In today's fast-paced software development landscape, delivering features quickly without compromising security is a growing challenge. Traditional security practices, often isolated at the end of the development cycle, are no longer sufficient. Enter DevSecOps, a transformative approach that embeds security into every phase of the software delivery pipeline. By integrating automated security testing and vulnerability scanning tools directly into continuous integration (CI) workflows, organizations can detect risks early, reduce remediation costs, and ensure robust application security without slowing down innovation.
Why is DevSecOps important
Shift-Left Security: DevSecOps promotes the shift-left principle, meaning security is addressed as early as possible in the development lifecycle. Early detection of vulnerabilities prevents costly fixes and reduces the risk of breaches post-deployment.
Faster, Secure Releases: Integrating security tools in CI/CD pipelines automates the detection of security flaws, enabling teams to deliver secure software at speed.
Cultural Change: It fosters collaboration between development, security, and operations teams, breaking down silos and promoting shared responsibility for security.
Compliance and Risk Management: Automated security checks help meet compliance requirements and reduce organizational risk by ensuring consistent security policy enforcement.
Cost Efficiency: Fixing vulnerabilities during development is much cheaper than patching them in production.
Retire.js
Retire.js is a Software Composition Analysis (SCA) tool. It plays a key role in automating security checks in your CI/CD pipeline by identifying known vulnerabilities in your third-party JavaScript libraries (not packages).
| Stages | Contribution |
|---|
| Developer | Warns developers early about vulnerable libraries. |
| Build | Blocks or flags builds if insecure JS is found. |
| Test | Works alongside unit and integration tests to ensure secure dependencies. |
| Deploy | Prevents known-vulnerable libraries from going to prod. |
| Monitor | Can be scheduled regularly to detect new CVEs over time. |
What Retire.js detects
Retire.js compares your libraries (from node_modules/, CDN links, or bundled JS) with a vulnerability database (similar to the NVD) and reports:
Known CVEs (e.g., prototype pollution in Lodash)
Outdated packages with security issues
Unsafe manually included libraries (like old jQuery or Bootstrap JS)
How it improves security
Stops vulnerable code from reaching production
Automates security scanning, reducing manual audits
Improves visibility of risky dependencies across teams
Enables shifting left: developers get feedback early in the cycle
Script in Azure pipeline(yaml)
- script: |
echo "Installing Retire.js..."
npm install -g retire
echo "Running Retire.js scan..."
# to make the pipeline fail when there is a vulnerability, delete the ||true at the end of the command below
retire --path . --outputformat json --outputpath retirejs-report.json || true
echo "Retire.js scan complete."
echo "---- Retire.js Report ----"
cat retirejs-report.json
displayName: 'Run Retire.js Vulnerability Scan'
# uncomment to publish result
# - task: PublishPipelineArtifact@1
# inputs:
# targetPath: 'retirejs-report.json'
# artifact: 'RetireJsReport'
# displayName: 'Publish Retire.js Scan Report'
Retire.js v/s OWASP Dependency Check
| Retire.js | OWASP dependecy check |
|---|
| Scope | Specializes in JavaScript and Node.js dependencies and also scans your source code files for vulnerable JavaScript libraries that might not be declared in package.json. | A comprehensive Software Composition Analysis (SCA) tool that scans for vulnerabilities in many kinds of dependencies across multiple languages and ecosystems â Java, .NET, JavaScript, Ruby, Python, and more. |
| How it works | It looks at your installed node modules and scans JavaScript files to detect usage of known vulnerable versions of JS libraries. | It analyzes dependency manifests and lock files (like package.json, pom.xml, package-lock.json) and tries to identify the components and versions you use. Then it matches them against public vulnerability databases like the NVD (National Vulnerability Database). |
| Strength | Focused purely on JavaScript/Node â can find vulnerabilities in both declared dependencies and direct JS files (like legacy or manually included scripts). | Covers many ecosystems in one tool; produces detailed reports (HTML, JSON, XML, SARIF). |
| Usage | Perfect for JavaScript/TypeScript projects that want to scan both node_modules and source code for vulnerable libs. | Best for projects with mixed or multiple languages or where you want a unified dependency vulnerability scan. |
Static Application Security Testing (SAST)
SAST tools analyze your source code (not dependencies) to identify potential security vulnerabilities like:
Script in Azure pipeline (yaml)
- script: |
echo "Running grep scans for unsafe code patterns..."
# Initialize a variable to track failure
EXIT_CODE=0
# Check for eval() usage - fail if found
if grep -rn --include=\*.ts --include=\*.js 'eval(' .; then
echo "ERROR: eval() usage found. Please remove eval() from your code."
EXIT_CODE=1
fi
# Check for alert() usage - fail if found
if grep -rn --include=\*.ts --include=\*.js 'alert(' .; then
echo "ERROR: alert() usage found. Please remove alert() calls."
EXIT_CODE=1
fi
# Check for insecure http calls - fail if found
if grep -rn --include=\*.ts --include=\*.js 'http://' .; then
echo "ERROR: insecure HTTP calls found. Use HTTPS instead."
EXIT_CODE=1
fi
# Check for console.log calls - fail if found
if grep -rn --include=\*.ts --include=\*.js 'console.log' .; then
echo "ERROR: console.log calls found. Please remove debug logs."
