DevOps help for Cloud Platform Engineers
  • Welcome!
  • Quick Start Guide
  • About Me
  • CV
  • Contribute
  • 🧠DevOps & SRE Foundations
    • DevOps Overview
      • Engineering Fundamentals
      • Implementing DevOps Strategy
      • DevOps Readiness Assessment
      • Lifecycle Management
      • The 12 Factor App
      • Design for Self Healing
      • Incident Management Best Practices (2025)
    • SRE Fundamentals
      • Toil Reduction
      • System Simplicity
      • Real-world Scenarios
        • AWS VM Log Monitoring API
    • Agile Development
      • Team Agreements
        • Definition of Done
        • Definition of Ready
        • Team Manifesto
        • Working Agreement
    • Industry Scenarios
      • Finance and Banking
      • Public Sector (UK/EU)
      • Energy Sector Edge Computing
  • 🛠️DevOps Practices
    • Platform Engineering
    • FinOps
    • Observability
      • Modern Practices
  • 🚀Modern DevOps Practices
    • Infrastructure Testing
    • Modern Development
    • Database DevOps
  • 🛠️Infrastructure as Code (IaC)
    • Terraform
      • Cloud Integrations - Provider-specific implementations
        • Azure Scenarios
          • Azure Authetication
            • Service Principal
            • Service Principal in block
            • Service Principal in env
        • AWS Scenarios
          • AWS Authentication
        • GCP Scenarios
          • GCP Authentication
      • Testing and Validation
        • Unit Testing
        • Integration Testing
        • End-to-End Testing
        • Terratest Guide
      • Best Practices
        • State Management
        • Security
        • Code Organization
        • Performance
      • Tools & Utilities - Enhancing the Terraform workflow
        • Terraform Docs
        • TFLint
        • Checkov
        • Terrascan
      • CI/CD Integration - Automating infrastructure deployment
        • GitHub Actions
        • Azure Pipelines
        • GitLab CI
    • Bicep
      • Getting Started - First steps with Bicep [BEGINNER]
      • Template Specs
      • Best Practices - Guidelines for effective Bicep implementations
      • Modules - Building reusable components [INTERMEDIATE]
      • Examples - Sample implementations for common scenarios
      • Advanced Features
      • CI/CD Integration - Automating Bicep deployments
        • GitHub Actions
        • Azure Pipelines
  • 💰Cost Management & FinOps
    • Cloud Cost Optimization
  • 🐳Containers & Orchestration
    • Containerization Overview
      • Docker
        • Dockerfile Best Practices
        • Docker Compose
      • Kubernetes
        • CLI Tools - Essential command-line utilities
          • Kubectl
          • Kubens
          • Kubectx
        • Core Concepts
        • Components
        • Best Practices
          • Pod Security
          • Security Monitoring
          • Resource Limits
        • Advanced Features - Beyond the basics [ADVANCED]
          • Service Mesh
            • Istio
            • Linkerd
          • Ingress Controllers
            • NGINX
            • Traefik
            • Kong
            • Gloo Edge
            • Contour
        • Tips
          • Status in Pods
          • Resource handling
          • Pod Troubleshooting Commands
        • Enterprise Architecture
        • Health Management
        • Security & Compliance
        • Virtual Clusters
      • OpenShift
  • Service Mesh & Networking
    • Service Mesh Implementation
  • Architecture Patterns
    • Data Mesh
    • Multi-Cloud Networking
    • Disaster Recovery
    • Chaos Engineering
  • Edge Computing
    • Implementation Guide
      • Serverless Edge
      • IoT Edge Patterns
      • Real-Time Processing
      • Edge AI/ML
      • Security Hardening
      • Observability Patterns
      • Network Optimization
      • Storage Patterns
  • 🚀CI/CD & Release Management
    • Continuous Integration
    • Continuous Delivery
      • Deployment Strategies
      • Secrets Management
      • Blue-Green Deployments
      • Deployment Metrics
      • Progressive Delivery
      • Release Management for DevOps/SRE (2025)
  • CI/CD Platforms
    • Tekton
      • Build and Push Container Images
      • Tekton on NixOS Setup
    • Flagger
    • Azure DevOps
      • Pipelines
        • Stages
        • Jobs
        • Steps
        • Templates - Reusable pipeline components
        • Extends
        • Service Connections - External service authentication
        • Best Practices for 2025
        • Agents and Runners
        • Third-Party Integrations
        • Azure DevOps CLI
      • Boards & Work Items
    • GitHub Actions
      • GitHub SecOps: DevSecOps Pipeline
    • GitLab
      • GitLab Runner
  • GitOps
    • GitOps Overview
      • Modern GitOps Practices
      • GitOps Patterns for Multi-Cloud (2025)
      • Flux
        • Progressive Delivery
        • Use GitOps with Flux, GitHub and AKS
  • Source Control
    • Source Control Overview
      • Git Branching Strategies
      • Component Versioning
      • Kubernetes Manifest Versioning
      • GitLab
      • Creating a Fork
      • Naming Branches
      • Pull Requests
      • Integrating LLMs into Source Control Workflows
  • ☁️Cloud Platforms
    • Cloud Strategy
      • AWS to Azure
      • Azure to AWS
      • GCP to Azure
      • AWS to GCP
      • GCP to AWS
    • Landing Zones in Public Clouds
      • AWS Landing Zone
      • GCP Landing Zone
      • Azure Landing Zones
    • Azure
      • Best Practices
        • Azure Best Practices Overview
        • Azure Architecture Best Practices
        • Azure Naming Standards
        • Azure Tags
        • Azure Security Best Practices
      • Services
        • Azure Active Directory (AAD)
        • Azure Monitor
        • Azure Key Vault
        • Azure Service Bus
        • Azure DNS
        • Azure App Service
        • Azure Batch
        • Azure Machine Learning
        • Azure OpenAI Service
        • Azure Cognitive Services
        • Azure Kubernetes Service (AKS)
        • Azure Databricks
        • Azure SQL Database
      • Monitoring
