DevSecOps Pipeline
Six security gates between a commit and production.
A production-ready DevSecOps pipeline with six automated security gates that block deployment on any failure — secrets, SAST, dependencies, policy, container vulns and SBOM — all wired into GitHub Actions with Slack alerts.
The problem
Security bolted on at the end is security skipped. Secrets leak, vulnerable dependencies ship, and misconfigured manifests reach production because nothing stops them in the pipeline.
Our approach
Shift everything left and make it blocking. Each commit runs six gates in sequence — any failure fails the build before an image is ever pushed. Policy-as-code (OPA) checks Dockerfile, Kubernetes and Terraform, and a Syft SBOM ships with every release.
What we built
- Gate 1 — Gitleaks secret scanning
- Gates 2–3 — Semgrep SAST + pip-audit deps
- Gate 4 — OPA/Rego policy on IaC & manifests
- Gate 5 — Trivy container scan (blocks CRITICAL/HIGH)
- Gate 6 — Syft SBOM (SPDX + CycloneDX)
- Blocking gates + Slack alerting in GitHub Actions
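The six gates above, wired together as one GitHub Actions workflow, as an added example and not the workflow from the dhanikaa/devsecops-pipeline repository. Jobs are chained with `needs`, so a failure in any gate stops the run before the image is pushed; the Slack step fires only on failure. The image name, the `policy/`, `k8s/` and `terraform/` directories, `requirements.txt`, and the `SLACK_WEBHOOK_URL` secret are assumptions. Action versions are left at their major tags or `master`; a real pipeline would pin them to a commit SHA.

```yaml
name: devsecops-gates
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  packages: write        # needed only by the final push to GHCR

env:
  # Assumed image name: one tag per commit so scans and SBOMs are traceable to a SHA
  IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}

jobs:
  gate1-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }    # full history so Gitleaks scans every commit, not just HEAD
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  gate2-sast:
    needs: gate1-secrets
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config auto --error .   # --error makes findings a non-zero exit

  gate3-deps:
    needs: gate2-sast
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: |
          pip install pip-audit
          pip-audit -r requirements.txt      # assumed manifest; exits 1 on any known vuln

  gate4-policy:
    needs: gate3-deps
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Conftest evaluates Rego policies from policy/ (assumed) against Dockerfile, YAML and HCL
      - run: |
          docker run --rm -v "$PWD":/project openpolicyagent/conftest \
            test Dockerfile k8s/ terraform/ -p policy/

  gate5-6-image:
    needs: gate4-policy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t "$IMAGE" .
      # Gate 5: scan the local image; exit-code 1 on CRITICAL/HIGH blocks the push below
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          severity: CRITICAL,HIGH
          exit-code: "1"
          ignore-unfixed: true
      # Gate 6: SBOM in both SPDX and CycloneDX, kept as a build artifact
      - uses: anchore/sbom-action/download-syft@v0
      - run: syft "$IMAGE" -o spdx-json=sbom.spdx.json -o cyclonedx-json=sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with: { name: sbom, path: sbom.* }
      # Only reached when every gate has passed
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker push "$IMAGE"

  notify:
    needs: [gate1-secrets, gate2-sast, gate3-deps, gate4-policy, gate5-6-image]
    if: failure()                 # runs only when some gate failed
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -sS -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"Security gate failed: ${GITHUB_REPOSITORY}@${GITHUB_SHA} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}\"}" \
            "${{ secrets.SLACK_WEBHOOK_URL }}"     # assumed incoming-webhook secret
```

Building, scanning and pushing in one job avoids shipping the image between runners; the `needs` chain is what enforces order, and `if: failure()` on the notify job is what turns any red gate into a Slack alert.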
Shipped
The outcome
Nothing reaches production without clearing all six gates first.
Read the code.
Source: github.com/dhanikaa/devsecops-pipeline