Shift-left · CI/CD · SAST · SCA · IaC · DAST · Policy as code
DevSecOps security built into CI/CD
Security injected at every stage of the pipeline, not as a final audit. Pre-commit, build, test, deploy and runtime with automated controls, false positives kept under 15% and measurable governance. Two models: continuous programme or periodic audits.
Executive summary
Real DevSecOps is not "plug a scanner in at the end of the pipeline". It is embedding security at every stage of the cycle — from pre-commit to runtime — with automated controls, contained false positives and metrics visible to both security and development. The outcome: catch 80-90% of vulnerabilities before they reach production, cut the MTTR of critical findings from weeks to hours, and do not slow down the development team.
We work on your CI/CD stack (GitHub Actions, GitLab CI, Jenkins, Azure DevOps, etc.) without imposing tooling. Maturity diagnostic against OWASP SAMM, deployment of controls at every pipeline stage, continuous operation or point-in-time audits. Suitable to support ISO 27001:2022 (A.8.25-A.8.30), NIS2, DORA and PCI DSS v4 req. 6.
Measurable shift-left
We catch the problem while it still costs minutes to fix in pre-commit, not weeks in production. Trend: 80-90% of findings caught before prod.
Tool-agnostic
We work on the client's CI/CD stack. We recommend tools where needed, with no partner bias and no unnecessary licences.
Two contractual models
Continuous operation programme or periodic audits. Same team, same technical level, different ownership split.
The DevSecOps pipeline by stages
Six stages, each with its security controls injected, its gate and its target time. Controls must be fast (typically under 5 minutes) and useful (false positives kept low), or the team disables them in the first sprint.
Local commit (pre-commit hooks)
Before the commit even reaches the server: Gitleaks blocks secrets, formatting and linters run on the diff, and quick validations (10-30 seconds) stop trivial errors. First line of defence and the one that saves the team the most friction.
Build (SAST · SCA · secrets)
After PR push: SAST (Semgrep/SonarQube/CodeQL) analyses unsafe patterns, SCA (Snyk/OSV-Scanner/Trivy) reviews dependencies, secrets scanning over the full diff. Typical output in 3-5 minutes. Blocking only for critical; the rest is reported in the PR without blocking.
Test (IaC · images · baseline DAST)
IaC scanning with Checkov/tfsec/KICS over Terraform/CF/Bicep, container scanning with Trivy/Grype over the built images, baseline DAST (ZAP) if an endpoint is reachable. Output in 5-10 minutes. Blocking on high-severity findings and above.
Deploy (signing · admission policy)
Artefact signing with cosign/sigstore, SBOM generation (CycloneDX/SPDX) attached to the artefact, Kubernetes admission policies (Kyverno/OPA Gatekeeper) that validate signature, origin identity and pod configuration before admitting. Without a valid signature, no deployment happens.
Runtime (DAST · runtime · drift)
Full scheduled DAST against the deployed environment, runtime monitoring with Falco/Sysdig/EDR to detect anomalous behaviour, drift detection against the expected configuration. Critical findings trigger an alert + automated ticket to the owning team.
Feedback (metrics · learn · tune)
Dashboard with DORA + security metrics by team and service. Short weekly retro (15 min) between dev and sec to review trends. Monthly tuning of rules, suppressions and thresholds. The pipeline learns; false positives do not accumulate.
Indicative times for a mid-sized repository (30-80k LOC, single stack). In large monorepos times go up but parallelisation and caching compensate. Listed tools are common examples; we work on whatever the client uses.
DevSecOps maturity (OWASP SAMM)
We use OWASP SAMM (Software Assurance Maturity Model) as the framework. Four levels across five domains (Governance, Design, Implementation, Verification, Operations). Here we simplify it to the pipeline view.
Ad-hoc
Each team does what it can. Some manual scans before release. No automated controls in CI/CD. Findings arrive late and pile up in unprioritised backlogs.
Basic pipeline with SAST + SCA
SAST and SCA running in CI after commit. Blocking only on critical. Findings in PR, but with no clear triage process. High false positives. Dev team starts using it with friction.
Full pipeline with real shift-left
Pre-commit hooks + SAST + SCA + secrets + IaC + container scanning + baseline DAST. Tuned rules, FP <15%. DORA + security metrics. Culture: dev and sec talk daily. Suitable for a reasonable ISO/NIS2 auditor.
Adaptive pipeline + policy as code + chaos
All of the above + runtime admission policies, scheduled chaos testing, continuous threat modelling integrated into design, automated remediation for trivial cases, security metrics as a team objective (not only security's). Few mid-sized organisations live here sustainably.
