DevSecOps
This section is an optional stage that automatically applies the policies built in Governance to your code and CI pipeline. If self-certification against the standards is your goal, finish the governance setup first. If you have a development team, this is where you enforce those policies in day-to-day development.
What this guide covers
This guide covers how to enforce, at the pipeline level, that code generated by AI coding tools does not violate your organization's open source policies. It is a practical guide to building a company-wide DevSecOps system that spans SBOM generation, vulnerability management, license governance, and continuous monitoring. It also explains how to align with the requirements of the ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance) standards.
Relationship to the AI Coding guide
The Quick CI/CD page of the AI Coding guide aims to help developers set up a basic gate in 30 minutes. This DevSecOps guide builds on that to cover company-wide policy design, multi-repository management, and audit response. The two guides can be used independently, but we recommend reading them in the following order: AI Coding — 4-Step Strategy → Quick CI/CD → DevSecOps.
Structure of this menu
| Page | Contents covered | Recommended Readers |
|---|---|---|
| Introduction Strategy | Maturity model · step-by-step roadmap | Team Lead · Architect |
| SAST | Static analysis — CodeQL · Semgrep | Developer · DevOps |
| SCA | Dependency analysis — syft · grype · SBOM | DevOps · Security Team |
| Secret Detection | Prevent key/token leakage — Gitleaks | Developer · DevOps |
| Container Security | Image vulnerabilities — Trivy | DevOps · Security Team |
| IaC Security | Infrastructure-as-code inspection — Checkov | DevOps · SRE |
| DAST | Dynamic analysis — OWASP ZAP · Nuclei | Security Team · QA |
| Pipeline Design | Full integrated design · GitHub Actions | DevOps Engineer |
| Monitoring · Auto-Remediation | Continuous post-deployment scanning · automatic PRs | DevOps · Security Team |
| ISO Standard Mapping | ISO/IEC 18974 requirements mapping | Compliance Manager |
Where to start?
- New to DevSecOps → Start with Introduction Strategy
- Want to catch code quality and security vulnerabilities at the code stage → Start with SAST
- Concerned about open source dependency vulnerabilities → Start with SCA
- An API key or token has been exposed in code → Start with Secret Detection
- Running a container environment → Start with Container Security
- Preparing for ISO/IEC 18974 certification → Start with ISO Standard Mapping (we recommend reading the SCA page first)
See also
- To build a standards-based management system from the ground up, see the Open Source Management Guide.
- To apply policies to AI coding tools (Cursor, Copilot, Claude Code, etc.), see AI Coding Governance.