--- id: wiki-2026-0508-ai-코드-리뷰-및-보안-취약점-점검-devsecops title: AI Code Review + DevSecOps category: 10_Wiki/Topics status: verified canonical_id: self aliases: [DevSecOps with AI, AI security review, hybrid code review, shift-left security] duplicate_of: none source_trust_level: B confidence_score: 0.85 verification_status: conceptual tags: [devsecops, ai-code-review, sast, security, shift-left, owasp, ci-cd] raw_sources: [] last_reinforced: 2026-05-09 github_commit: pending inferred_by: Claude Opus 4.7 (manual cleanup 2026-05-09) --- # AI Code Review + DevSecOps ## 📌 한 줄 통찰 > **Shift-left security**. 매 SDLC 의 early 의 SAST + AI review + human. 매 mechanical 의 AI, 매 architectural 의 human. ## 📖 핵심 ### Hybrid model - **AI**: pattern matching, syntax, known CVE. - **Human**: business logic, architecture, novel attack. - **Together**: 매 layer 의 different defect class. ### Shift-left phases #### IDE (real-time) - 매 keystroke 의 lint / type. - Cursor / Copilot 의 inline. #### Pre-commit (local) - Husky + lint-staged. - 매 dev 의 first defense. #### PR (automated) - CodeRabbit / Greptile. - Snyk / Sonar SAST. - 매 dependency check. #### CI deep - Container scan. - Dependency vulnerability. - License check. #### Pre-deploy - Integration security test. - DAST (runtime). #### Production - WAF. - RASP (runtime application self-protection). - 매 alert / incident. ### 매 OWASP Top 10 (2021) 1. Broken Access Control. 2. Cryptographic Failures. 3. Injection (SQL, XSS, Command). 4. Insecure Design. 5. Security Misconfiguration. 6. Vulnerable Components. 7. Authentication Failures. 8. Software / Data Integrity. 9. Logging / Monitoring Failures. 10. SSRF. → 매 SAST 의 mostly cover. 매 #4 (insecure design) = human. ### Tool stack (2026) #### IDE - Cursor (AI-native). - Snyk Code IDE plugin. - GitHub Copilot Chat. #### CI / PR - CodeRabbit (LLM review). - Snyk Code (SAST). - Sonar (quality + security). - Semgrep (custom pattern). - GitHub Advanced Security (CodeQL). #### Container - Trivy (image scan). - Snyk Container. - Docker Scout. #### Dependency - Dependabot. - Renovate. - Snyk Open Source. #### Secret - TruffleHog. - GitGuardian. - 매 pre-commit hook. #### DAST - OWASP ZAP. - Burp Suite. ### 매 quality gate #### PR gate - 매 high severity 의 fail. - 매 critical CVE 의 block. - 매 secret 의 detection 의 block. #### Pre-deploy gate - 매 manual approve (high-risk). - 매 automated test 의 pass. ### Compliance #### SOC 2 - 매 audit log. - 매 access control. - 매 incident response. #### PCI DSS (payment) - 매 encryption. - 매 segmentation. #### GDPR (privacy) - 매 data minimization. - 매 consent. #### HIPAA (health) - 매 PHI handling. ### Vibe coding 의 specific risk - 매 AI-generated code 의 security blind spot. - 매 prompt injection 의 reproduce. - 매 hardcoded secret (LLM 의 example). - 매 outdated security practice. ## 💻 Code ### CI workflow ```yaml # .github/workflows/devsecops.yml on: [pull_request, push] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } # Secret scan - uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.repository.default_branch }} # SAST - uses: snyk/actions/setup@master - run: snyk code test --severity-threshold=high # Dependency - run: snyk test --severity-threshold=high # Container - run: docker build -t app . - uses: aquasecurity/trivy-action@master with: image-ref: 'app' severity: 'CRITICAL,HIGH' exit-code: '1' # SARIF upload (GitHub Security tab) - uses: github/codeql-action/upload-sarif@v3 ``` ### Custom Semgrep rule (prompt injection) ```yaml # .semgrep/prompt-injection.yaml rules: - id: llm-prompt-concat pattern-either: - pattern: | $LLM.complete($PROMPT + $USER_INPUT) - pattern: | $LLM.complete(`...${$USER_INPUT}...`) message: | Prompt injection: user input concatenated. Use template / sanitize. severity: ERROR languages: [python, javascript, typescript] ``` ### Pre-commit hook (secret + lint) ```yaml # .pre-commit-config.yaml repos: - repo: https://github.com/Yelp/detect-secrets rev: v1.4.0 hooks: - id: detect-secrets - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: - id: trailing-whitespace - id: check-yaml - repo: local hooks: - id: lint name: lint entry: npm run lint language: system ``` ### SARIF (security findings format) ```json { "version": "2.1.0", "runs": [{ "tool": { "driver": { "name": "MyScanner" } }, "results": [{ "ruleId": "sql-injection", "level": "error", "message": { "text": "SQL injection in users.ts:42" }, "locations": [{ "physicalLocation": { "artifactLocation": { "uri": "src/users.ts" }, "region": { "startLine": 42 } } }] }] }] } ``` ### Renovate (dep update + security) ```json // renovate.json { "extends": ["config:recommended", ":automergePatch"], "vulnerabilityAlerts": { "labels": ["security"], "automerge": true } } ``` ## 🤔 결정 기준 | Risk | Tool layer | |---|---| | Low (lint, style) | IDE / pre-commit | | Medium (SAST) | PR gate (Snyk / Sonar) | | High (CVE, secret) | PR block + alert | | Critical (zero-day) | Manual + emergency patch | | AI-generated code | Enhanced review | **기본값**: IDE + PR + pre-deploy 의 layered. 매 gate 의 different threshold. ## 🔗 Graph - 부모: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] · [[AI_코드_리뷰]] · [[Security]] - 변형: [[SAST]] · [[보안 및 시스템 신뢰성 표준|DAST]] · [[Shift-Left-Security]] - 응용: [[CodeRabbit]] · [[Sonar]] · [[Semgrep]] - 매 OWASP: [[OWASP Top 10]] - Adjacent: [[Dependency-Update]] · [[Secret-Detection]] ## 🤖 LLM 활용 **언제**: 매 production system 의 security strategy. 매 vibe coding 의 review. **언제 X**: 매 throwaway script. Specific compliance audit (auditor). ## ❌ 안티패턴 - **AI 만 의존**: 매 architecture flaw miss. - **Manual 만**: 매 mechanical pattern miss. - **No quality gate**: 매 vulnerability 의 ship. - **Generic alert (no severity)**: alert fatigue. - **No secret scan + AI 의 hardcode**: leak. ## 🧪 검증 / 중복 - Verified. - 신뢰도 B. - Related: [[AI_코드_리뷰]] · [[AI-Code-Assurance]] · [[OWASP-API-Top-10]]. ## 🕓 Changelog | 날짜 | 변경 | |---|---| | 2026-05-08 | Phase 1 | | 2026-05-09 | Manual cleanup — shift-left + tool stack + code + 결정 |