      • Administration Tools - Platform management interfaces
        • Azure PowerShell
        • Azure CLI
      • Tips & Tricks
    • AWS
      • Authentication
      • Best Practices
      • Tips & Tricks
      • Services
        • AWS IAM (Identity and Access Management)
        • Amazon CloudWatch
        • Amazon SNS (Simple Notification Service)
        • Amazon SQS (Simple Queue Service)
        • Amazon Route 53
        • AWS Elastic Beanstalk
        • AWS Batch
        • Amazon SageMaker
        • Amazon Bedrock
        • Amazon Comprehend
    • Google Cloud
      • Services
        • Cloud CDN
        • Cloud DNS
        • Cloud Load Balancing
        • Google Kubernetes Engine (GKE)
        • Cloud Run
        • Artifact Registry
        • Compute Engine
        • Cloud Functions
        • App Engine
        • Cloud Storage
        • Persistent Disk
        • Filestore
        • Cloud SQL
        • Cloud Spanner
        • Firestore
        • Bigtable
        • BigQuery
        • VPC (Virtual Private Cloud)
  • 🔐Security & Compliance
    • DevSecOps Overview
      • DevSecOps Pipeline Security
      • DevSecOps
        • Real-life Examples
        • Scanning & Protection - Automated security tooling
          • Dependency Scanning
          • Credential Scanning
          • Container Security Scanning
          • Static Code Analysis
            • Best Practices
            • Tool Integration Guide
            • Pipeline Configuration
        • CI/CD Security
        • Secrets Rotation
      • Supply Chain Security
        • SLSA Framework
        • Binary Authorization
        • Artifact Signing
      • Security Best Practices
        • Threat Modeling
        • Kubernetes Security
      • SecOps
      • Zero Trust Model
      • Cloud Compliance
        • ISO/IEC 27001:2022
        • ISO 22301:2019
        • PCI DSS
        • CSA STAR
      • Security Frameworks
      • SIEM and SOAR
  • Security Architecture
    • Zero Trust Implementation
      • Identity Management
      • Network Security
      • Access Control
  • 🔍Observability & Monitoring
    • Observability Fundamentals
  • 🧪Testing Strategies
    • Testing Overview
      • Modern Testing Approaches
      • End-to-End Testing
      • Unit Testing
      • Performance Testing
        • Load Testing
      • Fault Injection Testing
      • Integration Testing
      • Smoke Testing
  • 🤖AI Integration
    • AIops Overview
      • Workflow Automation
      • Predictive Analytics
      • Code Quality
  • 🧠AI & LLM Integration
    • Overview
      • Claude
        • Installation Guide
        • Project Guides
        • MCP Server Setup
        • LLM Comparison
      • Ollama
        • Installation Guide
        • Configuration
        • Models and Fine-tuning
        • DevOps Usage
        • Docker Setup
        • GPU Setup
        • Open WebUI
      • Copilot
        • Installation Guide
        • VS Code Integration
        • CLI Usage
      • Gemini
        • Installation Guides - Platform-specific setup
          • Linux Installation
          • WSL Installation
          • NixOS Installation
        • Gemini 2.5 Features
        • Roles and Agents
        • NotebookML Guide
        • Cloud Infrastructure Deployment
        • Summary
  • 💻Development Environment
    • DevOps Tools
      • Pulumi
      • Operating Systems - Development platforms
        • NixOS
          • Install NixOS: PC, Mac, WSL
          • Nix Language Deep Dive
          • Nix Language Fundamentals
            • Nix Functions and Techniques
            • Building Packages with Nix
            • NixOS Configuration Patterns
            • Flakes: The Future of Nix
          • NixOS Generators: Azure & QEMU
        • WSL2
          • Distributions
          • Terminal Setup
      • Editor Environments
      • CLI Tools
        • Azure CLI
        • PowerShell
        • Linux Commands
          • SSH - Secure Shell)
            • SSH Config
            • SSH Port Forwarding
        • Linux Fundametals
        • Cloud init
          • Cloud init examples
        • YAML Tools
          • How to create a k8s yaml file - How to create YAML config
          • YQ the tool
  • 📚Programming Languages
    • Python
    • Go
    • JavaScript/TypeScript
    • Java
    • Rust
  • Platform Engineering
    • Implementation Guide
  • FinOps
    • Implementation Guide
  • AIOps
    • LLMOps Guide
  • Should Learn
    • Should Learn
    • Linux
      • Commands
      • OS
      • Services
    • Terraform
    • Getting Started - Installation and initial setup [BEGINNER]
    • Cloud Integrations
    • Testing and Validation - Ensuring infrastructure quality
      • Unit Testing
      • Integration Testing
      • End-to-End Testing
      • Terratest Guide
    • Best Practices - Production-ready implementation strategies
      • State Management
      • Security
      • Code Organization
      • Performance
    • Tools & Utilities
    • CI/CD Integration
    • Bicep
    • Kubernetes
      • kubectl
    • Ansible
    • Puppet
    • Java
    • Rust
    • Azure CLI
  • 📖Documentation Best Practices
    • Documentation Strategy
      • Project Documentation
      • Release Notes
      • Static Sites
      • Documentation Templates
      • Real-World Examples
  • 📋Reference Materials
    • Glossary
    • Tool Comparison
    • Tool Decision Guides
    • Recommended Reading
    • Troubleshooting Guide
    • Development Setup
Powered by GitBook
On this page
  • Overview
  • Pipeline Security Controls
  • 1. Access Control & Authentication
  • 2. Secrets Management
  • Vault Integration Examples
  • 3. Container Security
  • Image Scanning Configuration
  • Base Image Security
  • 4. Code Security Scanning
  • GitHub Advanced Security
  • GitLab SAST
  • Azure DevOps Security Scanning
  • 5. Infrastructure Security
  • Terraform Security Scanning
  • Kubernetes Manifest Validation
  • Real-World Implementation Examples
  • E-Commerce Platform Pipeline
  • Best Practices Checklist
  • Monitoring & Alerting
  • Security Event Monitoring
  • Alert Configuration
  • References & Tools
Edit on GitHub
  1. Security & Compliance

