DEVSECOPS

Shift Left Security in CI/CD Pipelines


#Devsecops

🔐 Shift Left Security in CI/CD Pipelines

When it comes to modern software development, integrating security early in the CI/CD pipeline—known as Shift Left Security—is no longer optional. Rather than treating security as an afterthought, we proactively build it into every stage of development and delivery.

Here’s how we implemented Shift Left Security in our CI/CD pipeline, step by step, using real tools and processes.

diagram-export-7-8-2025-7_56_30-PM

🧑‍💻 1. Local Checks – Pre-Commit & Pre-Push Hooks

Before code even reaches the repository, we enforce checks on the developer’s machine.

🔸 Pre-Commit Hook

  • Trigger: git commit
  • Check for: Secrets, API keys, tokens
  • Action: Block the commit if secrets are detected with clear error messages

Tools:

  • GitLeaks
  • Custom shell scripts (for specific patterns or formats)

🔸 Pre-Push Hook

  • Trigger: git push
  • Check for: Final secret scanning before pushing
  • Action: Prevent push if anything sensitive is found

Example Pre-Push Hook:

#!/bin/sh
echo "[Pre-Push] Running GitLeaks for secrets check..."
gitleaks detect --source . --exit-code 1
if [ $? -ne 0 ]; then
  echo "❌ Secrets detected. Push aborted."
  exit 1
fi
echo "✅ No secrets found. Proceeding with push."

🎯 Goal: Prevent secrets and sensitive data from ever reaching the repository.

🚀 2. Git Push Triggers CI Pipeline

Once code is pushed to GitHub/GitLab, our CI pipeline initiates.

a. 🔍 Secret Scanning (Again)

Even though it’s done locally, this is a safety net to catch anything missed.

Tools:

  • GitLeaks
  • TruffleHog (optional)

b. 📦 Software Composition Analysis (SCA)

Scan all dependencies for known vulnerabilities and license risks.

Tools:

🛠️ 3. Build, Test & SAST

a. ✅ Build & Test

  • Run unit tests
  • Code linting and quality checks

b. 🧠 Static Application Security Testing (SAST)

  • Analyze source code for security vulnerabilities

Tools:

📦 4. Docker Image Creation

  • Build the application into a Docker image
  • Use minimal base images and follow secure Dockerfile practices

🔍 5. Container Image Scanning

Scan the Docker image for:

  • Known vulnerabilities
  • Secrets embedded in layers
  • Misconfigurations

Tools:

  • Snyk Container
  • Trivy
  • Grype (optional)

📤 6. Push to Container Registry

If all scans pass, the image is pushed to:

  • DockerHub
  • Azure Container Registry (ACR)
  • AWS ECR / GCR

☸️ 7. Deployment

Deploy the application using:

  • Kubernetes
  • Helm
  • GitOps tools like ArgoCD or Flux

🕵️ 8. Dynamic Application Security Testing (DAST)

Post-deployment black-box scanning of the running application.

Tools:

  • OWASP ZAP
  • Burp Suite (Advanced)
  • Nuclei (optional)

🧩 9. Runtime Security

Monitor live apps for anomalies and unauthorized behavior.

Tools:

  • Falco
  • Sysdig
  • Kubernetes PSPs or Admission Controllers

🏁 Conclusion

Shift Left Security isn’t about burdening developers—it’s about empowering them to catch issues early. This automated, layered approach saves time, enhances security, and protects your application across its lifecycle.