Tech stack we automate
Table by category with the tools we use most often in real projects. Not exclusive: if your team works with another consolidated tool, we adapt the controls to it.
| Category | Common tools | Stage |
|---|---|---|
| CI/CD platform | GitHub Actions · GitLab CI · Jenkins · Azure DevOps · Bitbucket · CircleCI · ArgoCD | All |
| Pre-commit | pre-commit framework · Husky · lefthook · Gitleaks · TruffleHog | ① |
| SAST | Semgrep · SonarQube · CodeQL · Bandit · ESLint plugin:security | ② |
| SCA / dependencies | Snyk · OSV-Scanner · Trivy · Renovate · Dependabot | ② |
| Secrets scanning | Gitleaks · TruffleHog · Semgrep secrets · GitHub secret scanning | ① · ② |
| IaC scanning | Checkov · tfsec · KICS · Terrascan · Snyk IaC | ③ |
| Container / image | Trivy · Grype · Clair · Docker Scout | ③ |
| Kubernetes admission | Kyverno · OPA Gatekeeper · Pod Security Standards | ④ |
| Signing / SBOM | cosign · sigstore · syft (SBOM) · CycloneDX · SPDX | ④ |
| DAST | ZAP · Burp Suite Enterprise · Nuclei · w3af | ③ · ⑤ |
| Runtime / behaviour | Falco · Sysdig · existing EDR · CrowdStrike · SentinelOne | ⑤ |
| Centralised secrets | HashiCorp Vault · AWS Secrets Manager · Azure Key Vault · GCP Secret Manager | All |
| Policy as code | OPA · Kyverno · Conftest · Sentinel (HCP Terraform) | ③ · ④ |
| Metrics and dashboards | Grafana · Datadog · GitHub Insights · GitLab Value Stream · jq + scripts | ⑥ |
Two service models
The two usual ways to engage the service. Same Hard2bit team, same technical level, different ownership split and cadence.
Managed DevSecOps programme
Continuous operation
We take over operating the security pipeline: weekly finding triage, rule and threshold tuning, justified suppression of false positives, escalation to owning teams, monthly executive dashboard, quarterly review with the CISO or equivalent. When a new service enters, we onboard it to the flow. When a new critical CVE hits a common stack, we assess it in your context within hours, not weeks.
Fits when: small security team or no specific DevSecOps practice; sustained compliance; regulated sector; multiple development teams.
Cadence: daily operation + monthly reporting + quarterly review.
Commitment: 12 months with clear exit clauses.
Periodic DevSecOps audits
Scheduled audits
Full pipeline review every 3-6 months: are the controls still active? what drift has appeared? which findings were not closed? which tools are misconfigured or broken? what improvement opportunities exist? Delivery: technical report, executive report, prioritised roadmap, closing session with security and platform teams. Your team operates day-to-day.
Fits when: you have a capable team to operate; you want a periodic external view; regulatory requirement for independent review.
Cadence: quarterly or half-yearly audit by risk and obligation.
Commitment: fixed-scope project, optional annual retainer with N scheduled audits.
Before and after shift-left
Comparison of how team practice changes when the DevSecOps pipeline is well deployed and operated. Real anonymised patterns.
| Aspect | Before | After |
|---|---|---|
| Secrets in code | Detected in pentest 2-3 months post-release | Blocked pre-commit · automated rotation upfront |
| Vulnerable dependencies | Snyk runs weekly · alerts without owner · growing backlog | SCA in CI blocking critical · auto-PR with upgrade · owner per service |
| IaC configuration | Manual audit each release · 2 weeks | Checkov blocks PR · feedback in minutes · 100% coverage |
| Vulnerabilities in code | Annual pentest · backlog of 80+ unprioritised findings | SAST in CI · weekly triage · critical MTTR <48h |
| Unsigned deployments | Any image from the registry can be deployed | Only images signed with cosign + admission policy |
| Total commit→prod time (simple change) | 3-8 days with manual security approval steps | 2-6 hours · fully automated · clarified gates |
| False positives per sprint | 30-50 alerts the dev team ignores | <10 verified alerts · rules tuned monthly |
| Metrics visible to leadership | Few, annual, post-mortem | Monthly: vulns prevented, MTTR, % coverage, deploys/week |
| Dev ↔ sec relationship | Sec interrupts at release with blockers | Shared daily standup · shared backlog · common objectives |
When it fits and when it does not
Fits very well
When it is worth it
- Active development team with frequent releases (at least weekly)
- CI/CD already in use, even without consolidated security controls
- ISO 27001:2022 (A.8.25-A.8.30), NIS2, DORA or PCI DSS compliance
- Enterprise client asking for secure pipeline evidence as a commercial condition
- After an incident traced to a vulnerable dependency or leaked secret
- Modernisation: monolith to microservices, or going cloud-native
