Shift-left security embeds security testing at every stage of the software development lifecycle rather than treating it as a final gate. This article maps security controls to each CI/CD stage — from pre-commit hooks to production monitoring.
Sign in to mark this article as read and track your progress.
The traditional software delivery model placed security at the end: code was developed, tested for functionality, and then handed to a security team for a review before release. This model fails in cloud environments for two reasons:
"Shift left" means moving security controls earlier in the timeline — to the point where code is first written or committed — rather than waiting for a deployment gate.
A DevSecOps pipeline integrates security at every stage:
| Stage | Security Activity | Tooling Example |
|---|---|---|
| IDE / Pre-commit | SAST (static analysis) linting; secret scanning | SonarLint, git-secrets, detect-secrets |
| Pull Request | SAST on PR diff; dependency audit | SonarQube, Semgrep, npm audit, Dependabot |
| Build | Container image scan; SBOM generation | Trivy, Grype, Syft |
| Test | DAST against test environment; IaC scan | OWASP ZAP, Checkov, tfsec, Bridgecrew |
| Staging Deploy | Integration security tests; secrets detection in IaC | AWS Config, Terrascan |
| Production Deploy | Admission control (image signature check); policy enforcement | OPA Gatekeeper, Kyverno, Falco |
| Runtime | CWPP runtime monitoring; RASP | Falco, Datadog Security Agent |
Accidental credential commits to Git repositories are the most common misconfiguration leading to cloud breaches. A 2023 GitGuardian study found 10 million hardcoded secrets in public GitHub repositories.
Common accidental commits:
AKIA...)docker-compose.yml.env files committed without .gitignorePre-commit hook (detect-secrets):
# Install
pip install detect-secrets
# Initialise baseline (documents current known-good secrets in test fixtures, etc.)
detect-secrets scan > .secrets.baseline
# Install as pre-commit hook
# .pre-commit-config.yaml:
repos:
- repo: https://github.com/Yelp/detect-secrets
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
This hook prevents commits containing secrets from reaching the repository. It cannot protect against secrets that were committed before the hook was installed — run git-secrets --scan-history to audit historical commits.
Infrastructure as Code (IaC) — Terraform, CloudFormation, Bicep — defines cloud resources. An IaC misconfiguration is a production misconfiguration. Scan IaC before it is deployed:
Checkov (open source, by Bridgecrew/Palo Alto):
# Install
pip install checkov
# Scan a Terraform directory
checkov -d ./terraform/
# Scan a CloudFormation template
checkov -f template.yaml --framework cloudformation
# Output example:
# Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
# PASSED for resource: aws_s3_bucket.my-bucket
# Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access"
# FAILED for resource: aws_s3_bucket.public-bucket
tfsec and Terrascan provide similar functionality with different rule sets. Running these checks in the PR pipeline means a developer sees IaC security issues in the same review workflow as code review comments.
SAST (Static Application Security Testing) analyses source code without executing it. It catches:
Semgrep is the most widely used open-source SAST tool for cloud-native projects. Rules are written in YAML and can be customised:
semgrep --config "p/owasp-top-ten" --config "p/aws-lambda" ./src/
DAST (Dynamic Application Security Testing) tests a running application by sending malicious inputs and analysing responses. OWASP ZAP is the open-source standard. In a DevSecOps pipeline, DAST runs against the staging environment after deployment, before production promotion.
An SBOM is a machine-readable list of all components (libraries, frameworks, tools) in a software product. It enables:
Generate an SBOM with Syft:
syft myapp:latest -o spdx-json > sbom.json
Check SBOM against known CVEs with Grype:
grype sbom:sbom.json
The US Executive Order on Cybersecurity (May 2021) mandated SBOMs for all software sold to the US government. Indian government procurement guidelines are moving in the same direction — expect SBOM requirements in future MeitY procurement standards.
Open Policy Agent (OPA) is an open-source policy engine that allows security rules to be written as code and enforced at API boundaries. In Kubernetes, OPA Gatekeeper enforces admission policies:
# Deny deployment of containers running as root
deny[msg] {
input.request.kind.kind == "Pod"
input.request.object.spec.containers[_].securityContext.runAsUser == 0
msg := "Containers must not run as root (runAsUser=0)"
}
This policy prevents any pod from being deployed if it runs as root — a simple, enforceable control that catches a class of container security misconfiguration before it reaches production. The policy is stored in Git, reviewed like code, and applies to every deployment automatically.