In DevSecOps, while SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) are commonly used in the CI (Continuous Integration) pipeline, the CD (Continuous Delivery/Deployment) pipeline focuses on security controls for the post-build, deployment, and production stages.

Common DevSecOps Security Tools Used in the CD Pipeline

• Infrastructure as Code (IaC) Security
  • Tools : Terraform Sentinel, Checkov, TFLint, AWS CloudFormation Guard
  • Purpose : Automatically scan and enforce policies on infrastructure templates before and during deployment.
• Container Image Security
  • Tools : Trivy, Clair, Anchore, Aqua Security, Prisma Cloud
  • Purpose : Scan Docker/Kubernetes images just before deployment to check for vulnerabilities and insecure configurations.
• Secrets Management & Protection
  • Tools : HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
  • Purpose : Prevent hard-coded secrets from being deployed; manage and inject secrets securely during deployment.
• Runtime Protection and Monitoring
  • Tools : Falco, Sysdig Secure, Aqua Cloud Native Security, Prisma Cloud
  • Purpose : Monitor running containers/applications for abnormal or malicious activity post-deployment.
• Deployment Gate/Policy Enforcement
  • Tools : OPA (Open Policy Agent), Kyverno, Gatekeeper
  • Purpose : Block or allow production deployments based on defined security policies and compliance checks.
• Compliance & Configuration Scanning
  • Tools : Chef InSpec, OpenSCAP, CIS-CAT
  • Purpose : Validate that deployment targets (servers, containers, cloud resources) conform to security benchmarks during delivery.
• Orchestrated Security Testing During Deployment
  • Tools : Argo CD (with security plugins), Spinnaker, Jenkins X (with policy and vulnerability gates)
  • Purpose : Automate security tests and ensure only secure builds reach production.

Example Flow

1. CI Pipeline : SAST, DAST, SCA tools check code security.
2. CD Pipeline:-
   • IaC scanner runs before applying infra changes.
   • Container/image scanner runs before pushing to registry.
   • Policy enforcement and secrets managed just before and during deployment.
   • Runtime tools monitor apps post-deployment for threats.