---
id: wiki-2026-0508-devsecops-framework
title: DevSecOps Framework
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [DevSecOps, Shift-Left Security, Secure SDLC]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [devsecops, security, shift-left, sdlc]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: applied
tech_stack:
  language: YAML/Python
  framework: GitHub Actions/Semgrep/Trivy
---

# DevSecOps Framework

## One line

> **"Security becomes an automated check that runs every day, starting at the PR stage."**

DevSecOps is a shift-left framework that embeds a security control into each step of the eight-stage plan → code → build → test → release → deploy → operate → monitor loop. The 2026 baseline stack: SAST + SCA + IaC scan + secret scan + DAST + RASP + supply chain (SLSA L3) + an ASPM platform that aggregates the output of all of them.

## Core

### 8-stage embed

1. **Plan**: threat model (STRIDE), security stories written alongside user stories.
2. **Code**: IDE plugins (Semgrep, SonarLint), pre-commit hooks (lint-staged + secret scan).
3. **Build**: SBOM (Syft), reproducible builds, artifact signing (cosign).
4. **Test**: SAST (Semgrep, CodeQL), SCA (Trivy, Snyk), IaC (Checkov).
5. **Release**: provenance (SLSA), policy as code (OPA; enforced in the cluster by Gatekeeper).
6. **Deploy**: admission control, signed-image verification, secrets injected from Vault rather than baked into images.
7. **Operate**: RASP, WAF, runtime detection (Falco).
8. **Monitor**: SIEM (Splunk), anomaly detection, incident response.

### Tool categories 2026

- **SAST**: Semgrep, CodeQL, Snyk Code.
- **SCA**: Trivy, Snyk Open Source, Dependabot.
- **DAST**: ZAP, Burp, Nuclei.
- **IaC**: Checkov, tfsec (its checks now live in Trivy), KICS.
- **Secret scan**: gitleaks, TruffleHog.
- **Container**: Trivy, Grype.
- **K8s**: kube-bench, Falco, Kyverno.
- **ASPM**: Phoenix, Apiiro, ArmorCode: aggregate the findings of the tools above, dedupe them and prioritise.

### Applications

1. Secure SDLC for a web app.
2. K8s cluster hardening.
3. Cloud infrastructure (Terraform/Pulumi) compliance.
4. Container registry policy.
5. Supply-chain integrity (SLSA L3).
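Stage 6 (Deploy) requires that every image comes from an approved registry and that the signature check at admission has something immutable to verify. The pre-deploy check below is an added example, not code from this page or from any tool it names: it applies the registry allowlist used by the Rego pattern in the Patterns section and adds digest pinning, which keyless cosign verification depends on. The `ghcr.io/myorg/` prefix, the sample Deployment and its digest are constructed assumptions. It goes beyond the Rego rule in two ways a practitioner usually wants: it parses image references the way the container runtime does (one-word names resolve to `docker.io/library/`, a `:` after the last `/` starts the tag), and it walks init and ephemeral containers, which a policy that only reads `spec.containers` silently misses.

```python
"""Pre-deploy image policy check for Kubernetes manifests.

Added example, not code from the page or from any project it names. It enforces
the same rule as the Rego pattern on this page (images must come from
ghcr.io/myorg/) and adds digest pinning, which cosign verification at admission
depends on. The allowlist prefix, the sample Deployment and its digest are
constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

ALLOWED_PREFIXES = ("ghcr.io/myorg/",)          # assumption: mirrors the Rego policy
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
MUTABLE_TAGS = {None, "latest"}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    name: str                  # repository path without registry, e.g. "myorg/app"
    tag: Optional[str]
    digest: Optional[str]


def parse_image(ref: str) -> ImageRef:
    """Split an OCI image reference using Docker's registry heuristic: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on docker.io (library/ for one-word names)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):               # a ':' after the last '/' starts the tag
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> list:
    """Return policy violations for one image reference (empty list means pass)."""
    img = parse_image(ref)
    full = f"{img.registry}/{img.name}"
    problems = []
    if not full.startswith(ALLOWED_PREFIXES):
        problems.append(f"{ref}: repository {full!r} not in approved registry list")
    if img.digest is None:
        problems.append(f"{ref}: not pinned by digest")
        if img.tag in MUTABLE_TAGS:               # a tag can be re-pointed after signing
            problems.append(f"{ref}: mutable tag {img.tag or '(none)'}")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"{ref}: malformed digest {img.digest!r}")
    return problems


def pod_spec(manifest: dict) -> dict:
    """Locate the PodSpec inside the common workload kinds."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return spec["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def check_manifest(manifest: dict) -> list:
    """Check every container, including init and ephemeral containers, which a
    policy that only walks spec.containers would silently miss."""
    pod = pod_spec(manifest)
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod.get(field, []):
            violations += check_image(c["image"])
    return violations


# Constructed sample: the app container is compliant; the init container is pulled
# from an unapproved registry by a mutable tag. The digest value is synthetic.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "docker.io/myorg/migrate:latest"}],
        "containers": [{"name": "app", "image": "ghcr.io/myorg/app:1.4.2@sha256:" + "ab" * 32}],
    }}},
}

if __name__ == "__main__":
    for v in check_manifest(SAMPLE_DEPLOYMENT):
        print("DENY", v)
```

Run it against a rendered manifest (for example the output of `helm template` or `kustomize build`, parsed into a dict) before `kubectl apply`; the sample Deployment yields three violations, all on the init container. Keep the allowlist a prefix on `registry/repository`, not on the raw string, so `ghcr.io/myorg.evil/...` and `docker.io/ghcr.io/...` do not slip through.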
## 💻 Patterns

### GitHub Actions DevSecOps gate

```yaml
name: secure-pr
on: pull_request
# Least privilege: contents:read for checkout, security-events:write only because
# the scanners can upload SARIF. id-token:write belongs in the signing job, not here.
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}      # gitleaks-action v2 requires it
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }                      # full history so gitleaks sees every PR commit
      - uses: gitleaks/gitleaks-action@v2             # secrets
      - run: |                                        # SAST (returntocorp/semgrep-action is archived)
          python3 -m pip install semgrep
          semgrep scan --config p/owasp-top-ten --config p/security-audit --error
      - uses: aquasecurity/trivy-action@master        # SCA on the repo; pin @master to a SHA in production
        with:
          scan-type: fs
          severity: CRITICAL,HIGH
          exit-code: '1'
      - uses: bridgecrewio/checkov-action@master      # IaC
        with: { directory: . }
```

`scan-type: fs` covers lockfiles and IaC in the repo; scan the built image separately with `scan-type: image` after the build job.

### Pre-commit secret scan

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```

### OPA admission policy (K8s)

```rego
package k8s.image

# Gatekeeper ConstraintTemplate rule. Bind the container once so the check and
# the message refer to the same element; indexing containers[_] twice, as the
# earlier draft did, never tied the message to the failing container.
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  image := container.image
  not startswith(image, "ghcr.io/myorg/")
  msg := sprintf("container %q: image %q must come from the approved registry", [container.name, image])
}
```

The same rule must also cover `spec.initContainers` and `spec.ephemeralContainers`; an allowlist that only reads `spec.containers` is bypassed by an init container.

### Cosign verify in admission

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: myorg-keyless
spec:
  images:
    - glob: "ghcr.io/myorg/**"
  authorities:
    - keyless:
        identities:
          # `subject` is an exact match; a pattern needs `subjectRegExp`.
          # Tighten this to the signing workflow's exact identity in production.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: ".*myorg/.*"
```

### Falco runtime detection rule

```yaml
- rule: Shell in container
  desc: Detect a shell being spawned inside a container
  # spawned_process (execve) and container are macros from Falco's default rules;
  # without spawned_process the rule fires on every syscall a running shell makes.
  condition: spawned_process and container and proc.name in (bash, sh, zsh)
  output: "Shell %proc.name spawned in container=%container.name image=%container.image.repository user=%user.name cmd=%proc.cmdline"
  priority: WARNING
  tags: [container, shell]
```

### SBOM + provenance attestation

```bash
syft scan oci-archive:./image.tar -o spdx-json > sbom.spdx.json      # source scheme is oci-archive:, not oci:
cosign attest --predicate sbom.spdx.json --type spdxjson ghcr.io/org/app@sha256:...
cosign verify-attestation --type spdxjson --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/org/' ghcr.io/org/app@sha256:...   # identity regexp is illustrative; bind it to the signing workflow
```

## Decision criteria

| Situation | Tool stack |
|---|---|
| TS/Python monorepo | Semgrep + Trivy + gitleaks |
| Terraform cloud infra | Checkov + tfsec (or Trivy's IaC scanner) |
| K8s cluster | Falco + Kyverno + cosign |
| Compliance heavy | ASPM platform (Phoenix/Apiiro) |
| Air-gapped / regulated | Self-hosted Semgrep + mirrored Trivy DB |

**Default**: Semgrep + Trivy + gitleaks + Checkov + cosign + Falco.

## 🔗 Graph

- Parent: [[보안 및 시스템 신뢰성 표준|OWASP Top 10]] · [[안전한 소프트웨어 개발 수명주기(SSDLC)]]
- Variants: [[애플리케이션_보안_태세_관리ASPM]]
- Applications: [[SAST]] · [[보안 및 시스템 신뢰성 표준|DAST]] · [[SCA_Fundamentals|SCA]] · [[Secret_Management]]
- Adjacent: [[보안 및 시스템 신뢰성 표준|Zero-Trust Architecture]] · [[CI_CD_Pipeline]]

## 🤖 LLM usage

**When**: vulnerability triage, false-positive filtering, drafting remediation PRs, threat-model brainstorming.

**When not**: the scan itself; specialised engines are faster, more accurate and deterministic.

## ❌ Anti-patterns

- **Security as gate-only**: the pipeline only produces an alert flood with no fix automation (auto-upgrade PRs, autofix rules).
- **Tool sprawl**: five SAST engines produce noise, not coverage; dedupe through ASPM.
- **No baseline**: every legacy CVE surfaces as critical on day one; accept with an owner and an expiry, then monitor.
- **Bypass culture**: developers sprinkle `// eslint-disable security/*` and the guard is neutralised; suppressions need a justification and a reviewer.

## 🧪 Verification / duplicates

- Verified against: NIST SSDF SP 800-218; OWASP DevSecOps Maturity Model; SLSA v1.0; Falco docs.
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: 8-stage model + 2026 tool stack |
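The "no baseline" and "tool sprawl" anti-patterns both come down to how the gate consumes scanner output. The script below is an added example, not code from this page or from Trivy or gitleaks: it merges a Trivy report and a gitleaks report into one finding per dedupe key, applies an accepted-risk baseline whose entries carry an owner, a reason and an expiry date, and blocks only on gate-severity findings that no still-valid entry covers. Field names follow the JSON reports of Trivy (`Results[].Vulnerabilities[]`) and gitleaks (a list with `RuleID`/`File`/`Fingerprint`); the reports, the `CVE-0000-*` identifiers, the baseline entries and the dates are all constructed. Expired entries are reported on their own so that "accept" is a dated decision rather than a permanent mute.

```python
"""CI security gate with an expiring risk baseline.

Added example, not code from the page or from any tool it names. It shows the
'accept + monitor' baseline and 'dedupe across tools' points from the
anti-patterns above as working logic. Field names follow Trivy's JSON report
(Results[].Vulnerabilities[]) and gitleaks' JSON report (a list of findings with
RuleID/File/Fingerprint); the reports, CVE IDs, baseline entries and dates below
are constructed and not real.
"""
import sys
from datetime import date
from typing import Optional

GATE_SEVERITIES = {"CRITICAL", "HIGH"}   # same threshold as the Trivy step in the PR workflow

# Constructed Trivy report: the same lodash CVE is reported twice (lockfile scan and
# image scan), which without dedupe shows up as two findings to triage.
TRIVY_REPORT = {"Results": [
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20",
         "FixedVersion": "4.17.21", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "InstalledVersion": "1.2.5",
         "FixedVersion": "", "Severity": "MEDIUM"}]},
    {"Target": "app:1.4.2 (alpine 3.19)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20",
         "FixedVersion": "4.17.21", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl", "InstalledVersion": "3.1.4-r5",
         "FixedVersion": "3.1.4-r6", "Severity": "CRITICAL"}]},
]}

# Constructed gitleaks report (one hit on a test fixture).
GITLEAKS_REPORT = [{"RuleID": "generic-api-key", "File": "tests/fixtures/fake_key.txt",
                    "StartLine": 3,
                    "Fingerprint": "deadbeef:tests/fixtures/fake_key.txt:generic-api-key:3"}]

# Accepted-risk baseline keyed by the dedupe key. Every entry needs an owner, a
# reason and an expiry, so 'accept' is a dated decision rather than a permanent mute.
BASELINE = {
    "CVE-0000-0001::lodash": {"owner": "team-web", "reason": "sink not reachable; upgrade scheduled",
                              "expires": "2026-06-30"},
    "deadbeef:tests/fixtures/fake_key.txt:generic-api-key:3": {
        "owner": "team-sec", "reason": "test fixture, not a live credential", "expires": "2027-01-01"},
}


def normalize(trivy: dict, gitleaks: list) -> dict:
    """Flatten both reports into one finding per dedupe key.

    Trivy findings dedupe on CVE + package, so the same CVE seen by several scan
    targets is one decision; gitleaks findings use its stable Fingerprint."""
    findings = {}
    for result in trivy.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = f"{v['VulnerabilityID']}::{v['PkgName']}"
            entry = findings.setdefault(key, {"severity": v["Severity"],
                                              "fixable": bool(v.get("FixedVersion")), "targets": []})
            entry["targets"].append(result["Target"])
    for leak in gitleaks:   # any committed secret gates, whatever the rule
        findings.setdefault(leak["Fingerprint"], {"severity": "CRITICAL", "fixable": True,
                                                  "targets": [leak["File"]]})
    return findings


def evaluate(findings: dict, baseline: dict, today_iso: str) -> dict:
    """Decide what blocks the PR: gate-severity findings not covered by a still-valid
    baseline entry. Expired entries are listed separately so the team sees which
    accepted risks came due."""
    today = date.fromisoformat(today_iso)
    blocking, suppressed, expired = [], [], []
    for key, f in findings.items():
        if f["severity"] not in GATE_SEVERITIES:
            continue
        entry = baseline.get(key)
        if entry is None:
            blocking.append(key)
        elif date.fromisoformat(entry["expires"]) < today:
            expired.append(key)
            blocking.append(key)
        else:
            suppressed.append(key)
    return {"blocking": sorted(blocking), "suppressed": sorted(suppressed), "expired": sorted(expired)}


def gate(today_iso: Optional[str] = None) -> int:
    """Return the exit code the CI job should use (0 pass, 1 block)."""
    verdict = evaluate(normalize(TRIVY_REPORT, GITLEAKS_REPORT), BASELINE,
                       today_iso or date.today().isoformat())
    for key in verdict["blocking"]:
        print(f"BLOCK {key}" + (" (baseline expired)" if key in verdict["expired"] else ""))
    for key in verdict["suppressed"]:
        print(f"ACCEPTED {key} until {BASELINE[key]['expires']} ({BASELINE[key]['owner']})")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    sys.exit(gate())
```

With the constructed data the gate blocks on the openssl CRITICAL, suppresses the lodash HIGH and the fixture secret under their baseline entries, and ignores the MEDIUM; run it with a date past 2026-06-30 and the lodash entry expires and starts blocking again. In a real pipeline the two reports come from `trivy ... -f json` and `gitleaks detect -f json`, and the baseline file lives in the repo so that adding an exception is itself a reviewed PR.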