
🛡️DevSecOps Pipeline Blueprint

Trivy + Snyk + OPA security gates in CI/CD


OVERVIEW

Reference implementation for shift-left security in Azure DevOps and GitLab CI — integrating container scanning (Trivy), dependency auditing (Snyk), IaC security (Checkov), and policy enforcement (OPA/Conftest) at every pipeline stage.

ARCHITECTURE

%% mermaid architecture diagram
graph LR
  CODE[Code Commit] --> SAST[SAST Scan]
  SAST --> SCA[Dependency Scan - Snyk]
  SCA --> BUILD[Docker Build]
  BUILD --> TRIVY[Trivy Container Scan]
  TRIVY --> IAC[IaC Scan - Checkov/tfsec]
  IAC --> OPA[OPA Policy Gate]
  OPA --> STAGING[Deploy Staging]
  STAGING --> DAST[DAST - OWASP ZAP]
  DAST --> PROD[Deploy Production]

💡 Render with mermaid.live for interactive diagram

KEY HIGHLIGHTS

  • Fail-fast on HIGH/CRITICAL CVEs: Trivy scans the built image and fails the job before the image is pushed or deployed
  • Snyk SCA with license compliance enforcement
  • OPA/Conftest Rego policies evaluated against Kubernetes manifests in the pipeline, before anything reaches a cluster admission controller
  • SARIF report publishing to the Azure DevOps scans tab
  • Automated JIRA ticket creation for unresolved vulnerabilities
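The fail-fast gate above, as an added example that is not part of this blueprint's own code: a small Python step that runs after `trivy image --format json --output trivy.json IMAGE`, blocks on any HIGH/CRITICAL finding, and honours a waiver list whose entries carry a reason and an expiry date so an accepted risk blocks again once its review window lapses. The sample report and waiver list are constructed here in the shape of Trivy's JSON output with placeholder CVE ids (no real advisories); the waiver file format and the `--fixed-only` flag are assumptions made for this example.

```python
"""Severity gate over a Trivy JSON report, with time-bounded waivers.

Added example for this page, not the blueprint's own code. Runs after
`trivy image --format json --output trivy.json IMAGE` and exits 1 on any
HIGH/CRITICAL finding not covered by an unexpired waiver. The waiver file
format is an assumption made for this example.
"""
import json
import sys
from datetime import date

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}
DEMO_DATE = date(2025, 6, 1)  # fixed "today" so the sample run is reproducible

def _vuln(cve, pkg, installed, fixed, severity):
    """Build one entry in the shape Trivy uses under Results[].Vulnerabilities."""
    return {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}

# Constructed sample in the shape of Trivy's JSON output. The CVE ids and
# package names are placeholders, not real advisories.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.com/app:1.2.3",
    "Results": [
        {"Target": "registry.example.com/app:1.2.3 (debian 12.4)",
         "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             _vuln("CVE-2099-0001", "libexample1", "1.0.1", "1.0.2", "CRITICAL"),
             _vuln("CVE-2099-0002", "libexample2", "2.3.0", "2.3.1", "HIGH"),
             _vuln("CVE-2099-0003", "libexample3", "0.9", "0.10", "HIGH"),
             _vuln("CVE-2099-0004", "libexample4", "4.0", "4.1", "MEDIUM"),
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             _vuln("CVE-2099-0005", "examplelib", "5.0.0", "", "HIGH"),  # no fix yet
         ]},
        # Trivy omits the "Vulnerabilities" key entirely for a clean target.
        {"Target": "usr/local/bin/tool", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
}

# Constructed waiver list (assumed format): every accepted CVE carries a reason
# and an expiry date, so a risk decision cannot silently outlive its review.
SAMPLE_WAIVERS = [
    {"id": "CVE-2099-0002", "reason": "vulnerable code path not reachable",
     "expires": "2099-12-31"},
    {"id": "CVE-2099-0003", "reason": "waived pending upstream fix",
     "expires": "2020-01-01"},  # expired: blocks again until re-reviewed
]

def findings(report):
    """Flatten every vulnerability in the report, tagged with its target."""
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            yield {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                   "installed": v.get("InstalledVersion", ""),
                   "fixed": v.get("FixedVersion", ""),
                   "severity": v["Severity"].upper(),
                   "target": result.get("Target", "")}

def active_waivers(waivers, today):
    """Ids of waivers whose expiry date has not passed as of `today`."""
    return {w["id"] for w in waivers if date.fromisoformat(w["expires"]) >= today}

def evaluate(report, waivers, today, fixed_only=False):
    """Split HIGH/CRITICAL findings into blocking, waived and deferred-unfixed."""
    waived = active_waivers(waivers, today)
    verdict = {"blocking": [], "waived": [], "unfixed": []}
    for f in findings(report):
        if f["severity"] not in BLOCKING_SEVERITIES:
            continue  # MEDIUM and below are reported elsewhere, never block
        if f["id"] in waived:
            verdict["waived"].append(f)
        elif fixed_only and not f["fixed"]:
            verdict["unfixed"].append(f)  # nothing to upgrade to yet: report only
        else:
            verdict["blocking"].append(f)
    return verdict

def gate(report, waivers, today=None, fixed_only=False):
    """Print one line per finding and return the job exit code (0 pass, 1 fail)."""
    verdict = evaluate(report, waivers, today or date.today(), fixed_only)
    for kind in ("blocking", "waived", "unfixed"):
        for f in verdict[kind]:
            print(f"[{kind.upper():8}] {f['severity']:8} {f['id']} {f['pkg']} "
                  f"{f['installed']} -> {f['fixed'] or 'no fix'} ({f['target']})")
    print(f"gate: {len(verdict['blocking'])} blocking, "
          f"{len(verdict['waived'])} waived, {len(verdict['unfixed'])} unfixed")
    return 1 if verdict["blocking"] else 0

if __name__ == "__main__":
    # CI usage: python trivy_gate.py trivy.json waivers.json [--fixed-only]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
        with open(sys.argv[2]) as fh:
            waivers = json.load(fh)
        sys.exit(gate(report, waivers, fixed_only="--fixed-only" in sys.argv))
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_WAIVERS, today=DEMO_DATE))
```

For the plain case Trivy's own flags are enough: `--severity HIGH,CRITICAL --exit-code 1` fails the job, `--ignore-unfixed` drops findings with no fix, and a `.trivyignore` file suppresses accepted ids. The script earns its place when you want each waiver to carry a recorded reason and an expiry, and one summary line in the job log that distinguishes blocked, waived and unfixed findings. Keep it in the same job as the scan, before the push step, so a failing gate never lets the image reach the registry.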

METRICS

100% container images scanned pre-deploy
CVE blocking on HIGH/CRITICAL
IaC policy as code for 50+ rules
SARIF reports in Azure DevOps

TECH STACK

Azure DevOps, GitLab CI, Trivy, Snyk, OPA, Checkov, tfsec, Docker, SARIF