
DevSecOps

What this guide covers

Covers how to enforce, at the pipeline level, that code produced by AI coding tools does not violate your organization's open source policies. This is a practical guide to building a company-wide DevSecOps system, including SBOM creation, vulnerability management, license governance, and continuous monitoring. It also explains how to map the pipeline to the requirements of ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance).


Relationship to the AI Coding Guide

If you applied Quick CI/CD first, read this section

The Quick CI/CD page of the AI Coding Guide aims to help developers create a basic gate in 30 minutes. This DevSecOps guide covers enterprise policy design, multi-repository management, and audit response. The two guides can be used independently, but we recommend reading them in the following order: AI Coding — 4-Step Strategy → Quick CI/CD → DevSecOps.


Structure of this menu

| Page | Contents covered | Recommended readers |
|---|---|---|
| Introduction Strategy | Maturity model / step-by-step roadmap | Team Lead · Architect |
| SAST | Static analysis — CodeQL · Semgrep | Developer · DevOps |
| SCA | Dependency analysis — syft · grype · SBOM | DevOps · Security Team |
| Secret Detection | Prevent key/token leakage — Gitleaks | Developer · DevOps |
| Container Security | Image vulnerabilities — Trivy | DevOps · Security Team |
| IaC Security | Infrastructure code inspection — Checkov | DevOps · SRE |
| DAST | Dynamic analysis — OWASP ZAP · Nuclei | Security Team · QA |
| Pipeline Design | Full integrated design · GitHub Actions | DevOps Engineer |
| Monitoring · Automatic Correction | Continuous scanning and automatic PRs after deployment | DevOps · Security Team |
| ISO standard linkage | ISO/IEC 18974 requirements mapping | Compliance Manager |

Where to start?

Starting point for each role
  • New to DevSecOps → Start with Introduction Strategy
  • I want to catch code quality issues and security vulnerabilities at the code stage → Start with SAST
  • I am concerned about open source dependency vulnerabilities → Start with SCA
  • An API key or token has been committed to code → Start with Secret Detection
  • Running a container environment → Start with Container Security
  • Preparing for ISO/IEC 18974 certification → Start with ISO standard linkage (however, we recommend reading the SCA page first)