- Small security team that does not scale manually with development
Fits less well
When it is not the first move
- No real CI/CD: manual builds, manual deployments. Consolidate DevOps first
- Team in major refactor: the pipeline will change in weeks and the work becomes debt
- Product mostly built on third-party SaaS: a point-in-time code audit fits better
- Active unresolved incident: incident response first
- Development team openly hostile to security: cultural work needed first
Regulatory fit
| Framework | Reference | What it requires and how we cover it |
|---|---|---|
| ISO 27001:2022 | A.8.25 to A.8.30 | Full secure development block: planning, environment separation, secure configuration, testing, outsourcing. |
| PCI DSS v4.0.1 | Req. 6 in full | Secure system and software development and maintenance. SAST/SCA explicit in 6.2.3 and 6.2.4. |
| NIS2 | Art. 21.2.e + 21.2.f | Cyber hygiene + procedures to assess effectiveness of measures. Documented pipeline + metrics + periodic review. |
| DORA | Art. 9 + 24-27 | ICT risk management + digital resilience testing programme. Pipeline + DAST + optional chaos. |
| Executive Order 14028 (SBOM) | US federal mandate · NIS2 · DORA | SBOM in CycloneDX/SPDX attached to every artefact. Signing policy. |
| NIST SSDF | SP 800-218 | Secure Software Development Framework. Explicit reference framework for US government DevSecOps. |
| OWASP SAMM 2 | Assessment framework | Maturity model across 5 domains. We use it as our diagnostic reference. |
Adaptation by sector
B2B SaaS and software factory
Sweet spot: high release velocity, cloud-native, multi-tenant, enterprise clients asking for evidence. Focus on aggressive SAST/SCA, IaC scanning, public SBOM and artefact signing as a commercial differentiator.
Fintech and financial entities
DORA art. 9 + 24-27. PCI DSS req. 6 where payments are touched. Focus on full pipeline coverage, traceable evidence, reproducible audits. Typical pipeline: SAST + SCA + IaC + DAST + scheduled chaos engineering.
Healthtech
GDPR art. 9 (special category data). Focus on SAST with custom rules for clinical data, IaC scanning of PHI environments, DAST over HL7/FHIR endpoints, artefact signing for administrative audit.
Public sector and government services
ENS by categorisation. NIST SSDF as an additional reference if there is international relationship. Focus on reproducible pipeline, evidence for the administrative auditor, clear documentation for non-technical managers.
Retail and e-commerce
PCI DSS req. 6 where payments are touched. Focus on SAST/SCA over frontend (XSS, JS dependencies), IaC scanning of buckets/CDN, DAST over the payment flow. Typically JS/Node + monorepo pipelines.
Industry and OT with software component
Focus on firmware and associated backend. SBOM as a growing requirement for large buyers. Pipeline may be slower but more conservative: strict blocking on any finding of high severity or above.
Objections we hear and how we answer
«This will break the development pace»
Well deployed, the opposite: the team releases faster because it does not get stuck in end-of-cycle security reviews. The key is starting with blocking only on critical (secrets, critical deps) and tuning progressively. The first month is spent tuning rules so false positives drop below 15% before adding more controls.
«We already run Snyk/SonarQube/X, what do you bring?»
Having a tool running is not DevSecOps. We bring: integration into the team's natural flow (not standalone scans), rule tuning so findings become actionable, weekly triage, metrics visible to both dev and sec, and the operation that keeps the pipeline alive instead of degraded six months in.
«We have no dedicated security team»
The continuous model is designed exactly for that: we act as your external DevSecOps team. We operate the pipeline, do triage, tune rules, raise structural alerts and train your developers. If at some point you want to internalise it, we run an orderly handover.
«Our culture is not ready for this»
Without a minimum shared culture (dev and sec talking), DevSecOps fails. If we see in the walkthrough that friction is very high, we will say so honestly: cultural and process work first (talks, shared objectives, leadership-visible metrics), tooling afterwards. We do not impose a pipeline on a team that will sabotage it.
«Will licence costs explode?»
Depends on the stack. We work with free tooling whenever the case allows it (Semgrep open source, OSV-Scanner, Trivy, OpenSCAP, Checkov, ZAP, Falco, cosign, etc.). We only recommend commercial licences where they add clear value: enterprise clients with consolidated proprietary tooling, or use cases the free version does not cover. No partner bias.
«What if you build us the pipeline and then disappear?»
