DevSecOps
Objectives: By the end of this topic, you will be able to…
- Use code and container security analysis tools
- Automate basic security reviews as part of a development workflow
- Understand the importance of “shift-left” in security
- Read and interpret vulnerability reports
What is DevSecOps?
DevSecOps (Development, Security, and Operations) is an evolution of the DevOps model that integrates security as a fundamental part of the software development lifecycle, from the earliest stages through to operations.
Unlike a traditional approach where security is applied at the end of the cycle (as an audit), in DevSecOps it is automated within the development pipeline to:
- Detect vulnerabilities early
- Reduce remediation costs
- Improve collaboration between developers, operators, and security experts
Security as part of the development cycle (“Shift Left”)
Shift Left means moving security activities to earlier stages of the development cycle:
- Source code validation (SAST)
- Dependency scanning (SBOM)
- Container image validation
- Automated configuration review
The goal is for code to reach production cleaner, without slowing down the team.
Source code analysis with static tools
SAST tools analyze code without executing it. They detect:
- Insecure validations
- Injections
- Use of insecure functions
- Information leaks
Popular tools
| Tool | Description |
|---|---|
| semgrep | Fast and customizable analysis |
| bandit | For Python code |
| SonarQube | Quality + security analysis |
| CodeQL | Complex queries on code |
```bash
# Example with semgrep
semgrep --config=auto src/
```
Vulnerability analysis in Docker images
Container images can include dependencies with known CVEs. It is important to scan them before deployment.
| Tool | Description |
|---|---|
| Trivy | Scans Docker images, code repos, and dependencies |
| Grype | Supports multiple SBOM formats |
| Dockle | Analyzes security best practices in Dockerfiles |
```bash
# Example with Trivy
trivy image my-app:latest
```
Introduction to simple pipelines
CI/CD pipelines allow automating security analysis on every push or pull request.
Basic example with GitHub Actions:
```yaml
name: DevSecOps Checks
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
      - name: Scan Docker Image
        # Note: trivy is not preinstalled on ubuntu-latest; add an install step
        # (see the Part 4 workflow in the lab) before this one.
        run: |
          docker build -t my-app .
          trivy image my-app
```
Hands-on lab
Requirements: Kali Linux, bandit, trivy, Docker, Git
Part 1: Source code analysis with Bandit
- Clone a vulnerable repository:

  ```bash
  git clone https://github.com/red-and-black/DjangoGoat
  cd DjangoGoat
  ```

- Run bandit:

  ```bash
  bandit -r . -f json -o bandit_results.json
  ```

- Interpret at least 5 relevant findings: location, vulnerability type, possible exploitation, and solution
- Bonus: create a script to filter only high severity findings from the JSON
Part 2: Container analysis with Trivy
- Download a vulnerable image:

  ```bash
  docker pull bkimminich/juice-shop
  ```

- Run analysis:

  ```bash
  trivy image bkimminich/juice-shop > trivy_image.txt
  ```

- Analyze the project filesystem:

  ```bash
  trivy fs . > trivy_fs.txt
  ```

- Identify and document at least 3 critical vulnerabilities, associate with CVEs, research patched versions
Part 3: Local pipeline simulation
- Create a script `run_security.sh` that:
  - Runs Bandit and Trivy
  - Saves results in separate folders (`output/bandit/`, `output/trivy/`)
  - Generates `security_report.md` with: vulnerabilities found, estimated risk, recommendations, date and group name
- (Extra) Create `generate_report.py` that reads JSON files and generates a markdown summary
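As an added example that is not part of the course material, the following Python script shows one way to cover the Part 1 bonus (filtering Bandit's JSON by severity) and the Part 3 `generate_report.py` together: it normalizes Bandit and Trivy findings into one shape, ranks them (severity first, then whether a fixed version exists) and renders the `security_report.md` content. It assumes both tools were run with JSON output (`bandit -r . -f json` and `trivy image -f json`, the latter instead of the plain-text redirect used in Part 2); the field names follow the tools' real JSON layout, but the sample documents and CVE ids embedded inline are constructed placeholders.

```python
"""Added example (not from the course page): parse Bandit and Trivy JSON output,
filter by severity, rank findings and render the markdown summary the lab asks for.
The two JSON samples below are constructed to mimic the tools' real output shapes."""
import json
from datetime import date

# Severity ordering shared by both tools (Trivy adds CRITICAL and UNKNOWN to Bandit's three levels).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Constructed sample in the shape of `bandit -r . -f json` (only the fields used here).
BANDIT_SAMPLE = json.dumps({"results": [
    {"filename": "app/views.py", "line_number": 42, "test_id": "B608", "issue_severity": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/settings.py", "line_number": 7, "test_id": "B105", "issue_severity": "LOW",
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"filename": "app/utils.py", "line_number": 88, "test_id": "B301", "issue_severity": "HIGH",
     "issue_text": "Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data."},
]})

# Constructed sample in the shape of `trivy image -f json`; the CVE ids are placeholders, not real advisories.
TRIVY_SAMPLE = json.dumps({"Results": [
    {"Target": "my-app:latest (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "CRITICAL", "Title": "placeholder: remote code execution"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3.0",
         "FixedVersion": "", "Severity": "HIGH", "Title": "placeholder: denial of service"},
    ]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somepkg", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "LOW", "Title": "placeholder: information disclosure"},
    ]},
]})


def load_bandit(text):
    """Normalize Bandit results into one common finding shape."""
    return [{
        "tool": "bandit", "id": r["test_id"], "severity": r["issue_severity"].upper(),
        "location": f"{r['filename']}:{r['line_number']}", "description": r["issue_text"],
        "fix_available": False,  # Bandit flags code patterns; there is no upstream "fixed version"
    } for r in json.loads(text).get("results", [])]


def load_trivy(text):
    """Normalize Trivy results; a clean target has no 'Vulnerabilities' key, hence the `or []`."""
    findings = []
    for result in json.loads(text).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "tool": "trivy", "id": v["VulnerabilityID"], "severity": v.get("Severity", "UNKNOWN").upper(),
                "location": f"{result['Target']} / {v['PkgName']} {v['InstalledVersion']}",
                "description": v.get("Title", ""), "fix_available": bool(v.get("FixedVersion")),
            })
    return findings


def filter_min_severity(findings, minimum):
    """Keep findings at or above `minimum`, e.g. 'HIGH' keeps HIGH and CRITICAL."""
    threshold = SEVERITY_RANK[minimum.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def prioritize(findings):
    """Highest severity first; among equals, findings with a published fix come first (cheapest to close)."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), not f["fix_available"], f["id"]))


def render_markdown(findings, group):
    """Produce the security_report.md content: ranked table, severity counts, recommendations, date, group."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    lines = ["# Security report", f"Group: {group}", f"Date: {date.today().isoformat()}", "",
             "| # | Tool | Severity | ID | Location | Fix available |", "|---|---|---|---|---|---|"]
    for i, f in enumerate(prioritize(findings), 1):
        lines.append(f"| {i} | {f['tool']} | {f['severity']} | {f['id']} | {f['location']} | "
                     f"{'yes' if f['fix_available'] else 'no'} |")
    lines += ["", "Estimated risk: " + ", ".join(
        f"{sev}={counts[sev]}" for sev in sorted(counts, key=lambda s: SEVERITY_RANK.get(s, 0), reverse=True)),
        "", "Recommendations: upgrade every package that has a fixed version, then review the remaining "
            "HIGH/CRITICAL findings by exposure (network-reachable? untrusted input?) before lower severities."]
    return "\n".join(lines)


if __name__ == "__main__":
    # In the lab, replace the samples with the contents of output/bandit/*.json and output/trivy/*.json.
    all_findings = load_bandit(BANDIT_SAMPLE) + load_trivy(TRIVY_SAMPLE)
    print(render_markdown(all_findings, group="demo-group"))
    print("\nHigh or critical:", len(filter_min_severity(all_findings, "HIGH")))  # 3
```

The ranking key is deliberate: a CRITICAL with a fixed version is the cheapest high-value fix, while an unfixed HIGH needs a compensating control rather than an upgrade, so it is listed after fixable findings of the same severity. Swap the inline samples for `open(...).read()` on the files written by `run_security.sh` to use it as `generate_report.py`.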
Part 4 (Optional): GitHub Actions
- Upload the project to GitHub
- Create `.github/workflows/security.yml`:

  ```yaml
  name: Security Scan
  on: [push, pull_request]
  jobs:
    scan:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - name: Set up Python
          uses: actions/setup-python@v5
          with:
            python-version: '3.9'
        - name: Install Bandit and Trivy
          run: |
            pip install bandit
            sudo apt-get install -y wget
            # Pin the release tag to match the asset file name; "releases/latest" stops
            # resolving this file once a newer Trivy version is published.
            wget https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.deb
            sudo dpkg -i trivy_0.51.1_Linux-64bit.deb
        - name: Run Bandit
          run: bandit -r . -f txt
        - name: Run Trivy FS
          run: trivy fs .
  ```

- Verify logs and results in GitHub Actions
Submission
Compressed folder with:
- Script `run_security.sh`
- Optional `generate_report.py`
- Folder `output/` with results
- `security_report.md`
- Screenshots of analysis and execution
- (Optional) Link to repository with active pipeline
- Report including: highlighted vulnerabilities, severity, recommendations, reflection on automation in real projects
Key concepts
| Term | Definition |
|---|---|
| DevSecOps | Methodology that integrates security into all phases of the development lifecycle |
| Shift Left | Practice of moving security activities to earlier stages of development |
| SAST | Source code analysis without executing the application |
| Trivy | Container vulnerability analysis tool |
| Bandit | SAST tool for Python code |
| Semgrep | Multi-language and customizable static analyzer |
Test yourself
- Shift Left: Explain why it is more cost-effective to detect and fix a vulnerability during the development phase than in production. What impact does it have on costs and risk?
- Pipeline: Design a basic CI/CD pipeline that includes: code analysis, dependency scanning, and Docker image analysis. What tools would you use at each step?
- Practice: A Trivy scan reports 47 vulnerabilities in a Docker image, of which 5 are critical. How would you prioritize remediation? What criteria would you use?