DevSecOps

The practice of integrating security into every stage of the DevOps lifecycle, shifting security left with automated scanning, policy as code, and shared responsibility instead of a final security gate before release.

In depth

DevSecOps extends DevOps by making security a continuous, automated part of the delivery pipeline rather than a late-stage review. Instead of a security team auditing software just before release, security checks run automatically every time code changes: static analysis (SAST) on source code, software composition analysis (SCA) on dependencies, container image scanning, secrets detection, and dynamic testing (DAST) against running environments. Policies such as which base images are allowed or which vulnerabilities block a deploy are written as code and enforced by the pipeline. Developers get fast feedback in their pull requests, so vulnerabilities are fixed when they are cheapest to fix. Security engineers shift from gatekeepers to enablers who build guardrails, threat models, and tooling. The result is that security scales with delivery speed instead of slowing it down.

Why it matters

Fixing a vulnerability in production costs far more than fixing it in a pull request, and supply chain attacks have made automated dependency and artifact scanning essential. Regulators and customers increasingly demand evidence of secure development practices. DevSecOps skills let teams ship fast without accumulating security debt.

Real-world example

A fintech team adds Trivy image scanning and GitLeaks secrets detection to their CI pipeline. A developer's pull request is blocked because a new dependency carries a critical CVE; the pipeline suggests a patched version, the developer bumps it, and the fix ships the same day, long before the code ever reaches production.
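As an added illustration of the policy-as-code gate described above (example code written for this entry, not code from the page, from Trivy or from any pipeline product), the check below reads a Trivy-style JSON scan report, applies a policy written as code, and produces the kind of remediation hint the example mentions, including the patched version to bump to. The report is constructed, its ids and package names are placeholders, and the field names are assumed to follow Trivy's JSON output layout.

```python
# Constructed scan report in the layout of Trivy's JSON output (assumption:
# field names as in that format). Ids and package names are placeholders.
SAMPLE_REPORT = {"Results": [{
    "Target": "app/package-lock.json",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "example-lib", "Severity": "CRITICAL",
         "InstalledVersion": "1.2.0", "FixedVersion": "1.2.5"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "other-lib", "Severity": "HIGH",
         "InstalledVersion": "3.0.0", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "third-lib", "Severity": "LOW",
         "InstalledVersion": "0.9.1", "FixedVersion": "0.9.2"},
    ],
}]}

# The policy as code: which severities fail the stage, and whether a finding
# with no fixed version yet fails it too (a version bump cannot clear it).
POLICY = {"block_severities": {"CRITICAL", "HIGH"}, "block_unfixed": False}

def evaluate(report: dict, policy: dict) -> dict:
    """Split findings into hard blockers and advisory-only findings."""
    blocking, advisories = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["Severity"] not in policy["block_severities"]:
                continue  # below the policy threshold: not a gate
            finding = {"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                       "severity": vuln["Severity"],
                       "installed": vuln["InstalledVersion"],
                       "fix": vuln.get("FixedVersion") or None,
                       "target": result.get("Target", "")}
            if finding["fix"] is None and not policy["block_unfixed"]:
                advisories.append(finding)  # shown in the PR, does not block
            else:
                blocking.append(finding)
    return {"blocked": bool(blocking), "blocking": blocking, "advisories": advisories}

def remediation_hint(f: dict) -> str:
    """One line the gate posts back to the pull request for a finding."""
    if f["fix"]:
        return (f"{f['id']} ({f['severity']}): bump {f['pkg']} "
                f"{f['installed']} -> {f['fix']} in {f['target']}")
    return f"{f['id']} ({f['severity']}): no fixed {f['pkg']} release yet; track or mitigate"

def gate(report: dict, policy: dict) -> int:
    """Exit code for the CI stage: 1 fails the pipeline, 0 lets it proceed."""
    verdict = evaluate(report, policy)
    for f in verdict["blocking"] + verdict["advisories"]:
        print(remediation_hint(f))
    return 1 if verdict["blocked"] else 0
```

In a real pipeline the report dict would come from the scanner's JSON file and the return value of `gate` would become the stage's exit code, so the pull request is blocked with the hint attached rather than waiting for a manual review.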

Tools related to DevSecOps

Trivy, SonarQube, Snyk, OWASP ZAP, HashiCorp Vault, Checkov

Interview questions

  1. What does 'shift left' mean in security and how do you implement it?
  2. Compare SAST, DAST, and SCA. Where does each fit in a pipeline?
  3. How would you handle secrets in a CI/CD pipeline?
  4. What is software supply chain security and what is an SBOM?
  5. How do you prevent vulnerable container images from reaching production?
  6. Describe how you would roll out security scanning without blocking developer velocity.