DevSecOps: Integrating Security into the CI/CD Pipeline
zafer ak
Author
01 November 2025
12 minute read
793 views
The shift-left security approach: SAST, DAST, dependency scanning and container security.
What is DevSecOps?
DevSecOps is a culture and a set of practices that integrates security into every stage of the software development process. With the "shift-left" approach, vulnerabilities are detected early, while they are still cheap to fix.
DevSecOps Principles
- Shift-Left Security: move security checks to the earliest stages of development
- Automation: automate manual security controls
- Continuous Monitoring: continuous monitoring and alerting
- Shared Responsibility: security is everyone's responsibility
SAST (Static Application Security Testing)
```yaml
# GitHub Actions - SAST
name: Security Scan
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Semgrep SAST
      - name: Semgrep Scan
        uses: returntocorp/semgrep-action@v1
        with:
          config: auto
      # SonarQube
      - name: SonarQube Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
Dependency Scanning
```yaml
# Dependency scanning with Snyk
- name: Snyk Security Check
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high
# npm audit
- name: NPM Audit
  run: npm audit --audit-level=high
# Composer (PHP)
- name: Security Check
  run: composer audit
```
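Vulnerability scanners such as Snyk and npm audit answer "is any dependency known to be vulnerable?"; they do not check where the dependencies were fetched from. The following is an added example, not code from the original post, of a complementary supply-chain gate that reads an npm `package-lock.json` (lockfileVersion 2 or 3, the `packages` map) and fails the build when a package lacks an integrity hash or was resolved from somewhere other than an allowed registry. The allowed-registry list and the embedded lockfile are constructed for the example.

```python
"""Lockfile supply-chain gate (added example): every dependency must be
resolved from an allowed registry and carry a subresource-integrity hash."""
import json
import sys

# Assumed policy for this example: only the public npm registry is allowed.
ALLOWED_REGISTRIES = ("https://registry.npmjs.org/",)

# Constructed sample lockfile (npm lockfileVersion 3 layout); not a real project's file.
SAMPLE_LOCK = json.dumps({
    "name": "myapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "myapp", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructedhash",
        },
        # resolved from an unapproved plain-HTTP mirror and has no integrity hash
        "node_modules/evil-util": {
            "version": "0.0.1",
            "resolved": "http://mirror.internal.example/evil-util-0.0.1.tgz",
        },
        # git dependency: bypasses the registry entirely
        "node_modules/git-dep": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/example/git-dep.git#abc123",
            "integrity": "sha512-constructedhash2",
        },
    },
})


def check_lockfile(lock_text, allowed=ALLOWED_REGISTRIES):
    """Return a list of (package_path, problem) tuples; an empty list means the lockfile passes."""
    lock = json.loads(lock_text)
    problems = []
    for path, entry in lock.get("packages", {}).items():
        # "" is the root project itself; "link" entries are workspace symlinks
        if path == "" or entry.get("link"):
            continue
        resolved = entry.get("resolved", "")
        if not resolved:
            problems.append((path, "no resolved URL"))
        elif not resolved.startswith(allowed):
            problems.append((path, f"resolved outside allowed registry: {resolved}"))
        integrity = entry.get("integrity", "")
        if not integrity:
            problems.append((path, "missing integrity hash"))
        elif not integrity.startswith(("sha512-", "sha256-")):
            problems.append((path, f"weak or unknown integrity algorithm: {integrity[:8]}"))
    return problems


def main(argv):
    """CI entry point: python lockfile_gate.py package-lock.json"""
    with open(argv[1], encoding="utf-8") as fh:
        problems = check_lockfile(fh.read())
    for path, problem in problems:
        print(f"{path}: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step before `npm ci` so that a tampered or hand-edited lockfile fails the job before any package is installed. On the sample above it reports three problems: two for `evil-util` (unapproved registry, no integrity hash) and one for `git-dep` (not a registry tarball).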
Container Security
```yaml
# Container scanning with Trivy
- name: Trivy Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: "myapp:${{ github.sha }}"
    format: "sarif"
    output: "trivy-results.sarif"
    severity: "CRITICAL,HIGH"
```
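The Trivy step above writes its findings to `trivy-results.sarif`, and SAST tools such as Semgrep can emit the same SARIF format, so one gate can enforce a severity policy for both. The following is an added example, not part of the original post, of such a gate: it walks every run and result in a SARIF 2.1.0 document, takes the result's `level` (falling back to the rule's `defaultConfiguration`), reads the optional `security-severity` score that GitHub code scanning recognises on rule properties, and blocks the build when either exceeds the threshold. The embedded SARIF document and its `EXAMPLE-VULN-*` rule ids are constructed for the example.

```python
"""SARIF severity gate (added example): fail the build when findings at or
above a chosen level, or with a high security-severity score, are present."""
import json
import sys

# SARIF result levels, lowest to highest.
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}

# Constructed SARIF 2.1.0 document; rule ids are placeholders, not real advisories.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-scanner", "rules": [
            {"id": "EXAMPLE-VULN-1", "properties": {"security-severity": "9.8"}},
            {"id": "EXAMPLE-VULN-2", "properties": {"security-severity": "4.0"}},
            {"id": "EXAMPLE-VULN-3",
             "defaultConfiguration": {"level": "warning"},
             "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-VULN-1", "level": "error",
             "message": {"text": "constructed critical finding"}},
            {"ruleId": "EXAMPLE-VULN-1", "level": "error",
             "message": {"text": "same rule, second location"}},
            {"ruleId": "EXAMPLE-VULN-2", "level": "warning",
             "message": {"text": "constructed medium finding"}},
            {"ruleId": "EXAMPLE-VULN-3",
             "message": {"text": "no level set; falls back to the rule default"}},
        ],
    }],
})


def gate(sarif_text, fail_level="error", fail_score=7.0):
    """Return (blocked, summary): summary maps ruleId -> number of blocking findings."""
    doc = json.loads(sarif_text)
    blocking = {}
    for run in doc.get("runs", []):
        rules = {r.get("id"): r
                 for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown")
            rule = rules.get(rule_id, {})
            # Level on the result wins; otherwise use the rule's default; SARIF's default is "warning".
            level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            score = rule.get("properties", {}).get("security-severity")
            by_level = LEVEL_RANK.get(level, 0) >= LEVEL_RANK[fail_level]
            by_score = score is not None and float(score) >= fail_score
            if by_level or by_score:
                blocking[rule_id] = blocking.get(rule_id, 0) + 1
    return bool(blocking), blocking


def main(argv):
    """CI entry point: python sarif_gate.py trivy-results.sarif"""
    with open(argv[1], encoding="utf-8") as fh:
        blocked, summary = gate(fh.read())
    for rule_id, count in sorted(summary.items()):
        print(f"{rule_id}: {count} blocking finding(s)")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the defaults (`error` level or a score of 7.0 and above) the sample blocks on `EXAMPLE-VULN-1` twice and on `EXAMPLE-VULN-3` once; the latter is caught only through its score, which is why reading `security-severity` matters when a scanner downgrades the `level`. Lowering `fail_level` to `warning` makes every result in the sample blocking.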
```dockerfile
# Dockerfile best practices: multi-stage build, minimal distroless runtime, non-root user
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# --only=production is deprecated on npm 8+; the equivalent is: npm ci --omit=dev
RUN npm ci --only=production
# Copy the application source (use a .dockerignore so node_modules, .git and .env files stay out)
COPY . .

FROM gcr.io/distroless/nodejs20
COPY --from=builder /app /app
USER nonroot
CMD ["app/server.js"]
```
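Practices like the ones in the Dockerfile above are easy to state and easy to regress; a pre-build policy check catches the regression before the image is ever scanned. The following is an added example, not code from the original post, of a small Dockerfile checker for four rules: a pinned base image (no untagged or `:latest` references), a non-root `USER` in the final stage, `COPY` instead of `ADD`, and no secret-looking `ENV`/`ARG` names baked into image metadata. Run on the Dockerfile from the post it reports one finding: `gcr.io/distroless/nodejs20` carries no tag or digest, so it silently resolves to `:latest`. The second, failing Dockerfile is constructed for the example.

```python
"""Dockerfile policy check (added example): pinned base image, non-root
final stage, COPY rather than ADD, no secret-looking ENV/ARG names."""
import re
import sys

SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)", re.I)

# The Dockerfile from the post above, used here as sample input.
PAGE_DOCKERFILE = """\
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM gcr.io/distroless/nodejs20
COPY --from=builder /app /app
USER nonroot
CMD ["app/server.js"]
"""

# Constructed counter-example that violates every rule.
BAD_DOCKERFILE = """\
FROM node:latest
ADD https://example.invalid/app.tar.gz /app/
ENV API_KEY=placeholder-not-a-real-key
RUN npm install && \\
    npm run build
CMD ["node", "server.js"]
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations, skips blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        inst, _, arg = (buf + line).partition(" ")
        buf = ""
        yield inst.upper(), arg.strip()


def check_dockerfile(text):
    """Return a list of human-readable findings; an empty list means the Dockerfile passes."""
    findings = []
    user = None  # user in effect for the current stage; only the last stage ships
    for inst, arg in parse_instructions(text):
        if inst == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            name = image.rsplit("/", 1)[-1]  # strip registry/namespace before checking the tag
            if image.lower() == "scratch":
                pass
            elif ":" not in name and "@" not in name:
                findings.append(f"FROM {image}: no tag or digest (resolves to :latest)")
            elif name.endswith(":latest"):
                findings.append(f"FROM {image}: ':latest' is not a pinned tag")
            user = None  # every stage starts as root again
        elif inst == "USER":
            user = arg.split(":")[0]
        elif inst in ("ENV", "ARG"):
            keys = re.findall(r"(\w+)=", arg) or arg.split()[:1]
            for key in keys:
                if SECRET_NAME.search(key):
                    findings.append(f"{inst} {key}: secret-looking name baked into image metadata")
        elif inst == "ADD":
            findings.append(f"ADD {arg}: prefer COPY (ADD fetches URLs and auto-extracts archives)")
    if user is None or user in ("root", "0"):
        findings.append("final stage runs as root: add a USER directive before CMD/ENTRYPOINT")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "Dockerfile"
    with open(path, encoding="utf-8") as fh:
        results = check_dockerfile(fh.read())
    print("\n".join(results) or "OK")
    sys.exit(1 if results else 0)
```

The `USER` state is reset on every `FROM` because each stage starts as root; a `USER` in the builder stage says nothing about the image that is actually shipped.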
Secret Scanning
```yaml
# Gitleaks
- name: Gitleaks Scan
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# TruffleHog
- name: TruffleHog Scan
  uses: trufflesecurity/trufflehog@main
  with:
    extra_args: --only-verified
```
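Gitleaks and TruffleHog combine two techniques: regular expressions for well-known token formats, and an entropy check to separate real secrets from placeholders in generic `password=`-style assignments. The following is an added example, not code from the original post or from either tool, that shows both techniques on a handful of constructed lines: two format-specific patterns (an AWS access key id and a GitHub personal access token prefix) and one generic assignment pattern filtered by Shannon entropy. The sample values are constructed; the AWS key is the documentation placeholder and the GitHub token is made up.

```python
"""Secret detection (added example): format-specific patterns first, then a
generic assignment pattern gated on Shannon entropy to suppress placeholders."""
import math
import re

# Format-specific detectors: a match here is reported regardless of entropy.
SPECIFIC = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic "name = value" detector; group 2 is the candidate value.
GENERIC = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)

# Constructed sample input; nothing here is a live credential.
SAMPLE = """\
# constructed sample, not a real repository
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_012345678901234567890123456789abcdef
db_password = "changeme"
api_key: "xK9v2LmQ7pR4tW8yB3nH6jF1"
secret = os.environ["APP_SECRET"]
"""


def shannon_entropy(s):
    """Bits of entropy per character; random tokens sit around 4-5, English words near 2-3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Never echo the full candidate secret into CI logs."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text, entropy_threshold=3.5):
    """Return a list of (line_number, rule_name, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched_specific = False
        for name, pattern in SPECIFIC.items():
            m = pattern.search(line)
            if m:
                findings.append((lineno, name, redact(m.group(0))))
                matched_specific = True
        if matched_specific:
            continue  # do not double-report the same token under the generic rule
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((lineno, "generic-assignment", redact(m.group(2))))
    return findings


if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

On the sample, lines 2, 3 and 5 are reported; `"changeme"` on line 4 and the `os.environ[...]` lookup on line 6 fall below the entropy threshold and are dropped, which is the false-positive control `--only-verified` goes one step further on by actually validating the credential.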
DAST (Dynamic Application Security Testing)
```yaml
# OWASP ZAP
- name: ZAP Scan
  uses: zaproxy/[email protected]
  with:
    target: "https://staging.example.com"
    rules_file_name: ".zap/rules.tsv"
# Nuclei
- name: Nuclei Scan
  run: |
    nuclei -u https://staging.example.com \
      -t nuclei-templates/ \
      -severity critical,high
```
Security Pipeline Example
The job graph below (the `needs` keys) is what turns the individual scans into a gate: a failed SAST or dependency job stops the container scan, which stops the staging deployment, which stops DAST, which stops production.
```yaml
name: Full Security Pipeline
jobs:
  sast:
    # Static analysis
  dependency-check:
    # Dependency scanning
  container-scan:
    needs: [sast, dependency-check]
    # Container security
  deploy-staging:
    needs: container-scan
  dast:
    needs: deploy-staging
    # Dynamic testing
  deploy-production:
    needs: dast
    if: success()
```
Conclusion
DevSecOps makes security "built-in" rather than "bolt-on". Provide continuous protection with security tools integrated into the CI/CD pipeline.