Pipeline Security

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Repository Security | Branch protection, commit signing (GPG or SSH keys), CODEOWNERS, access controls, audit logs. | Critical | DevSecOps, Platform Engineer |
| Secret Scanning | gitleaks, truffleHog, git-secrets, pre-commit hooks, GitHub secret scanning, remediation (rotate the exposed credential, then purge history). | Critical | DevSecOps, Security Engineer |
| CI/CD Pipeline Hardening | Least privilege for workflow tokens, ephemeral credentials (OIDC federation to cloud providers instead of stored long-lived keys), runner security, audit logging, artifact signing. | Critical | DevSecOps, Platform Engineer |
| SAST Integration | SonarQube, Semgrep, CodeQL, Bandit, security gates that fail the build on severity thresholds, false positive management (suppressions with justification and expiry). | High | DevSecOps, Application Security |
| DAST Integration | OWASP ZAP, Burp Suite in CI, authenticated scanning, API scanning, dynamic testing against deployed environments. | High | DevSecOps, Application Security |
| Container Scanning in CI | Trivy, Grype, image scanning in pipelines, vulnerability thresholds, registry scanning. | High | DevSecOps, Platform Engineer |
| IaC Security Scanning | Checkov, tfsec (now folded into Trivy), KICS, terraform-compliance, pre-commit for Terraform, Kubernetes manifest scanning. | High | DevSecOps, Platform Engineer |
| Pre-commit Hooks | pre-commit framework, security hooks, linting, formatting, secret detection, local enforcement before code reaches the remote. | High | DevSecOps, Developer |
| Protected Environments | Environment approvals, deployment gates, production protections, rollback capabilities. | High | DevSecOps, Platform Engineer |
| Pipeline Observability | Build metrics, security findings dashboards, trend analysis, SLA tracking for remediation. | Medium | DevSecOps, Platform Engineer |
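The Secret Scanning and Pre-commit Hooks rows above describe local enforcement with tools such as gitleaks and detect-secrets. The following is an added example, not code from this page or from any of those tools: a self-contained pre-commit hook in Python that mirrors how they work, combining prefix-anchored signature regexes (near-zero false positives) with a generic assignment rule that only fires on long, high-entropy values, plus an inline `pragma: allowlist secret` marker for triaged false positives. It assumes it is wired up from `.git/hooks/pre-commit` or a pre-commit `repo: local` entry and reads `git diff --cached -U0`; the staged diff embedded below is constructed and every credential in it is fake.

```python
"""Pre-commit secret scanner: signature regexes plus Shannon entropy over the staged diff.

Added example (not gitleaks, detect-secrets or git-secrets code). Assumptions: invoked as a
pre-commit hook, reads `git diff --cached -U0`; SAMPLE_DIFF below is constructed test data.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

# Prefix-anchored signatures: near-zero false positives, so they block unconditionally.
SIGNATURES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# Generic rule: assignment to a secret-looking name. It only fires when the value is long
# AND high-entropy, which is what separates a placeholder like "changeme" from a real credential.
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; prose and identifiers usually sit below this
ALLOWLIST_MARKER = "pragma: allowlist secret"  # inline suppression, detect-secrets style


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # redacted so the secret is not echoed into terminal or CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    return f"{token[:4]}...{token[-2:]}" if len(token) > 8 else "***"


def scan_line(path: str, line_no: int, text: str) -> list[Finding]:
    """Apply every rule to one added line; an inline allowlist marker suppresses all of them."""
    if ALLOWLIST_MARKER in text:
        return []
    findings = []
    for name, rx in SIGNATURES:
        m = rx.search(text)
        if m:
            findings.append(Finding(path, line_no, name, redact(m.group(0))))
    m = ASSIGNMENT.search(text)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        findings.append(Finding(path, line_no, "high-entropy-assignment", redact(m.group(1))))
    return findings


def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff, scanning only added lines and tracking new-file line
    numbers from the @@ hunk headers so each finding points at the right place."""
    findings = []
    path, line_no = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\S+ \+(\d+)", raw)
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            findings.extend(scan_line(path, line_no, raw[1:]))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context line (absent with -U0, handled anyway)
    return findings


# Constructed staged diff for the demo; every value in it is fake.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "defaultdefaultdefault"
+API_TOKEN = "q8Zr2vLp0xYbN4mKwE7tHs9uJf3cGd1A"
@@ -30,0 +34,1 @@
+TEST_SECRET = "AbCdEfGhIjKlMnOpQrStUvWxYz012345"  # pragma: allowlist secret
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
"""


def staged_diff() -> str:
    out = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def main(argv: list[str]) -> int:
    diff = SAMPLE_DIFF if "--demo" in argv else staged_diff()
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.excerpt}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit makes git abort the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--demo` to see three findings (the AWS key ID, the 32-character API token, the private key header) while the low-entropy placeholder password and the allowlisted test value pass. The two-layer design matters in practice: signature rules alone miss generic credentials, while entropy alone drowns developers in false positives from hashes and base64 blobs, which is why the generic rule is gated on a secret-looking variable name.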

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| Repository Security (.gitignore Security) | Intermediate | Systematic .gitignore patterns for secrets, credentials, environment files across all repositories; pre-commit awareness for secret detection | Git Security Reference | No pre-commit hooks for secret scanning (detect-secrets, gitleaks), no git-secrets |
| CI/CD Pipeline Hardening | — | — | — | No hands-on experience with enterprise CI/CD security |
| SAST/DAST Integration | — | — | — | No SAST/DAST tooling implementation |
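The SAST Integration and Container Scanning rows in the Body of Knowledge list security gates, vulnerability thresholds and false positive management without showing what a gate does. The following is an added example, not code from this page, from Semgrep, CodeQL, Trivy, or any CI platform: a gate that consumes SARIF 2.1.0 (which Semgrep, CodeQL and Trivy can all emit), derives a severity from the rule's `security-severity` score using GitHub's bands (9.0+ critical, 7.0+ high, 4.0+ medium) with the SARIF `level` as fallback, and fails the build on findings at or above a threshold unless a suppression covers them. The suppressions file format is invented for this example and requires both a justification and an expiry date, so an old triage decision cannot hide a finding silently or forever. The SARIF report and suppressions embedded below are constructed.

```python
"""CI security gate: severity thresholds plus justified, expiring suppressions over SARIF.

Added example (not Semgrep, CodeQL, Trivy or CI-platform code). Assumptions: SARIF 2.1.0
input, GitHub's 'security-severity' bands, an invented suppressions format, constructed data.
"""
import sys
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def severity_of(result: dict, rules_by_id: dict) -> str:
    """Prefer the rule's CVSS-like 'security-severity' score; fall back to the result level."""
    props = rules_by_id.get(result.get("ruleId"), {}).get("properties", {})
    score = props.get("security-severity")
    if score is not None:
        s = float(score)
        return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def load_findings(sarif: dict) -> list[dict]:
    """Flatten every run's results into (tool, rule, severity, path, line) records."""
    findings = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules_by_id = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": driver.get("name", "unknown"),
                "rule": res.get("ruleId", "unknown"),
                "severity": severity_of(res, rules_by_id),
                "path": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return findings


def active_suppressions(suppressions: list[dict], today: date) -> dict:
    """Only justified, unexpired entries count; the rest are ignored rather than honoured."""
    return {
        (s["rule"], s["path"]): s
        for s in suppressions
        if s.get("reason", "").strip() and date.fromisoformat(s["expires"]) >= today
    }


def evaluate(sarif: dict, suppressions: list[dict], fail_on: str = "high",
             today: Optional[str] = None) -> dict:
    """Gate verdict: findings at or above fail_on that are not suppressed make passed False.
    today is an ISO date string so the gate can be evaluated as of a fixed date."""
    today_d = date.fromisoformat(today) if today else date.today()
    active = active_suppressions(suppressions, today_d)
    verdict = {"blocking": [], "suppressed": [], "informational": []}
    for f in load_findings(sarif):
        if (f["rule"], f["path"]) in active:
            verdict["suppressed"].append(f)
        elif SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]:
            verdict["blocking"].append(f)
        else:
            verdict["informational"].append(f)
    verdict["passed"] = not verdict["blocking"]
    return verdict


# Constructed SARIF report and suppressions; tool, rule names and paths are fictional.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sqli-string-concat", "properties": {"security-severity": "9.1"}},
            {"id": "hardcoded-tmp-path", "properties": {"security-severity": "3.0"}},
            {"id": "weak-hash-md5"},  # no score: severity comes from the result level
        ]}},
        "results": [
            {"ruleId": "sqli-string-concat", "level": "error", "message": {"text": "SQL built by concatenation"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash-md5", "level": "error", "message": {"text": "MD5 in use"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/cache.py"}, "region": {"startLine": 7}}}]},
            {"ruleId": "hardcoded-tmp-path", "level": "warning", "message": {"text": "/tmp path hardcoded"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/cleanup.py"}, "region": {"startLine": 3}}}]},
        ],
    }],
}
SUPPRESSIONS = [
    {"rule": "weak-hash-md5", "path": "app/cache.py", "expires": "2030-06-30",
     "reason": "MD5 only keys a local cache; no integrity or auth property depends on it"},
    {"rule": "sqli-string-concat", "path": "app/db.py", "expires": "2030-06-30", "reason": ""},  # rejected: unjustified
]


def main() -> int:
    verdict = evaluate(SAMPLE_SARIF, SUPPRESSIONS, fail_on="high", today="2025-01-01")
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:<8} {f['rule']} {f['path']}:{f['line']}", file=sys.stderr)
    print(f"blocking={len(verdict['blocking'])} suppressed={len(verdict['suppressed'])} "
          f"informational={len(verdict['informational'])}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Keying suppressions on (rule, path) rather than on a finding's line number keeps them stable across unrelated edits to the file; the expiry forces periodic re-triage, which is the part of false positive management most pipelines skip. The same gate applies unchanged to a Trivy image scan exported as SARIF, so container vulnerability thresholds and SAST gates can share one policy.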