
    C5["SLSA provenance + artifact signing"]
    end

B1 -.->|Prevented by| C1
    B2 -.->|Prevented by| C2
    B3 -.->|Prevented by| C3
    B4 -.->|Prevented by| C4
    B5 -.->|Prevented by| C5

style A1 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A2 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A3 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A4 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style A5 fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style C1 fill:#4CAF50,stroke:#fff,color:#fff
    style C2 fill:#4CAF50,stroke:#fff,color:#fff
    style C3 fill:#4CAF50,stroke:#fff,color:#fff
    style C4 fill:#4CAF50,stroke:#fff,color:#fff
    style C5 fill:#4CAF50,stroke:#fff,color:#fff

```

Supply chain attack surfaces and corresponding defense layers

### 8.1 SLSA Framework — Ensuring Artifact Integrity

**SLSA (Supply-chain Levels for Software Artifacts)** is a framework developed by Google that defines 4 security levels for build processes:

| SLSA Level | Requirements | Protects Against |
| --- | --- | --- |
| **Level 1** | Build process documented, provenance metadata exists | No attestation, but audit trail available |
| **Level 2** | Authenticated build service, signed provenance | Tampering after build |
| **Level 3** | Build on hardened infrastructure, no direct developer intervention | Insider threats, compromised build environment |
| **Level 4** | Two-party review, hermetic build, reproducible | All known forms of tampering |

### 8.2 Signing and Verifying Artifacts

```bash
# Sign container image with Cosign (Sigstore)
cosign sign --key cosign.key myregistry.com/myapp:v1.0

# Verify before deploying
cosign verify --key cosign.pub myregistry.com/myapp:v1.0

# Attach SBOM to image
cosign attach sbom --sbom ./sbom.json myregistry.com/myapp:v1.0

# Create SLSA provenance with GitHub Actions
# (use slsa-framework/slsa-github-generator)
```

## 9. AI in DevSecOps — New Opportunities and Risks

In 2026, AI has deeply penetrated the software development process. **59% of software engineers** using AI tools report significant improvements in code quality. But AI also creates new security challenges that DevSecOps pipelines need to handle.

### 9.1 Securing AI-Generated Code

#### Must validate AI-generated code

CI/CD pipelines must run SAST on **all code**, regardless of origin (human or AI). Pay special attention to: external model dependencies, third-party inference APIs, and prompt injection vectors when applications use LLMs. Never trust AI output without verification — treat it as untrusted input.

### 9.2 AI-Powered Vulnerability Detection

On the positive side, AI is significantly improving vulnerability detection capabilities:

- **ML-powered SAST/DAST**: reducing false positive rates from 40-60% down to below 15% by understanding code context
- **Automated triage**: AI classifies and prioritizes alerts based on exploitability, business impact, and exposure
- **Fix suggestions**: tools like Snyk Code, GitHub Copilot Autofix propose specific fixes for each vulnerability
- **Anomaly detection**: detecting unusual patterns in dependency updates (e.g., new maintainer, obfuscated code, changelog anomalies)

## 10. Building a Comprehensive DevSecOps Pipeline

After understanding each individual tool, let's combine them into a complete pipeline. The principle is: *incremental adoption* — add one security layer at a time, don't try to implement everything at once.

```
graph TB
    subgraph "Phase 1: Developer Workstation"
    IDE["IDE Security Plugins  
Semgrep, SonarLint"]
    PRE["Pre-commit Hooks  
Gitleaks, detect-secrets"]
    end

subgraph "Phase 2: CI Pipeline"
    SAST2["SAST  
CodeQL / Semgrep"]
    SCA2["SCA + License Check  
Dependabot / Snyk"]
    UNIT["Unit + Integration Tests"]
    BUILD["Docker Build"]
    CSCAN["Container Scan  
Trivy / Grype"]
    SBOM2["SBOM Generation  
CycloneDX / SPDX"]
    end

subgraph "Phase 3: Staging"
    DEPLOY["Deploy to Staging"]
    DAST2["DAST  
OWASP ZAP"]
    PERF["Performance + Load Test"]
    end

subgraph "Phase 4: Production"
    SIGN["Artifact Signing  
Cosign / Notation"]
    PROD["Deploy to Production"]
    RUNTIME["Runtime Protection  
Falco / WAF"]
    MONITOR["Security Monitoring  
SIEM + Alerting"]
    end