EXIT_CODE=1
fi
# if [ $EXIT_CODE -ne 0 ]; then
# echo "One or more unsafe patterns were found. Failing the build."
# exit 1
# else
# echo "No unsafe patterns found."
# fi
displayName: 'Run security lint scans with grep and fail build if found'
Why are eval, alert and others devsecops issues?
These are example of anti-pattern.
Anti-patterns are bad coding habits.
While it might seem useful or convenient at first, it usually leads to:
Poor performance
Security risks
Maintainability issues
Technical debt
Anti-patterns are flagged early in pipelines because:
They indicate deeper code quality issues
They increase attack surfaces
They violate secure coding best practices
Why DevSecOps Cares
Can accidentally leak sensitive information into browser logs or external monitoring tools.
Detecting and removing them is a standard secure coding best practice.
âShift leftâ security means we catch insecure or dev-only patterns as early as possible â like during a pipeline check â so they never reach production.
NOTE: Another alternative is Semgrep. It also allows for more custom rules and anti-patterns check.
GitLeaks
GitLeaks is an open-source tool that scans your code repositories for secrets you may have accidentally committed.
What Does It Scan For?
It looks for sensitive information such as:
Passwords
API keys
Tokens
Private keys
Database credentials
| Benefits | Why it matters |
|---|
| Catches secrets early | Prevents pushing sensitive info to your repository |
| Protects your credentials | Avoids data leaks, unauthorized access, or breaches |
| Automates scanning in CI/CD | Ensures every commit/PR is checkedâsecurity is not left to chance |
| Audit trail | Keeps a record of what was found and fixed |
Common terminologies in GitLeaks
Entropy
Entropy is a statistical measure of unpredictability.
In the context of GitLeaks:
Entropy score map
| Entropy Score | Interpretation |
|---|
| < 3.0 | Low and usually not a secret |
| 3.0 - 4.0 | Medium and could be a simple secret |
| > 4.0 | High and likely to be a password, token, or API key |
| > 4.5 | Very high and probably a real credential |
Redacted
Commonly logged as âSecret: REDACTEDâ.
It means that GitLeaks found a potential secret, but did not print the actual value of the secret in the output.
When is this useful?
You're scanning in CI/CD pipelines (like Azure DevOps or GitHub Actions)
You want to detect secrets but not log them
You are creating a report to review safely
If you want to see the secret, remove ââredactâ from the command.
Script in Azure Pipeline (yaml)
# GitLeaks Secret Scanning
- script: |
echo "Downloading GitLeaks..."
curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz -o gitleaks.tar.gz
echo "Extracting GitLeaks..."
tar -xzf gitleaks.tar.gz
chmod +x gitleaks
echo "Running GitLeaks scan..."
# ./gitleaks detect --source . --verbose --redact --exit-code 1
./gitleaks detect --source . --redact --report-format=json --report-path=gitleaks-report.json || true
echo "Scan Results:"
cat gitleaks-report.json | jq
echo "Checking for high entropy secrets..."
HIGH_ENTROPY=$(jq '[.[] | select(.Entropy > 5)] | length' gitleaks-report.json)
if [ "$HIGH_ENTROPY" -gt 0 ]; then
echo "High entropy secrets found (Entropy > 5). Failing pipeline."
exit 1
else
echo "No high entropy secrets found."
fi
displayName: 'Run GitLeaks secret scan'
Best Practices for DevSecOps Pipelines
Shift Security Left
Integrate security checks as early as possible in the development processâstarting from code commit to build and test stagesâto detect and fix vulnerabilities before they escalate.
Automate as much as possible
Use automated tools for vulnerability scanning, secrets detection, license compliance, and static/dynamic code analysis to reduce human error and improve speed.
Use Multiple Security Tools
Combine tools like GitLeaks (for secrets detection), npm audit (for package vulnerabilities), SAST (static analysis), and DAST (dynamic analysis) to cover a broad spectrum of security risks.
Enforce Security Gates
Set thresholds for vulnerabilities or anti-patterns that fail the build or block merges, ensuring that insecure code does not proceed through the pipeline unchecked.
Regularly Update Tooling
Keep your security tools and their vulnerability databases up-to-date to catch the latest threats and avoid false positives.
Monitor and Report Security Metrics
Track key metrics such as the number and severity of vulnerabilities detected, time to remediation, and compliance scores. Use these insights to improve your pipeline continuously.
Manage False Positives Effectively
Tune your tools and scripts to reduce noise and false alarms, helping developers focus on real issues without alert fatigue.
Integrate with Developer Workflows
Provide immediate feedback in pull requests or IDEs, making it easy for developers to identify and fix issues without disrupting their workflow.
Secure Secrets Management
Use dedicated secrets management solutions and integrate secret scanning to prevent accidental leaks in source code repositories.
Foster a Security-First Culture
Train developers and ops teams on secure coding and the importance of security in the pipeline. Encourage collaboration and shared responsibility for security.
Conclusion
DevSecOps represents a crucial evolution in modern software development, blending security seamlessly with development and operations. By automating security checks and embedding them into your CI/CD pipelines, you not only reduce vulnerabilities early but also accelerate secure software delivery. The pipeline youâve built with GitLeaks, npm audit, and custom bash scripts is a powerful example of how automation can help catch issues before they reach production. However, successful DevSecOps requires more than just tools. It demands a cultural shift where security is everyoneâs responsibility, ongoing vigilance, and continuous improvement. Embracing best practices ensures your pipeline remains effective and adaptive, helping your organization stay resilient against emerging threats while maintaining the pace of innovation.