Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

DevSecOps in CI/CD pipelines: what identity teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: DevSecOps moves security into planning, design, and CI/CD execution so teams can catch vulnerabilities, secret leakage, and certificate risks earlier, while the source article also cites Gartner’s finding that 60% of respondents consider the transition technically challenging. The governance change matters because speed without embedded controls turns delivery pipelines into exposure pipelines.

NHIMG editorial — based on content published by GlobalSign: DevSecOps, CI/CD security, and PKI automation

By the numbers:

Questions worth separating out

Q: How should teams choose DevSecOps tools for CI/CD pipelines?

A: Start with the risk class you can catch earliest and with the least friction.

Q: Why do secrets and certificates create identity risk in delivery pipelines?

A: Secrets and certificates are machine identities that determine what a workload can prove and access.

Q: What do teams get wrong about shifting security left?

A: They often treat shift-left as a detection exercise instead of a governance change.

Practitioner guidance

  • Embed security requirements into pipeline design Define security acceptance criteria for every repository and build stage, including threat modelling, dependency review, and secret scanning before merge.
  • Automate secret detection and credential lifecycle controls Scan code, configuration, and CI/CD variables for exposed credentials, then rotate or revoke affected secrets through a governed workflow.
  • Treat certificates as managed machine identities Centralise issuance, renewal, and revocation for service certificates and tie them to workload ownership, expiration policy, and environment scope.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on embedding security checks into DevOps workflows at design, build, and deployment stages
  • Practical examples of certificate automation and PKI handling inside CI/CD environments
  • A fuller explanation of how teams can build a security-first culture across development, operations, and security
  • The article's discussion of adoption barriers, including skills gaps, tool proliferation, and change management

👉 Read GlobalSign's analysis of DevSecOps, CI/CD security, and PKI automation →

DevSecOps in CI/CD pipelines: what identity teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

DevSecOps is now an identity governance issue, not just a software engineering practice. Once CI/CD pipelines issue, store, and validate machine credentials, they become part of the NHI control surface. That means IAM and PAM teams can no longer stop at human access reviews, because secrets, certificates, and service identities in delivery systems can create the same blast radius as privileged user accounts. Practitioners should govern the pipeline as an identity system, not an isolated engineering workflow.

A question worth separating out:

Q: How can organisations tell whether DevSecOps controls are actually working?

A: Look for fewer late-stage exceptions, faster remediation of found issues, and clear ownership for secrets, certificates, and pipeline permissions. If the team still depends on manual approvals or emergency fixes before deployment, security is still reactive. Effective DevSecOps produces traceable controls that keep pace with release frequency.

👉 Read our full editorial: DevSecOps shifts security left in CI/CD and PKI governance



   
ReplyQuote
Share: