100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

DevSecOps Basics Cheat Sheet

DevSecOps Basics Cheat Sheet

Shift-left security practices, pipeline scanning stages, and tooling for embedding security checks into CI/CD workflows.

2 PagesIntermediateMay 21, 2026

Security Gates in a CI Pipeline

Shift-left scanning stages wired into a GitHub Actions workflow.

yaml
jobs:  security:    runs-on: ubuntu-latest    steps:      - uses: actions/checkout@v4      # SAST - scan source for vulnerable patterns      - name: Semgrep SAST        run: semgrep ci --config auto      # SCA - scan dependencies for known CVEs      - name: Dependency scan        run: npm audit --audit-level=high      # Secret scanning      - name: Gitleaks        run: gitleaks detect --source . --exit-code 1      # Container image scan (after build)      - name: Trivy image scan        run: trivy image --exit-code 1 --severity HIGH,CRITICAL my-app:${{ github.sha }}

Infrastructure-as-Code Scanning

Catch misconfigured cloud resources before they're ever applied.

bash
# Scan Terraform for misconfigurations before plan/applycheckov -d ./terraform --framework terraform --compact# Alternative: tfsec, focused purely on Terraformtfsec ./terraform

Shift-Left Stages

Where each class of security check belongs in the SDLC.

  • IDE / pre-commit- linting, secret detection, dependency version checks
  • SAST- static analysis of source code for vulnerable patterns
  • SCA- scan third-party dependencies for known CVEs and license issues
  • IaC scanning- Terraform/CloudFormation misconfig checks before apply
  • Container scanning- image CVE scan post-build, pre-push to registry
  • DAST- dynamic scan against a running staging environment
  • Runtime/CSPM- continuous posture monitoring in production
Pro Tip

Start every DevSecOps rollout by making scanners advisory (warn, don't fail the build) for the first few weeks — flipping straight to hard-fail floods teams with pre-existing findings and gets the pipeline disabled instead of fixed.

Was this cheat sheet helpful?

Explore Topics

#DevSecOpsBasics#DevSecOpsBasicsCheatSheet#Cybersecurity#Intermediate#SecurityGatesInACIPipeline#InfrastructureAsCodeScanning#ShiftLeftStages#Shift#Security#DevOps#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet