@oazabir
Last active September 17, 2025 08:26
Gist: oazabir/299153909cf26b3b503cccfd1068c102
DevSecOps Pipeline Checklist

Purpose: A practical, repo-ready checklist that mirrors the DevSecOps pipeline stages and their gates. Use it as your team’s working agreement.

Tip: Copy this file as DEVSECOPS_CHECKLIST.md in your repo. Create the PR template below at .github/pull_request_template.md.


How to use this checklist

  • Set your severity gates (e.g., block CRITICAL/HIGH), coverage target (e.g., 80% line / 70% branch), and exception SLA (≤ 30 days).
  • Assign Owners for each section (platform, security, app team).
  • Review quarterly and tighten gates as your signal:noise improves.

Org & Repo Foundations (one-time)

Setup

  • Branch protection on main (required reviews, required status checks, no force pushes).
  • CODEOWNERS, PR & issue templates; SECURITY.md with report process.
  • Enforce signed commits (GPG or Sigstore gitsign). Enable platform secret scanning + push protection.
  • CI/CD tokens least-privilege; prefer OIDC to cloud (no long-lived keys). Default tokens to read where possible.
  • Choose and document scanners & policies (SAST, SCA, IaC, container, DAST). Define vuln SLAs and exception flow with expiry.
  • Enable Renovate/Dependabot (app deps + base images).
  • SBOM format decided (CycloneDX/SPDX) + storage/retention.
  • Container registry with immutable tags + retention policy.
  • Release/tagging scheme (vX.Y.Z, sha-<12>).
  • Observability baseline: logs, metrics, traces, error tracking; SLOs & alerting.

Checks & Gates

  • Protections & CODEOWNERS enforced across repos.
  • Exceptions tracked with owner + expiry date.

1) Pre-commit (local & CI on PR)

Setup

  • pre-commit configured with formatters/linters (Black/ESLint/golangci-lint, etc.).
  • Secrets scanner hook (Gitleaks/truffleHog).
  • Block large binaries; use Git LFS policy if needed.
  • Conventional Commits (optional hook to validate).

Checks & Gates

  • Formatting & lint pass.
  • No secrets detected (hard fail).
  • No large binaries introduced unintentionally.
  • Commit messages follow convention (if enforced).

2) PR CI (SAST, SCA/SBOM, IaC, Tests, Image Build/Scan)

Setup

  • SAST: Semgrep and/or CodeQL configured; rulepacks tuned; fail on HIGH/CRITICAL (or custom policy).
  • SCA: OSV-Scanner/Dependency-Check enabled; set license allow/deny list; auto-PRs for updates.
  • SBOM: Syft to generate CycloneDX/SPDX; store as artifact.
  • IaC: Checkov/tfsec for Terraform; kube-linter/kubeconform/Conftest for K8s.
  • Tests & Coverage: tooling chosen (Jest/Pytest/go test); thresholds set in CI.
  • Container build: multi-stage; distroless/Chainguard base; non-root; drop capabilities; read-only FS; HEALTHCHECK present.
  • Image scanning: Trivy/Grype on PR image; fail on CRITICAL/HIGH (ignore-unfixed true if policy allows).
  • Upload SARIF to code scanning; enable PR annotations.

Checks & Gates

  • SAST: no new HIGH/CRITICAL (or approved, time-boxed exception).
  • SCA: no HIGH/CRITICAL; no disallowed licenses.
  • IaC: no critical misconfigs (public exposure, no encryption, bad network rules, etc.).
  • Unit tests pass; coverage ≥ target.
  • Image is minimal & non-root; capabilities minimized; read-only FS.
  • Image vulnerability scan passes policy.
  • SBOM generated & attached to CI artifacts.

Artifacts

  • Test & coverage reports; SAST/SCA/IaC SARIF; SBOM; PR image reference.
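The gates above, together with the severity threshold and exception SLA chosen under "How to use this checklist", reduce to one small policy evaluation that runs after the scanner. The script below is an added example written for this page, not code from the gist: it evaluates a constructed Trivy-style JSON report against a block-at severity, an ignore-unfixed switch and an exception register whose entries must carry an owner and expire within the SLA. The report, the placeholder CVE identifiers, the exception-file layout and the policy keys are all this example's assumptions.

```python
"""Severity gate with time-boxed exceptions (added example; not part of the gist)."""
import json
from datetime import date, timedelta

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed Trivy-style image report, trimmed to the fields the gate reads.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"Results": [{"Target": "app (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "FixedVersion": "3.1.4-r1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib", "FixedVersion": "1.3-r1", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "curl", "FixedVersion": "8.5.0-r1", "Severity": "HIGH"},
]}]})

# Constructed exception register; the file layout is this example's own assumption.
# Every entry carries an owner and an expiry date, as the checklist requires.
SAMPLE_EXCEPTIONS = [
    {"id": "CVE-0000-0001", "pkg": "openssl", "owner": "app-team", "expires": "2025-09-01", "reason": "code path unreachable"},
    {"id": "CVE-0000-0002", "pkg": "musl", "owner": "platform", "expires": "2026-12-31", "reason": "no upstream fix"},
    {"id": "CVE-0000-0004", "pkg": "curl", "owner": "app-team", "expires": "2025-10-01", "reason": "upgrade PR open"},
]

DEFAULT_POLICY = {"block_at": "HIGH", "ignore_unfixed": True, "max_exception_days": 30}


def classify_exceptions(exceptions, today, max_days):
    """Split the register into exceptions the gate may honour and ones it must refuse."""
    active, rejected = [], []
    for e in exceptions:
        expires = date.fromisoformat(e["expires"])
        if expires < today:
            rejected.append((e["id"], "expired"))
        elif expires > today + timedelta(days=max_days):
            rejected.append((e["id"], "expiry exceeds exception SLA"))
        elif not e.get("owner"):
            rejected.append((e["id"], "no owner"))
        else:
            active.append(e)
    return active, rejected


def evaluate(report_json, exceptions, policy=None, today=None):
    """Return the gate verdict for one scanner report. `today` is an ISO date string (defaults to the real date)."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[policy["block_at"]]
    active, rejected = classify_exceptions(exceptions, today, policy["max_exception_days"])
    blocking, suppressed = [], []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue  # below the gate
            if policy["ignore_unfixed"] and not v.get("FixedVersion"):
                continue  # nothing actionable yet; Day-2 rescans catch it once a fix ships
            # An exception must name the CVE *and* the package; a bare CVE ID would silently
            # cover every package that vulnerability shows up in.
            if any(e["id"] == v["VulnerabilityID"] and e["pkg"] == v["PkgName"] for e in active):
                suppressed.append(v["VulnerabilityID"])
            else:
                blocking.append(v["VulnerabilityID"])
    return {"pass": not blocking, "blocking": blocking, "suppressed": suppressed,
            "rejected_exceptions": rejected}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, today="2025-09-17")
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["pass"] else 1)
```

Expired exceptions and exceptions that run past the SLA are reported rather than silently honoured, which is what makes the weekly expiry review in Day-2 possible. Run it as the last step after the scanner (for Trivy, `trivy image --format json -o report.json <image>` and then this script), with the exception register committed beside the code so it gets the same review as any other change.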

3) Ephemeral Preview (per-PR environment)

Setup

  • Per-PR namespace or preview env with TTL & auto teardown.
  • Minimal seeded data; no PII; safe migrations.
  • Secrets via External/Sealed Secrets (no inline secrets).
  • OWASP ZAP baseline config; exclude login endpoints if needed.
  • Preview URL posted as PR comment/status.

Checks & Gates

  • Smoke & integration tests pass against preview URL.
  • DAST baseline: no MEDIUM/HIGH.
  • Basic perf sanity (e.g., p95 latency within budget).
  • Optional: accessibility lint passes.

Artifacts

  • ZAP report; preview link; test logs.

Gate to Merge (summary)

  • No secrets introduced.
  • SAST/SCA/IaC gates pass (or approved exception with expiry).
  • Tests & coverage targets met.
  • Image scan passes policy.
  • DAST baseline passes.
  • Reviewer approvals complete.

4) Main Merge (rebuild, sign, attest)

Setup

  • Rebuild image from clean context on main (avoid cache poisoning).
  • Tagging: record the immutable digest; push sha-<12> on every main build and semver (vX.Y.Z) on release; if you push latest at all, treat it as a convenience pointer, never as something a manifest references.
  • Cosign keyless signing via OIDC; signatures pushed to registry.
  • Generate provenance (SLSA) + SBOM attestation; attach to image.
  • Deploy-side signature verification policy (Ratify/Connaisseur/Admission).

Checks & Gates

  • SBOM regenerated and stored; vulnerabilities rescanned on main image.
  • Image signed; signature & provenance verifiable.
  • Registry tags immutable; digest recorded in release notes.
  • Build metadata archived (who/what/when).

Artifacts

  • Signed image (by digest), SBOM, SLSA attestation, release notes.
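Signing proves who pushed the image; the provenance and SBOM attestations only earn their keep if the deploy side checks their claims against the digest it is about to run. The script below is an added example for this page, not code from the gist: it unwraps DSSE envelopes of the shape `cosign verify-attestation` returns once the signature has been verified, then enforces a policy of the kind described above (expected predicate type, subject digest equal to the pinned digest, trusted builder identity, expected source repository, and a ref of main or a vX.Y.Z release tag) and insists that an SBOM attestation exists for the same digest. The statements, the policy values, the repository and builder identifiers and the placeholder digest are all constructed.

```python
"""Provenance and SBOM attestation policy check (added example; not part of the gist)."""
import base64
import json
import re

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
SBOM_TYPES = {"https://cyclonedx.org/bom", "https://spdx.dev/Document"}
RELEASE_TAG = re.compile(r"^refs/tags/v\d+\.\d+\.\d+$")  # the checklist's vX.Y.Z scheme

IMAGE_DIGEST = "a" * 64  # placeholder for the sha256 the manifest pins

# What the deploy side trusts. Values are this example's assumptions.
POLICY = {
    "trusted_builders": {"https://github.com/actions/runner/github-hosted"},
    "source_repo": "https://github.com/example-org/api",
    "allowed_refs": {"refs/heads/main"},  # release tags are accepted via RELEASE_TAG
}

# Constructed statements in the SLSA v1 / in-toto layout.
SAMPLE_PROVENANCE = {
    "_type": IN_TOTO_STATEMENT,
    "subject": [{"name": "ghcr.io/example-org/api", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/api",
                "path": ".github/workflows/release.yml"}},
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}
SAMPLE_SBOM_ATTESTATION = {
    "_type": IN_TOTO_STATEMENT,
    "subject": [{"name": "ghcr.io/example-org/api", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": "https://cyclonedx.org/bom",
    "predicate": {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []},
}


def envelope(statement):
    """Wrap a statement the way DSSE does: base64 payload plus signatures (signature bytes omitted here)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": [{"sig": ""}]}


def decode_envelope(env):
    """Recover the statement from a DSSE envelope. Signature verification is cosign's job and is
    assumed to have happened already; this only inspects the claims."""
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def subject_matches(statement, digest):
    return any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", []))


def check_provenance(statement, digest, policy):
    """Return the reasons a provenance statement must not be trusted for `digest` (empty = fine)."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    if not subject_matches(statement, digest):
        problems.append("subject digest does not match the image being deployed")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append(f"untrusted builder {builder!r}")
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != policy["source_repo"]:
        problems.append(f"built from {wf.get('repository')!r}, expected {policy['source_repo']!r}")
    ref = wf.get("ref", "")
    if ref not in policy["allowed_refs"] and not RELEASE_TAG.match(ref):
        problems.append(f"built from ref {ref!r}, not main or a release tag")
    return problems


def check_attestations(statements, digest, policy=POLICY):
    """Require one trustworthy provenance and one SBOM attestation, both for exactly this digest."""
    provenance = [s for s in statements if s.get("predicateType") == SLSA_V1 and subject_matches(s, digest)]
    sboms = [s for s in statements if s.get("predicateType") in SBOM_TYPES and subject_matches(s, digest)]
    problems = [] if provenance else ["no SLSA provenance attestation for this digest"]
    for p in provenance:
        problems.extend(check_provenance(p, digest, policy))
    if not sboms:
        problems.append("no SBOM attestation for this digest")
    return {"pass": not problems, "problems": problems}


if __name__ == "__main__":
    envelopes = [envelope(SAMPLE_PROVENANCE), envelope(SAMPLE_SBOM_ATTESTATION)]
    verdict = check_attestations([decode_envelope(e) for e in envelopes], IMAGE_DIGEST)
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["pass"] else 1)
```

The digest comparison is the important line: an attestation for some other build of the same repository is still a valid, signed attestation, so matching on subject digest rather than on image name is what ties the claim to the bits being deployed. The same checks belong in the admission policy (Ratify, Connaisseur or a Gatekeeper/OPA rule) so a manifest PR cannot route around them.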

5) Deploy via GitOps (staging → prod)

Setup

  • Separate manifests repo watched by Argo CD/Flux (cluster creds read-only).
  • Admission controls: Pod Security Admission levels (baseline/restricted); OPA/Gatekeeper (non-root, capabilities, resource limits, labels, signature verify).
  • Progressive rollout: Argo Rollouts/Flagger; metrics provider (Prometheus/Datadog) + success criteria.
  • Secrets: External/Sealed Secrets; KMS CMK configured; rotation policy.
  • Networking: NetworkPolicies; TLS/mTLS; HSTS on ingress.
  • Resources & reliability: HPA, PDBs, requests/limits, quotas per namespace.
  • Pre-deploy validation: kubeconform (kubeval is no longer maintained) + kubectl diff -f <manifests>, which already performs a server-side dry run; the old --server-dry-run flag no longer exists (for apply semantics use kubectl apply --dry-run=server).
  • Environments: staging auto; prod requires manual approval (Environment gate).

Checks & Gates

  • Manifest PR references signed image digest (avoid latest).
  • Policy checks pass (OPA, signature, security contexts, limits present).
  • Staging healthy; promotion PR only when green.
  • Canary/blue-green meets metrics; auto-rollback on SLO breach.
  • Post-deploy smoke + active DAST run; results attached.

Artifacts

  • Deployment report (rollout, metrics, DAST) + changelog linked to commits.
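The "references signed image digest (avoid latest)" gate is easy to state and easy to get wrong in the corner cases: a registry with a port, an untagged reference that silently means latest, a tag plus a digest. The script below is an added example for this page, not code from the gist: a line-oriented check over manifest text that parses each image reference into registry, repository, tag and digest, then rejects anything without a well-formed sha256 digest, anything floating (latest or untagged) and anything from a registry outside an allow-list. The manifests, the placeholder digests and the registry allow-list are constructed; it scans `image:` lines rather than parsing YAML, which is adequate for a promotion-PR check but not a substitute for kubeconform or Conftest at admission.

```python
"""Digest-pinning and registry check for GitOps manifests (added example; not part of the gist)."""
import re

IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*['"]?([^'"\s#]+)""")
SHA256_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed manifests of the kind a promotion PR carries. Digests are placeholder hex.
SAMPLE_MANIFESTS = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  template:
    spec:
      initContainers:
        - name: migrate
          image: ghcr.io/example-org/migrate@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
      containers:
        - name: api
          image: ghcr.io/example-org/api:1.4.2@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        - name: sidecar
          image: ghcr.io/example-org/sidecar:latest
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: worker
spec:
  template:
    spec:
      containers:
        - name: worker
          image: docker.io/library/busybox
        - name: cache
          image: localhost:5000/cache:2.0
"""


def parse_reference(ref):
    """Split an OCI reference into registry, repository, tag and digest ('' where absent)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first path segment is a registry only if it looks like a host (dot, port or localhost).
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # With the registry (and its port) stripped, a colon in the last segment is the tag separator.
    head, sep, tail = path.rpartition(":")
    repo, tag = (head, tail) if sep and "/" not in tail else (path, "")
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}


def check_reference(ref, allowed_registries):
    """Return the policy violations for one image reference; an empty list means it is deployable."""
    parts = parse_reference(ref)
    problems = []
    if parts["registry"] not in allowed_registries:
        problems.append(f"registry {parts['registry']!r} is not on the allow-list")
    if not parts["digest"]:
        problems.append("no digest: a tag can be re-pointed after review, so the deployed bits need not be the reviewed bits")
    elif not SHA256_DIGEST.match(parts["digest"]):
        problems.append("malformed digest")
    if parts["tag"] == "latest" or not (parts["tag"] or parts["digest"]):
        problems.append("floating reference (latest or untagged)")
    return problems


def check_manifests(text, allowed_registries=("ghcr.io",)):
    """Scan manifest text line by line for image: entries and report the offending references."""
    findings = {}
    for line in text.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            problems = check_reference(m.group(1), allowed_registries)
            if problems:
                findings[m.group(1)] = problems
    return findings


if __name__ == "__main__":
    for ref, problems in check_manifests(SAMPLE_MANIFESTS).items():
        print(ref)
        for p in problems:
            print("  -", p)
```

On the sample above the api and migrate containers pass (a tag next to a digest is fine, the digest wins), while the sidecar, busybox and localhost references each fail for the reason printed. Run it as a required status check on the manifests repo so the promotion PR cannot merge with a floating reference, and keep the registry allow-list short: a digest from an unexpected registry is still a digest you never built.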

6) Day-2 Security & Operations

Setup

  • Runtime detection (Falco) with rules for crypto-miners, shell spawns, namespace escapes.
  • CIS/Kube hardening: kube-bench; node OS patching cadence.
  • Continuous image rescans; ticketing integration for new vulns.
  • License compliance based on SBOM; allow/deny; third-party notices.
  • Backups for stateful services; restore drill runbooks; RPO/RTO.
  • Secrets rotation schedule; certificate expiry monitors.
  • Central audit logs; retention; access reviews; MFA/SSO enforced.
  • Incident response runbooks; on-call & paging; postmortem template.

Checks & Cadence

  • Weekly: vuln triage & exception expiry review.
  • Monthly: IAM/RBAC review; base image updates.
  • Quarterly: backup restore drill; threat-model refresh.
  • Continuous: alert tuning; SLO & error budget tracking.
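License compliance based on the SBOM (here, and in the SCA gate of section 2) means evaluating SPDX expressions, not string-matching a license name: a component licensed "GPL-3.0-only OR Apache-2.0" is usable, one licensed "X AND GPL-3.0-only" is not. The script below is an added example written for this page, not the gist's code: it walks a constructed CycloneDX 1.5 document, handles the id / name / expression forms CycloneDX permits, evaluates OR and AND with SPDX precedence, and sends anything it cannot decide (no license metadata, parentheses, WITH exceptions) to human review instead of guessing. The package names and purls, the allow/deny lists and the choice to block only on deny are assumptions.

```python
"""License gate over a CycloneDX SBOM (added example; not part of the gist)."""
import json

ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DENY = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed CycloneDX 1.5 document; package names and purls are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "mit-lib", "version": "1.0.0", "purl": "pkg:npm/mit-lib@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "dual-lib", "version": "2.0.0", "purl": "pkg:npm/dual-lib@2.0.0",
         "licenses": [{"expression": "GPL-3.0-only OR Apache-2.0"}]},
        {"type": "library", "name": "strict-lib", "version": "0.9.1", "purl": "pkg:npm/strict-lib@0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery-lib", "version": "4.2.0", "purl": "pkg:npm/mystery-lib@4.2.0"},
        {"type": "library", "name": "combo-lib", "version": "1.0.0", "purl": "pkg:npm/combo-lib@1.0.0",
         "licenses": [{"expression": "LGPL-2.1-only AND MIT"}]},
    ]})


def declared_expressions(component):
    """Collect the SPDX expressions a component declares (CycloneDX allows id, name or expression)."""
    exprs = []
    for entry in component.get("licenses") or []:
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:
            exprs.append(entry["license"].get("id") or entry["license"].get("name") or "")
    return [e for e in exprs if e]


def classify_term(term, allow, deny):
    if term in deny:
        return "deny"
    return "allow" if term in allow else "review"


def classify_expression(expr, allow, deny):
    """Evaluate a flat SPDX expression: OR passes when any branch is allowed, AND needs every branch.
    Parenthesised or WITH-qualified expressions go to a human rather than being guessed (an
    assumption of this example, not an SPDX rule)."""
    expr = expr.strip()
    if "(" in expr or " WITH " in expr:
        return "review"
    if " OR " in expr:  # OR binds loosest in SPDX, so split on it first
        verdicts = {classify_expression(b, allow, deny) for b in expr.split(" OR ")}
        if "allow" in verdicts:
            return "allow"
        return "deny" if verdicts == {"deny"} else "review"
    if " AND " in expr:
        verdicts = {classify_term(b.strip(), allow, deny) for b in expr.split(" AND ")}
        if "deny" in verdicts:
            return "deny"
        return "allow" if verdicts == {"allow"} else "review"
    return classify_term(expr, allow, deny)


def check_sbom(sbom_json, allow=ALLOW, deny=DENY):
    """Map each component (by purl) to allow / deny / review."""
    results = {}
    for comp in json.loads(sbom_json).get("components", []):
        key = comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}"
        exprs = declared_expressions(comp)
        if not exprs:
            results[key] = "review"  # no license metadata at all: somebody has to look
            continue
        verdicts = [classify_expression(e, allow, deny) for e in exprs]
        if "deny" in verdicts:
            results[key] = "deny"
        else:
            results[key] = "allow" if all(v == "allow" for v in verdicts) else "review"
    return results


def gate(results):
    """Fail on any denied license; unknown licenses are surfaced for review but do not block on their own."""
    denied = sorted(k for k, v in results.items() if v == "deny")
    review = sorted(k for k, v in results.items() if v == "review")
    return {"pass": not denied, "denied": denied, "needs_review": review}


if __name__ == "__main__":
    verdict = gate(check_sbom(SAMPLE_SBOM))
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["pass"] else 1)
```

Because the same SBOM is produced on every PR (section 2) and regenerated on main (section 4), this check can run in both places with the same allow/deny lists; the "needs review" bucket is the input to the third-party notices work, since those are exactly the components whose terms nobody has confirmed yet.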

Optional Tracks

Data & Privacy

Setup

  • Data classification & PII inventory.
  • Encryption: TLS 1.2+ in transit; KMS at rest.
  • DLP & PII/secret lint in repos and logs.
  • Data retention & deletion workflows (per policy).

Checks

  • No PII in logs; scrubbing configured in APM.
  • Access to prod data gated, auditable, and time-boxed.

Team Ergonomics

Setup

  • Standard Makefile/tasks (make test, make build, make scan).
  • Fast local dev (containers/Dev Containers).
  • Flaky test quarantine process.

Checks

  • CI time budget met; healthy cache hit rate; no flaky tests on main.

Definition of Done (attach to PRs)

  • All security gates (SAST/SCA/IaC/Image, DAST baseline) green or exception approved with expiry.
  • Tests pass & coverage ≥ target; docs & changelog updated.
  • SBOM generated; image non-root; signed; provenance generated.
  • Preview link posted; reviewer approvals complete.

Slim PR Template (save as .github/pull_request_template.md)

## Summary
Describe the change and why.

## Issue
Closes #<id>

## Type of change
- [ ] Feature
- [ ] Bug fix
- [ ] Security hardening
- [ ] CI/CD only
- [ ] Docs

## Definition of Done
- [ ] SAST/SCA/IaC passed (or exception with expiry)
- [ ] Unit/integration tests passed; coverage ≥ target
- [ ] Container image non-root & scanned; no HIGH/CRITICAL
- [ ] SBOM attached to CI artifacts
- [ ] Preview URL posted; ZAP baseline no MEDIUM/HIGH
- [ ] Reviewed by code owner(s)

## Security/Privacy Impact
Any new endpoints, scopes, secrets, or data flows? If yes, note mitigations.

## Deployment Notes
Rollout plan (canary/blue-green), migrations, feature flags, rollback steps.

## Screenshots
(if UI)