DevSecOps Overview

Overview

This guide provides technical implementations for securing CI/CD pipelines across GitHub Actions, GitLab CI, and Azure DevOps, focusing on practical, real-world scenarios.

Pipeline Security Controls

1. Access Control & Authentication

GitHub Actions

# .github/workflows/secure-pipeline.yml
name: Secure Pipeline
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write
  actions: none
  
jobs:
  security-scan:
    runs-on: ubuntu-latest
    environment: production # Requires approval
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: false

GitLab CI

# .gitlab-ci.yml
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      variables:
        SECURE_SCANNING: "true"

variables:
  SECURE_LOG_LEVEL: "debug"
  SCAN_KUBERNETES_MANIFESTS: "true"

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

Azure DevOps

# azure-pipelines.yml
trigger:
  branches:
    include:
    - main
  paths:
    exclude:
    - docs/*

resources:
  repositories:
    - repository: security-policies
      type: git
      name: SecurityPolicies
      ref: refs/heads/main

pool:
  vmImage: 'ubuntu-latest'

variables:
- group: Production-Secrets

2. Secrets Management

Vault Integration Examples

GitHub Actions with HashiCorp Vault

jobs:
  fetch-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Vault Authentication
        uses: hashicorp/vault-action@v2
        with:
          url: ${{ secrets.VAULT_ADDR }}
          method: jwt
          role: github-action
          secrets: |
            secret/data/myapp/config token | APP_TOKEN ;
            secret/data/myapp/config key | API_KEY

