
DevSecOps Pipeline Blueprint — 10 Steps

Brand: Citadel Cloud Management
SKU: LM-DEVSECOPS-PIPELINE

A production-ready CI/CD security pipeline blueprint with working GitHub Actions configuration for every stage. Written by Kenny Ogunlowo — a Senior Multi-Cloud DevSecOps Architect who has built pipeline security at enterprise scale across healthcare, defense, and energy sectors.

Every line of code your team ships passes through the CI/CD pipeline. SolarWinds. Codecov. ua-parser-js. These supply chain attacks all exploited the pipeline. This blueprint embeds security into every stage — not as a bolt-on after the fact, but as a first-class deployment gate.

10 Pipeline Security Steps

  • Step 1 — Secret Detection: Gitleaks pre-commit hooks and CI enforcement with custom rule configuration
  • Step 2 — Dependency Scanning (SCA): Trivy filesystem scanning plus GitHub Dependency Review for PRs, with license compliance checks
  • Step 3 — Static Analysis (SAST): Semgrep with OWASP Top 10 and CWE Top 25 rulesets, plus custom rule authoring
  • Step 4 — Unit Tests + Coverage Gate: Pytest with an 80% minimum coverage threshold that blocks PRs
  • Step 5 — Container Image Build: Secure Dockerfile patterns with digest pinning, non-root users, and multi-stage builds
  • Step 6 — Container Scanning: Trivy image scanning for OS packages, language dependencies, and embedded secrets
  • Step 7 — IaC Scanning: Checkov with 1,000+ built-in policies mapped to CIS Benchmarks, SOC 2, HIPAA, and PCI DSS
  • Step 8 — DAST: ZAP baseline scanning against the running application with custom rule configuration
  • Step 9 — Deployment Gate: Policy decision point that aggregates all security signals into a binary deploy/block decision
  • Step 10 — Runtime Monitoring: Falco runtime rules, SBOM generation with Syft, image signing with Cosign, and feedback loops

Working Configuration Included

Every step includes copy-paste-ready YAML configuration for GitHub Actions, custom rule examples, and Dockerfile security patterns. The pipeline runs security scans in parallel for speed and uploads all findings to GitHub's Security tab in SARIF format.

Metrics Framework

Track your DevSecOps maturity with six metrics: Mean Time to Detect (<1 hour target), Mean Time to Remediate (<24h for critical findings), False Positive Rate (<5%), Pipeline Duration (<15 minutes), Test Coverage (>80%), and Deployment Frequency (no degradation).

Download the complete blueprint — free, with no strings attached.

Specifications
Format
Default Title
Variants (1)
  • Default Title — 0.00 USD — In stock
