spinny:~/writing $ cat devsecops-shift-left-security-guide.md

DevSecOps gia programmatistes: Enas praktikos odigos gia to shift-left security

2026-04-12 · 11 min read · Filippo Spinella · Security, DevOps, CI/CD, Cloud

Mia eypatheia pou vrethike kata ti syngraphi kodika kostizei ston programmatisti lepta gia na diorothothi. I idia eypatheia pou entopistike stin paragogi kostizei ena olokliro sprint. Kai an tin vrei protos enas epititethemenos, kostizei ekatommyria. Ayto einai to vasiko epikheirima yper tou shift-left security - ti metakinisi ton elegkhon asfaleias oso to dynaton noristera ston kyklo zois tis anaptixis.

To DevSecOps pairnei ayti tin idea kai tin metatrepei se praksi: i asfaleia den einai mia xekhoristi fasi sto telos, alla mia synekhi diadikasia yphasmeni se kathe stadio tis anaptixis - apo tin proti grammi kodika eos tin egkatastasi stin paragogi.

To kostos tis kathysterimeneis asfaleias

I ekthesi Cost of a Data Breach tis IBM deikhnei systimatika oti to kostos diorothotis ton thematton asfaleias ayxanei ektheetika oso argotera entopizontai:

Stadio	Kostos diorothotis	Khronos diorothotis
IDE / Topiki anaptyksi	Lepta	Defterolepta eos lepta
Code Review / PR	Ores	Lepta eos ores
CI/CD Pipeline	Imeres	Ores eos imeres
Staging / QA	Evdomades	Imeres
Paragogi	Mines	Evdomades eos mines
Meta apo paraviasi	Ekatommyria ($)	Mines eos khronia

To symperasma einai saphe: kathe stadio pou othoumele tin asfaleia noristera exoikonomoume mia taxi megethous se kostos kai khrono.

To Pipeline DevSecOps

Ena orimo pipeline DevSecOps ensomatonei elegkhous asfaleias se kathe stadio:

As analysoume kathe stadio me sygkekrimena ergaleia kai diametrisi.

Stadio 1: Asfaleia sto IDE

O takhyteros vrokhos anaskhesis. Entopiste eypathies prin kan apothikefsete to arkheio.

Protenomena ergaleia

Semgrep: elafria statiki analysi me kanones koinotitas gia eypathies OWASP
Snyk IDE Extension: sarosi eypathion exartiseon se pragmatiko khrono
GitLens + GitLeaks: entopismos mystikon ston epexergasti sas
ESLint Security Plugins: eslint-plugin-security gia Node.js, eslint-plugin-no-unsanitized gia DOM XSS

Paradeigma: Diametrisi ESLint Security

{
  "extends": ["eslint:recommended"],
  "plugins": ["security", "no-unsanitized"],
  "rules": {
    "security/detect-object-injection": "warn",
    "security/detect-non-literal-regexp": "warn",
    "security/detect-unsafe-regex": "error",
    "security/detect-buffer-noassert": "error",
    "security/detect-eval-with-expression": "error",
    "security/detect-no-csrf-before-method-override": "error",
    "security/detect-possible-timing-attacks": "warn",
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error"
  }
}

Stadio 2: Pre-commit Hooks

I defteri grammi amynas. Ekteleitai aytomata prin apo kathe commit, empodizomtas epikindyno kodika na eiselthei sto apothetisio.

Gitleaks: Piaste ta mystika prin ftasoun sto Git

To pio sykhno lathos asfaleias stis vaseis kodika einai to commit mystikon - API kleidia, kodikoi prosavassis vaseon dedomenon, tokens. Molis ena mystiko ftasei sto istorieto tou git, einai exairetika dyskolo na afairethei pliros (akoma kai me force push, ta fork kai oi kryft mnimes mporei na to diatirissoun).

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/semgrep/semgrep
    rev: v1.90.0
    hooks:
      - id: semgrep
        args: ['--config', 'auto']

Egkatastasi kai energopoiisi:

pip install pre-commit
pre-commit install

Tora kathe git commit saronei aytomata gia diarroesvmena mystika kai syniotheis eypathies. An vrethei kati, to commit mplokaretai.

