DevSecOps
Objectives: By the end of this topic, you will be able to…
- Use code and container security analysis tools
- Automate basic security reviews as part of a development workflow
- Understand the importance of “shift-left” in security
- Read and interpret vulnerability reports
What is DevSecOps?
DevSecOps (Development, Security, and Operations) is an evolution of the DevOps model that integrates security as a fundamental part of the software development lifecycle, from the earliest stages through to operations.
Unlike a traditional approach where security is applied at the end of the cycle (as an audit), in DevSecOps it is automated within the development pipeline in order to detect vulnerabilities earlier, reduce remediation costs, and improve collaboration between developers, operators, and security experts.
Security as part of the development cycle (“Shift Left”)
Shift Left means moving security activities to earlier stages of the development cycle — source code validation (SAST), dependency scanning (SBOM), container image validation, and automated configuration review — so that code reaches production cleaner without slowing down the team.
Source code analysis with static tools
SAST tools analyze code without executing it, detecting insecure validations, injection points, use of insecure functions, and information leaks — all before a single line runs in production.
Popular tools
| Tool | Description |
|---|---|
semgrep | Fast and customizable analysis |
bandit | For Python code |
SonarQube | Quality + security analysis |
CodeQL | Complex queries on code |
# Example with semgrep
semgrep --config=auto src/When a tool like Bandit flags an issue, the output follows a consistent structure worth knowing before you encounter it in the lab:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection via
string-based query construction.
Severity: Medium Confidence: Medium
Location: app.py:27:14
More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_...
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'hunter2'
Severity: Low Confidence: Medium
Location: app.py:8:15
Each finding shows the rule ID (e.g. B608) and a short description, a severity (Low / Medium / High) indicating potential impact, a confidence level indicating how certain the tool is that this is a real issue rather than a false positive, and a file and line number pointing directly to the problematic code. High severity with high confidence is always investigated first; low confidence findings require manual judgment before acting on them.
Vulnerability analysis in Docker images
Container images can include dependencies with known CVEs. It is important to scan them before deployment.
| Tool | Description |
|---|---|
Trivy | Scans Docker images, code repos, and dependencies |
Grype | Supports multiple SBOM formats |
Dockle | Analyzes security best practices in Dockerfiles |
# Example with Trivy
trivy image my-app:latestIntroduction to simple pipelines
CI/CD pipelines allow automating security analysis on every push or pull request.
Basic example with GitHub Actions:
name: DevSecOps Checks
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
- name: Scan Docker Image
run: |
docker build -t my-app .
trivy image my-appHands-on lab
Requirements: Kali Linux,
bandit,trivy, Docker, Git
Part 1: Source code analysis with Bandit
- Clone a vulnerable repository:
git clone https://github.com/red-and-black/DjangoGoat
cd DjangoGoat- Run
bandit:
bandit -r . -f json -o bandit_results.json- Interpret at least 5 relevant findings: location, vulnerability type, possible exploitation, and solution
? How many of Bandit’s findings were genuine security issues versus false positives? What criteria did you use to determine whether a finding was actually exploitable in this context?
- Bonus: create a script to filter only high severity findings from the JSON
Part 2: Container analysis with Trivy
- Download a vulnerable image:
docker pull bkimminich/juice-shop- Run analysis:
trivy image bkimminich/juice-shop > trivy_image.txt- Analyze the project filesystem:
trivy fs . > trivy_fs.txt- Identify and document at least 3 critical vulnerabilities, associate with CVEs, research patched versions
? For the critical CVEs you found in the container image, what is the upgrade path to resolve them? Why might a development team delay updating a base image even after a CVE is published?
Part 3: Local pipeline simulation
- Create a script
run_security.shthat:- Runs Bandit and Trivy
- Saves results in separate folders (
output/bandit/,output/trivy/) - Generates
security_report.mdwith: vulnerabilities found, estimated risk, recommendations, date and group name
? If your
run_security.shscript detects a critical finding, should the pipeline fail the build, send an alert, or both? What are the tradeoffs for a development team working under deadline pressure?
- (Extra) Create
generate_report.pythat reads JSON files and generates a markdown summary
Part 4 (Optional): GitHub Actions
- Upload the project to GitHub
- Create
.github/workflows/security.yml:
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.9'
- name: Install Bandit and Trivy
run: |
pip install bandit
sudo apt-get install -y wget
wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.51.1_Linux-64bit.deb
sudo dpkg -i trivy_0.51.1_Linux-64bit.deb
- name: Run Bandit
run: bandit -r . -f txt
- name: Run Trivy FS
run: trivy fs .- Verify logs and results in GitHub Actions
Submission
Compressed folder with:
- Script
run_security.sh - Optional
generate_report.py - Folder
output/with results security_report.md- Screenshots of analysis and execution
- (Optional) Link to repository with active pipeline
- Report including: highlighted vulnerabilities, severity, recommendations, reflection on automation in real projects
Key concepts
| Term | Definition |
|---|---|
| DevSecOps | Methodology that integrates security into all phases of the development lifecycle |
| Shift Left | Practice of moving security activities to earlier stages of development |
| SAST | Source code analysis without executing the application |
| Trivy | Container vulnerability analysis tool |
| Bandit | SAST tool for Python code |
| Semgrep | Multi-language and customizable static analyzer |