That is why the continuous model is transparent and reversible: the entire pipeline lives in your repositories, your tools, your cloud accounts. If you decide to stop, it keeps working. If you pick the periodic audits model, your team operates from day one; we review.
KPIs we track in a DevSecOps programme
Ten indicators: five tracked by security and five tracked by development + operations. Both sides see the same data on the same dashboard.
% vulnerabilities detected pre-prod
Master shift-left indicator. Target: 80-90% at 6 months of operation.
MTTR by severity
Mean time to remediate: <48h critical · <2 wk high · <4 wk medium. Downward trend.
% builds blocked by critical findings
Indicator of gate strictness. Target: <5% (higher = noise; zero = threshold too loose).
% secrets prevented in pre-commit
Versus detected after the fact. Target: >95% prevented. Without this, secrets live in repos for weeks.
Control coverage per service
% of services with SAST + SCA + IaC + DAST active. Target: 100% for production services.
Lead time to secure deploy
DORA metric + sec layer: total time from commit to production with all gates passed. Target: hours, not days.
Deploys per week
Classic DORA metric. Target: sustained rise or flat; a drop suggests pipeline friction.
Change failure rate
DORA metric. Target: <15%. Indicates whether the pipeline is catching enough before production.
Mean time to recover
DORA metric. Target: <1h. Indicates pipeline maturity for safe rollback + redeploy.
Dev satisfaction with sec
Short quarterly survey. Target: positive trend. If it drops, controls are badly tuned.
DevSecOps glossary
Shift-left
Moving security controls as far left in the pipeline as possible (pre-commit, build) to catch issues while they still cost minutes rather than weeks.
SAST
Static Application Security Testing. Static code analysis without executing it. Detects known unsafe patterns.
SCA
Software Composition Analysis. Analysis of third-party dependencies and libraries. Detects CVEs and licence issues.
DAST
Dynamic Application Security Testing. Dynamic analysis on the running app. Complementary to SAST.
SBOM
Software Bill of Materials. Inventory of software components. CycloneDX and SPDX are the standard formats.
Policy as code
Security rules expressed as code (Rego, Kyverno, etc.) automatically evaluated at every pipeline decision.
Admission policy
Policy that evaluates each deployment request in Kubernetes/cloud before admitting it. Blocks what does not meet criteria.
Cosign / sigstore
Open-source tool and project for signing artefacts (images, binaries) with verifiable identity, based on transparency.
OWASP SAMM
Software Assurance Maturity Model. OWASP framework to measure the maturity of the software security programme.
BSIMM
Building Security In Maturity Model. Alternative framework from Synopsys, based on empirical observation of real programmes.
False positive (FP)
Scanner finding that after analysis is not exploitable or does not apply. The FP rate determines whether the pipeline helps or hinders.
DORA metrics
The four key DevOps Research and Assessment metrics: deploys/week, lead time, change failure rate, MTTR. Usually combined with sec metrics.
Related services at Hard2bit
Source code security audit
Point-in-time expert audit. Regular coordination: audit finds, DevSecOps automates prevention.
View →
API security audit
DAST and API testing as part of the DevSecOps pipeline when the client has an exposed API.
View →
Web application audit
Complementary. Scheduled DAST in the pipeline + periodic manual audit.
View →
Non-human identities
Secrets management in CI/CD and workload federation are natural intersections with NHI.
View →
Systems hardening
Hardening of the nodes where the pipeline runs (runners, K8s, cloud) and IaC scanning.
View →
Cloud security
DevSecOps pipeline + cloud posture are two sides of modern cloud security.
View →
Third-party risk management
SBOM, SCA and dependencies are the intersection with supply chain risk.
View →
Attack surface management
Monitoring of public repositories, leaked secrets, post-release exposures.
View →
Pentesting
Pentesting validates that the pipeline actually closes what it commits to closing.
View →
Frequently asked questions
What is DevSecOps, and how is it different from DevOps with a scanner bolted on at the end?
DevOps + a scanner at the end is what many call DevSecOps in marketing, but it is not. Real DevSecOps means integrating security in every stage of the cycle: team culture (devs + ops + sec talking daily, sharing metrics and ownership), tooling embedded into the natural flow of work (not standalone audit scans), policy as code, control automation. A scanner at the end generates friction and gets ignored; a control properly integrated pre-commit, in PR and in the pipeline catches the issue while it still costs minutes to fix, not weeks.
What does your service actually do?