Prosarmosmenoi kanones Gitleaks

Mporete na prosthesete prosarmosmena protyma gia ta mystika tou organismou sas:

# .gitleaks.toml
title = "Custom Gitleaks Config"

[[rules]]
id = "internal-api-key"
description = "Internal API key detected"
regex = '''INTERNAL_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]

Stadio 3: Asfaleia pipeline CI/CD

Edo ginetai i varia douleia. To CI pipeline sas prepe na trexei pollaplous elegkhous asfaleias se kathe pull request.

SAST (Static Application Security Testing)

Ta ergaleia SAST analyoun ton pigaio kodika khoris na ton ekteloun, psakhnontas gia protyma pou ypodeiknoyoun eypathies.

# .github/workflows/security.yml
name: Security Scan
on:
  pull_request:
    branches: [main]

jobs:
  sast:
    name: Static Analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: >-
            p/owasp-top-ten
            p/typescript
            p/nodejs
            p/react
          generateSarif: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

To p/owasp-top-ten ruleset tou Semgrep pianel tis pio sykhnes eypathies: SQL injection, XSS, SSRF, path traversal, insecure deserialization kai alla.

SCA (Software Composition Analysis)

To SCA saronei tis exartiseis sas gia gnostes eypathies. Ayto einai kritiko - pano apo to 80% tou kodika ton synchronon efarmogon provainei apo exartiseis open-source.

  dependency-scan:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high

Asfaleia containers me Trivy

An khtiizete Docker images, i sarosi tous gia eypathies einai aparaititi. To Trivy einai o pio dimophilis open-source container scanner.

  container-scan:
    name: Container Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-app:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

Dimiourgia SBOM

To Software Bill of Materials (SBOM) einai enas plireis katalogos kathe synisrosas stin efarmogi sas. Apaiteitai olo kai perisotero apo plasia symmorphotis kai kyvernitikous kanonismous (to Ektelestiko Diatagma ton IPA gia tin Kyvernoasfaleia epivalei SBOM gia to omospondiako logismiko).

  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json

Stadio 4: Asfaleis Docker images

Ena Docker image paragogis prepei na akolouthei tin arkhi tis elakhistis pronoias. Etsi fainetai ena eniskhymeno Dockerfile:

# Build stage
FROM node:22-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:22-alpine AS runner
WORKDIR /app

# Install dumb-init before dropping root
RUN apk add --no-cache dumb-init

# Don't run as root
RUN addgroup -S app && adduser -S app -G app

# Copy only what's needed
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --from=builder --chown=app:app /app/node_modules ./node_modules
COPY --from=builder --chown=app:app /app/package.json ./

# Drop to non-root user
USER app
ENTRYPOINT ["dumb-init", "--"]

# Health check
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD wget -qO- http://localhost:3000/health || exit 1

EXPOSE 3000
CMD ["node", "dist/server.js"]

Vasikes praktikes:

Khrisimopoiiste multi-stage builds: to stadio builder ekhei exartiseis anaptixis; to stadio runner ekhei mono kodika paragogis
Min trexete os root: dimiourggiste enan mi-root khristi kai allaxte se ayton
Khrisimopoiiste images Alpine: mikrotori epiphania epithotsis (ligotera paketa egatestatoumena kata proepilogi)
Karfonoste ekdoseis images: node:22-alpine anti gia node:latest gia na apofeygete epitotheseis alytsidas efodiasmou
Khrisimopoiiste npm ci: deterministikes egkatastaseis apo to lock file, okhi npm install

Stadio 5: Diakheirisi mystikon

Ta sklirokentered mystika einai i pio synithismeni aitia paraviaseon se peristatika pou provokountai apo programmatistes.