IDE --> PRE --> SAST2
    SAST2 --> SCA2 --> UNIT --> BUILD
    BUILD --> CSCAN --> SBOM2
    SBOM2 --> DEPLOY --> DAST2 --> PERF
    PERF --> SIGN --> PROD --> RUNTIME --> MONITOR

style IDE fill:#f8f9fa,stroke:#e94560,color:#2c3e50
    style SAST2 fill:#e94560,stroke:#fff,color:#fff
    style SCA2 fill:#e94560,stroke:#fff,color:#fff
    style CSCAN fill:#2c3e50,stroke:#fff,color:#fff
    style DAST2 fill:#2c3e50,stroke:#fff,color:#fff
    style PROD fill:#4CAF50,stroke:#fff,color:#fff
    style MONITOR fill:#4CAF50,stroke:#fff,color:#fff

```

4-phase DevSecOps pipeline: from IDE to production monitoring

### 10.1 Practical Adoption Roadmap

Week 1-2: Foundation

Enable GitHub Secret Scanning + Push Protection (free). Add Gitleaks pre-commit hook. Run `dotnet list package --vulnerable` once to assess current state.

Week 3-4: SAST

Add CodeQL or Semgrep to PR workflow. Only block on Critical/High. Review false positives and tune rules during the first 2 weeks.

Month 2: SCA + SBOM

Enable Dependabot for NuGet, npm, and Docker. Configure Central Package Management. Auto-generate SBOM in CI.

Month 3: Container + DAST

Add Trivy scanning for Docker images. Set up OWASP ZAP full scan for staging. Switch to alpine/distroless base images.

Month 4+: Supply Chain

Implement artifact signing with Cosign. Set up SLSA Level 2 provenance. Continuously review and improve based on metrics.

## 11. Measuring DevSecOps Effectiveness

You can't improve what you don't measure. Here are the key metrics for evaluating your DevSecOps pipeline:

| Metric | Target | How to Measure |
| --- | --- | --- |
| **Mean Time to Remediate (MTTR)** | < 7 days for Critical, < 30 days for High | Time from detection to fix deployed |
| **Vulnerability Escape Rate** | < 5% | Vulnerabilities found in production / total found |
| **False Positive Rate** | < 15% | Alerts dismissed / total alerts |
| **Pipeline Overhead** | < 10 minutes added | Additional CI time due to security scanning |
| **Dependency Freshness** | > 80% packages on latest | Ratio of dependencies on latest minor/patch |
| **SBOM Coverage** | 100% services have SBOM | Services with SBOM / total services |

#### Start with MTTR, not vulnerability count

## 12. Conclusion

## References

- [DevSecOps Trends 2026: AI, Supply Chain & Zero Trust — Practical DevSecOps](https://www.practical-devsecops.com/devsecops-trends-2026/)
- [10 DevSecOps Best Practices for Secure and Efficient Pipelines — Kluster.ai](https://www.kluster.ai/blog/devsecops-best-practices)
- [CI/CD Security Best Practices — Qualys](https://www.qualys.com/fundamentals/ci-cd-security-best-practices)
- [Why Shift-Left Security is Your Competitive Advantage — ISACA](https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/the-future-of-software-delivery-why-shift-left-security-is-your-competitive-advantage)
- [About Supply Chain Security — GitHub Docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security)
- [SLSA Framework — Supply-chain Levels for Software Artifacts](https://slsa.dev/)
- [Practical Guide to Integrating DAST in DevOps Workflow — Astra Security](https://www.getastra.com/blog/dast/integrating-dast-in-devops-workflow/)

Data Pipeline: From Batch to Streaming in Modern Data Systems

Cloudflare Dynamic Workers — Stateful Serverless for the AI Agent Era

Disclaimer: The opinions expressed in this blog are solely my own and do not reflect the views or opinions of my employer or any affiliated organizations. The content provided is for informational and educational purposes only and should not be taken as professional advice. While I strive to provide accurate and up-to-date information, I make no warranties or guarantees about the completeness, reliability, or accuracy of the content. Readers are encouraged to verify the information and seek independent advice as needed. I disclaim any liability for decisions or actions taken based on the content of this blog.