EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityDevSecOpsshift-leftSAST

DevSecOps & Shift-Left Security in Cloud CI/CD Pipelines

Shift-left security embeds security testing at every stage of the software development lifecycle rather than treating it as a final gate. This article maps security controls to each CI/CD stage — from pre-commit hooks to production monitoring.

Ashish Revar3 July 202620 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

OWASP DevSecOps Guideline

OWASP comprehensive guide to integrating security into DevOps pipelines.

Checkov IaC Security Scanner

Checkov documentation for scanning Terraform, CloudFormation, Kubernetes, and ARM templates.

NIST SP 800-204C: Implementation of DevSecOps

NIST guidance on implementing DevSecOps for cloud-native microservices applications.

Sigstore Cosign Container Image Signing

Cosign documentation for keyless container image signing in CI/CD pipelines.

More articlesTest your knowledge

What "Shift Left" Means

The traditional software delivery model placed security at the end: code was developed, tested for functionality, and then handed to a security team for a review before release. This model fails in cloud environments for two reasons:

  1. Velocity: Cloud-native teams deploy tens or hundreds of times per day. A security review gate before each deployment is operationally impossible.
  2. Cost of late discovery: A vulnerability found in design costs 10× less to fix than one found in code, 100× less than one in testing, and 1,000× less than one in production (NIST Security Economics study, 2002 — the ratio has worsened, not improved, with cloud complexity).

"Shift left" means moving security controls earlier in the timeline — to the point where code is first written or committed — rather than waiting for a deployment gate.

The DevSecOps Pipeline

A DevSecOps pipeline integrates security at every stage:

StageSecurity ActivityTooling Example
IDE / Pre-commitSAST (static analysis) linting; secret scanningSonarLint, git-secrets, detect-secrets
Pull RequestSAST on PR diff; dependency auditSonarQube, Semgrep, npm audit, Dependabot
BuildContainer image scan; SBOM generationTrivy, Grype, Syft
TestDAST against test environment; IaC scanOWASP ZAP, Checkov, tfsec, Bridgecrew
Staging DeployIntegration security tests; secrets detection in IaCAWS Config, Terrascan
Production DeployAdmission control (image signature check); policy enforcementOPA Gatekeeper, Kyverno, Falco
RuntimeCWPP runtime monitoring; RASPFalco, Datadog Security Agent

Secret Detection: The Most Urgent Shift-Left Control

Accidental credential commits to Git repositories are the most common misconfiguration leading to cloud breaches. A 2023 GitGuardian study found 10 million hardcoded secrets in public GitHub repositories.

Common accidental commits:

  • AWS access keys (AKIA...)
  • Database passwords in docker-compose.yml
  • API tokens in .env files committed without .gitignore
  • Google Service Account JSON files

Pre-commit hook (detect-secrets):

# Install
pip install detect-secrets

# Initialise baseline (documents current known-good secrets in test fixtures, etc.)
detect-secrets scan > .secrets.baseline

# Install as pre-commit hook
# .pre-commit-config.yaml:
repos:
  - repo: https://github.com/Yelp/detect-secrets
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

This hook prevents commits containing secrets from reaching the repository. It cannot protect against secrets that were committed before the hook was installed — run git-secrets --scan-history to audit historical commits.

Infrastructure-as-Code Security Scanning

Infrastructure as Code (IaC) — Terraform, CloudFormation, Bicep — defines cloud resources. An IaC misconfiguration is a production misconfiguration. Scan IaC before it is deployed:

Checkov (open source, by Bridgecrew/Palo Alto):

# Install
pip install checkov

# Scan a Terraform directory
checkov -d ./terraform/

# Scan a CloudFormation template
checkov -f template.yaml --framework cloudformation

# Output example:
# Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
# PASSED for resource: aws_s3_bucket.my-bucket
# Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access"
# FAILED for resource: aws_s3_bucket.public-bucket

tfsec and Terrascan provide similar functionality with different rule sets. Running these checks in the PR pipeline means a developer sees IaC security issues in the same review workflow as code review comments.

SAST and DAST

SAST (Static Application Security Testing) analyses source code without executing it. It catches:

  • SQL injection patterns (string concatenation in SQL queries)
  • Hardcoded credentials
  • Insecure deserialization
  • Missing authentication checks (OWASP Top 10 A01, A02, A03)

Semgrep is the most widely used open-source SAST tool for cloud-native projects. Rules are written in YAML and can be customised:

semgrep --config "p/owasp-top-ten" --config "p/aws-lambda" ./src/

DAST (Dynamic Application Security Testing) tests a running application by sending malicious inputs and analysing responses. OWASP ZAP is the open-source standard. In a DevSecOps pipeline, DAST runs against the staging environment after deployment, before production promotion.

Software Bill of Materials (SBOM)

An SBOM is a machine-readable list of all components (libraries, frameworks, tools) in a software product. It enables:

  • Rapid identification of vulnerable components when a new CVE is announced
  • Licence compliance review (GPL, LGPL, MIT)
  • Supply chain audits for regulatory compliance

Generate an SBOM with Syft:

syft myapp:latest -o spdx-json > sbom.json

Check SBOM against known CVEs with Grype:

grype sbom:sbom.json

The US Executive Order on Cybersecurity (May 2021) mandated SBOMs for all software sold to the US government. Indian government procurement guidelines are moving in the same direction — expect SBOM requirements in future MeitY procurement standards.

Security as Code: OPA and Policy-as-Code

Open Policy Agent (OPA) is an open-source policy engine that allows security rules to be written as code and enforced at API boundaries. In Kubernetes, OPA Gatekeeper enforces admission policies:

# Deny deployment of containers running as root
deny[msg] {
  input.request.kind.kind == "Pod"
  input.request.object.spec.containers[_].securityContext.runAsUser == 0
  msg := "Containers must not run as root (runAsUser=0)"
}

This policy prevents any pod from being deployed if it runs as root — a simple, enforceable control that catches a class of container security misconfiguration before it reaches production. The policy is stored in Git, reviewed like code, and applies to every deployment automatically.