GitLab CI with Vault

variables:
  VAULT_ADDR: "https://vault.example.com"
  
.vault-auth: &vault-auth
  before_script:
    - |
      VAULT_TOKEN=$(vault write -field=token auth/jwt/login \
        role=gitlab-ci \
        jwt=$CI_JOB_JWT)
      export VAULT_TOKEN

Azure DevOps with Key Vault

steps:
- task: AzureKeyVault@2
  inputs:
    azureSubscription: 'Production'
    KeyVaultName: 'myapp-kv'
    SecretsFilter: 'API-Key,DB-Password'
    RunAsPreJob: true

3. Container Security

Image Scanning Configuration

# Container scanning template
container_scan: &container_scan
  image: aquasec/trivy:latest
  script: |
    trivy image \
      --exit-code 1 \
      --severity HIGH,CRITICAL \
      --no-progress \
      ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}

Base Image Security

# Dockerfile security baseline
FROM alpine:3.18

# Set non-root user
RUN adduser -D -u 10001 appuser
USER appuser

# Metadata labels
LABEL org.opencontainers.image.vendor="Company Name" \
      org.opencontainers.image.title="Secure App" \
      org.opencontainers.image.security.policy="/security.txt"

4. Code Security Scanning

GitHub Advanced Security

jobs:
  codeql-analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    
    steps:
    - uses: github/codeql-action/init@v2
      with:
        languages: javascript, python
        queries: security-extended
    
    - uses: github/codeql-action/analyze@v2
      with:
        category: "/language:javascript"

GitLab SAST

sast:
  variables:
    SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
    SCAN_KUBERNETES_MANIFESTS: "true"
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json

Azure DevOps Security Scanning

- task: WhiteSource@21
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
    projectName: '$(Build.Repository.Name)'
    
- task: SecurityAnalysis@0
  inputs:
    scanType: 'full'
    verbosity: 'Detailed'

5. Infrastructure Security

Terraform Security Scanning

terraform_security:
  script:
    - |
      checkov -d . --framework terraform
      tfsec .
      terrascan scan -i terraform

Kubernetes Manifest Validation

k8s_security:
  script:
    - |
      kubesec scan k8s/*.yaml
      kube-score score k8s/*.yaml
      conftest test k8s/*.yaml

Real-World Implementation Examples

E-Commerce Platform Pipeline

# Multi-stage security pipeline
stages:
  - scan
  - build
  - test
  - deploy

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  SECURE_LOG_LEVEL: "debug"
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_EXCLUDED_PATHS: "test/*, spec/*"
  
sast:
  variables:
    SEARCH_MAX_DEPTH: 4
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

dependency_scanning:
  variables:
    DS_PYTHON_VERSION: 3
    DS_EXCLUDED_PATHS: "tests/"

container_scanning:
  variables:
    CS_SEVERITY_THRESHOLD: "Critical"

Best Practices Checklist

  1. Pipeline Configuration:

    • Use specific versions for actions/tasks

    • Implement least privilege access

    • Enable branch protection rules

    • Enforce code review policies

  2. Secret Management:

    • Use OIDC for cloud authentication

    • Rotate secrets automatically

    • Implement secret scanning

    • Use environment segregation

  3. Container Security:

    • Scan base images

    • Implement runtime security

    • Use minimal base images

    • Enable read-only root filesystem

  4. Compliance:

    • Implement audit logging

    • Enforce policy as code

    • Regular security assessments

    • Compliance report generation

Monitoring & Alerting

Security Event Monitoring

security_monitoring:
  script:
    - |
      # Export security metrics to Prometheus
      cat << EOF > /metrics/security.prom
      pipeline_security_score{stage="build"} $(security_score)
      pipeline_vulnerabilities_total{severity="critical"} $(vuln_count)
      EOF

Alert Configuration

# Alert manager configuration
alerts:
  rules:
    - alert: HighSeverityVulnerability
      expr: pipeline_vulnerabilities_total{severity="critical"} > 0
      for: 5m
      labels:
        severity: critical
      annotations:
        description: "Critical vulnerability detected in pipeline"

References & Tools

  1. Security Scanning:

    • Trivy

    • Snyk

    • Anchore

    • Clair

  2. Policy Enforcement:

    • OPA (Open Policy Agent)

    • Kyverno

    • Conftest

  3. Secret Management:

    • HashiCorp Vault

    • Azure Key Vault

    • AWS Secrets Manager

  4. Compliance:

    • Chef InSpec

    • OpenSCAP

    • Compliance as Code tools

PreviousVPC (Virtual Private Cloud)NextDevSecOps

Last updated 25 days ago

🔐