Three lines of work. Diagnostic: we measure current DevSecOps maturity against OWASP SAMM or BSIMM and return a prioritised roadmap. Implementation: we add controls at every pipeline stage (pre-commit hooks, SAST, SCA, secrets scanning, IaC scanning, DAST, container scanning, artefact signing, secrets management, policy as code). Operation: the team owns the flow, and we govern it: finding triage, rule tuning to reduce false positives, continuous improvement. Two contractual models: continuous operation programme or periodic point-in-time audits.
Which stack do you work on?
Whatever the client uses. CI/CD: GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, CircleCI, ArgoCD. SAST/SCA/secrets: Semgrep, SonarQube, CodeQL, Snyk, OSV-Scanner, Trivy, Gitleaks, TruffleHog. IaC scanning: Checkov, tfsec, KICS, Terrascan. Container/K8s: Trivy, Grype, Falco, Kyverno, OPA Gatekeeper. DAST: ZAP, Burp Suite Enterprise, Nuclei. Signing and SBOM: cosign/sigstore, syft, CycloneDX, SPDX. Secrets management: Vault, AWS/Azure/GCP Secrets Manager, CyberArk. We do not impose tooling: we work with what the team already knows or whatever is closest to the stack.
Will this not slow development down?
Well implemented, the opposite: total delivery time goes down because problems are caught in minutes rather than weeks. Badly implemented it does slow things down, which is why the first month is spent tuning rules so false positives drop below the threshold the team tolerates (typically <15%), keeping blocking controls only on critical items (secrets, critical dependencies), and giving developers visibility and control over what runs when. The criterion: the average developer should never face an absurd alert.
How much does it cost and how long does it take?
A maturity diagnostic: 2-3 weeks, €6-12k. Initial implementation for a typical stack (1-3 repos, GitHub/GitLab Actions, main cloud): 6-12 weeks, 1-2 engineers, €24-60k. Large platforms with multiple languages, monorepos and several cloud environments take 12-24 weeks and €60-140k. Subsequent continuous operation is billed as a monthly subscription; periodic audits as fixed-scope projects. Before quoting we run an initial diagnostic to size the real scope.
Which metrics actually improve with DevSecOps?
Five tracked by the security team and another five tracked by development and operations. Security: % vulnerabilities detected pre-production, MTTR for vulnerabilities by severity, % builds blocked by critical findings, % secrets prevented vs detected after the fact, control coverage per service. Development/operations: lead time to secure deploy (total time from commit to approved production), deploys per week (classic DORA metric), change failure rate, mean time to recover, developer satisfaction with security controls (measured formally, not assumed).
How does it fit ISO 27001, NIS2, DORA and PCI DSS compliance?
It maps directly to the secure development management block. ISO 27001:2022 (A.8.25 to A.8.30) covers planning, environment separation, configuration and security testing in development. NIS2 art. 21.2.f requires policies and procedures to assess the effectiveness of measures. DORA art. 9 + 24-27 covers the testing and resilience programme. PCI DSS v4 req. 6 is entirely secure development and maintenance. What we deliver — documented pipeline, evidence of executed controls, finding management, measured continuous improvement — is exactly what every auditor asks for.
Do you work on our existing pipeline or build it from scratch?
On the existing one whenever viable. If you already have GitHub Actions/GitLab CI/Jenkins with consolidated flows, we add the controls within those flows without rewriting them. If the base is very weak (no real CI/CD, manual builds, manual deployments), we recommend consolidating the DevOps flow first and then layering Sec on top. We do not impose the CI/CD tool: we work with what the team will maintain after we leave.
What is the difference between continuous programme and periodic audits?
The continuous programme is for clients who want to treat DevSecOps as a living practice: we operate the flow, triage findings, tune rules, surface structural alerts, train the team. It delivers the best result in sustained maturity. Periodic audits are for clients with a capable team that prefers to own the operation and contract external reviews periodically (typically quarterly or half-yearly): the scope is to review the pipeline, identify drift, validate that controls remain active and operational, and deliver an executive report + improvement plan. Same Hard2bit team, same technical level, different contractual models.
How do we start a project with Hard2bit?
A 30-minute call to understand your stack, the moment (post-incident, regulatory requirement, modernisation, scale) and the model that fits. If it makes sense, a 1-2 hour technical walkthrough with a tech lead and a sysadmin/SRE. From there we issue a firm proposal in 48-72 hours: initial diagnostic, implementation scope, assigned team, deliverables and fixed price. If we see it makes sense to combine with a point-in-time code audit before deploying the pipeline, we will say so honestly.
DevSecOps pipeline or periodic audits?
30-minute call to place your current level, your stack and the model that fits. OWASP SAMM maturity diagnostic if it makes sense. Firm proposal in 48-72 hours. No commitments until signature.