Designing a DevSecOps Pipeline: Security Gates That Don't Slow You Down
How to embed SAST, DAST, SCA, and container scanning into CI/CD without killing developer velocity.
Security teams want every vulnerability caught before production. Development teams want to ship fast. These goals are not mutually exclusive — but they require careful pipeline design. A poorly integrated security gate becomes a bottleneck that developers route around. A well-designed one becomes invisible infrastructure that catches real issues without adding friction.
Here is how we design DevSecOps pipelines for enterprise clients that balance security rigour with developer velocity.
The Core Principle: Fast Feedback, Late Enforcement
The single most important design decision is separating feedback from enforcement.
- Feedback should happen as early and as fast as possible — ideally in the developer's IDE or within seconds of a commit.
- Enforcement (blocking a merge or deployment) should happen at well-defined gates with clear, actionable output.
When you conflate these two, you get pipelines that block PRs for 20 minutes while a full DAST scan runs. Developers stop trusting the pipeline and start looking for workarounds.
Layer 1: Pre-Commit and IDE Integration
Security starts before code reaches the pipeline.
- Secret scanning with tools like gitleaks or truffleHog should run as a pre-commit hook. A leaked API key is exponentially cheaper to catch here than in production.
- Linting with security rules — ESLint security plugins, Semgrep, or Bandit (Python) can flag insecure patterns in real time.
- Keep pre-commit hooks under 10 seconds. Anything longer and developers will bypass them with
--no-verify.
Practical note: Do not rely solely on pre-commit hooks. They run on developer machines and can be skipped. Every check that runs locally must also run in CI as a backstop.
Layer 2: Pull Request Checks (The Fast Gate)
This is where you get the best return on investment. Every PR should trigger:
Static Application Security Testing (SAST)
- Tools: Semgrep, SonarQube, CodeQL (GitHub native), or Checkmarx.
- Run SAST on the diff only where possible, not the entire codebase. This keeps scan times under two minutes for most repositories.
- Configure severity thresholds: block on critical and high, warn on medium, ignore low in the PR gate. Developers stop reading findings when 90% are noise.
Software Composition Analysis (SCA)
- Tools: Snyk, Dependabot, Trivy (for lockfile scanning), or OWASP Dependency-Check.
- SCA scans your dependency tree for known CVEs. This is non-negotiable — supply chain attacks are the fastest-growing attack vector.
- Configure auto-fix PRs for patch-level updates. Manual triage only for major version bumps.
Secret Detection (CI Backstop)
- Run gitleaks or detect-secrets as a CI step, scanning the full diff.
- This catches secrets that slipped past the pre-commit hook (or were committed by someone who bypassed it).
- Block the PR immediately on any secret detection. There is no severity threshold here — a leaked secret is always critical.
Infrastructure-as-Code Scanning
- Tools: Checkov, tfsec, KICS.
- If the PR contains Terraform, Bicep, Dockerfiles, or Kubernetes manifests, scan them for misconfigurations.
- Focus on high-impact rules: public storage buckets, overly permissive IAM, unencrypted databases, containers running as root.
Layer 3: Build and Container Scanning
Once the code is merged and a container image is built:
Container Image Scanning
- Tools: Trivy, Grype, Snyk Container, or Microsoft Defender for Containers.
- Scan the built image, not just the Dockerfile. Base image vulnerabilities only surface after the build.
- Enforce a policy: no critical CVEs in production images. Give teams a defined remediation window (e.g., 72 hours) for high severity findings before blocking.
- Scan images in the registry on a scheduled basis, not just at build time. New CVEs are published daily against existing images.
SBOM Generation
- Generate a Software Bill of Materials (SBOM) for every production image using Syft or Trivy.
- Store SBOMs alongside the image in your registry. When a new zero-day drops, you need to know within minutes which running services are affected.
Layer 4: Pre-Deployment Gate (The Slow Gate)
This is the one gate where you can afford longer-running checks because it does not block developer flow — it blocks deployment.
Dynamic Application Security Testing (DAST)
- Tools: OWASP ZAP, Nuclei, Burp Suite Enterprise.
- Run DAST against a staging or preview environment, not in the PR pipeline. DAST scans take 10-30 minutes and require a running application.
- Start with an API scan (faster, more targeted) before adding full crawl-based scanning.
- Feed DAST results into the same dashboard as SAST/SCA findings so developers have one place to look.
Compliance-as-Code Checks
- Verify that deployment manifests meet compliance requirements: resource limits set, network policies present, pod security standards enforced.
- Tools: OPA/Gatekeeper, Kyverno, or custom admission webhooks.
- Map checks to specific compliance frameworks (SOC 2, ISO 27001, BSI C5) so audit evidence is generated automatically.
The Developer Experience Layer
None of the above matters if developers cannot act on the findings.
- Centralise results in a single dashboard (Snyk, DefectDojo, or a custom aggregation). Developers should not need to check five different tools.
- Provide fix guidance, not just vulnerability descriptions. "Update
lodashto 4.17.21" is actionable. "CVE-2021-23337 detected" is not. - Track mean time to remediation (MTTR) as a key metric. If MTTR is growing, your security gates are producing findings faster than teams can fix them — that is a process problem, not a tooling problem.
- Suppress false positives centrally and version the suppressions. Nothing erodes trust faster than repeatedly triaging the same false positive.
A Practical Pipeline Architecture
Here is a concrete pipeline layout we deploy for Azure DevOps and GitHub Actions environments:
| Stage | Tools | Runs When | Blocks |
|---|---|---|---|
| Pre-commit | gitleaks, Semgrep | Every commit (local) | Nothing (advisory) |
| PR checks | Semgrep, Snyk, Checkov, gitleaks | Every PR | Merge (on critical/high) |
| Build | Trivy image scan, Syft SBOM | Every merge to main | Release (on critical) |
| Pre-deploy | ZAP API scan, OPA policies | Before production deploy | Deployment |
| Runtime | Defender for Containers, Falco | Continuous | Alerts to SOC |
Avoiding Common Pitfalls
- Do not scan everything everywhere. DAST in a PR pipeline is waste. SAST in a nightly batch is too late.
- Do not enable every rule on day one. Start with critical severity only, build team confidence, then tighten.
- Do not treat security tooling as set-and-forget. Rules need tuning, suppressions need review, and thresholds need adjustment as the codebase matures.
The goal is not a pipeline that catches everything. It is a pipeline that catches the right things at the right time, with output that developers trust enough to act on.
Building a DevSecOps pipeline for your organisation? Talk to our team — we design and implement these across Azure, AWS, and hybrid environments.