Ti NA MI kanete

// NEVER do this
const API_KEY = "sk-1234567890abcdef";
const DB_PASSWORD = "supersecret123";

const client = new Client({
  connectionString: `postgres://admin:${DB_PASSWORD}@db.example.com/prod`
});

Ti na kanete anti gia ayto

// Use environment variables
const client = new Client({
  connectionString: process.env.DATABASE_URL
});

// Or use a secret manager
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

const client = new SecretManagerServiceClient();
const [version] = await client.accessSecretVersion({
  name: 'projects/my-project/secrets/db-password/versions/latest',
});
const dbPassword = version.payload?.data?.toString();

Ierarkhia diakheiriseis mystikon

OWASP Top 10: Mia grigori anafora

Kathe programmatistis tha prepei na gnorise to OWASP Top 10. Syntomi ekdosi:

#	Eypatheia	Ti einai	Prolipsi
1	Broken Access Control	Khristes provainoun se porous pou den tha eprepe	Arnisi kata proepilogi, epikyrosi ston server
2	Cryptographic Failures	Asthenis kryptographia, dedomena se katharo keimeno	Iskhyroi algorithmos (AES-256, bcrypt), TLS pantou
3	Injection	SQL, NoSQL, OS command injection	Parametropoiimena erotimata, epikyrosi eisodou
4	Insecure Design	Elatomatiki arkhitektoniki	Modelopoiisi apeilon, asfali skhediostika protypa
5	Security Misconfiguration	Proepologismeni pistopoiitika, anoiktoi cloud buckets	Eniskhymenes proepologes, aytomatopoiimenoi elegkhoi diametrisis
6	Vulnerable Components	Gnoista CVE stis exartiseis	Sarosi SCA, taktikes enimeroses
7	Auth Failures	Astheneis kodikoi, katestrammenoi synedries	MFA, rate limiting, asphali diakheirisi synedrias
8	Data Integrity Failures	Mi ypogegrammenes enimeroses, mi axiopisites CI/CD	Ypographi kodika, SBOM, akeraiottita pipeline
9	Logging Failures	Den yparkhei monopati elegkhou	Domiino katakraphi, eidopoiisi gia anomalies
10	SSRF	Server-side request forgery	Allowlist exerkhomenon URL, epikyrosi eisodou

Plires workflow asfaleias GitHub Actions

Ena plires, ethoimo gia paragogi workflow pou syndyazei ola ta parapano:

# .github/workflows/security.yml
name: Security Pipeline
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sast:
    name: Static Analysis (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten p/typescript p/nodejs

  dependency-audit:
    name: Dependency Scan (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm audit --audit-level=high
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
        continue-on-error: true

  container-scan:
    name: Container Scan
    runs-on: ubuntu-latest
    needs: [sast, dependency-audit]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'

  sbom:
    name: SBOM Generation
    runs-on: ubuntu-latest
    needs: [container-scan]
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json

Metrikes pros parakolouthisi

Pos gnorizete oti to programma DevSecOps sas leitourgei? Parakolouthiste aytes tis metrikes:

Mean time to remediate (MTTR): poso grigora diorothinete eypathies meta ton entopismo
Vulnerability escape rate: to pososto ton eypatheion pou ftanoun stin paragogi
False positive rate: polloi psefdeises thestikoi odigoun se koposi apo eidopoiiseis kai agnoisi proeidopoiiseon
Dependency freshness: i mesi ilikia ton exartiseon sas (paliotera = megalyteri pithanotita gnoston CVE)
SBOM coverage: pososto ergon me enimeromena SBOM

Xekinontas: Enas praktikos odigikos khartis

Min prospathisete na efarmasete ta panta tautokhrona. Mia fasiaki prosengisi leitourgei kalytera:

Symperasma

To DevSecOps den aforá tin prosthiki perissoteron ergaleion sto pipeline sas - aforá to na kanete tin asfaleia fysiko meros tou tropou pou ftiakhnete logismiko. O stokhos den einai na mplokarete kathe PR me proeidopoiiseis asfaleias, alla na dosete stous programmatistes grigori anaskhesi oste na mporoun na diorthosetoun provlimata oso o kodikas einai akomi freskos sti mnimi tous.

Xekiniste me ta vasika: pre-commit hooks gia mystika, sarosi exartiseon sto CI kai sarosi containers gia Docker images. Meta sinekiste me vasi auti pou khreiazetan i omada sas.

I asfaleia den einai ena kharaktiristiko pou paradidete mia fora. Einai mia praktiki pou khtizete se kathe commit.

Lista elegkhou DevSecOps gia xekinima:

Egkatestatoumena pre-commit hooks Gitleaks

Arkheia .env kai arkheia mystikon sto .gitignore

Semgrep SAST sto CI pipeline

Snyk i npm audit gia sarosi exartiseon

Trivy gia sarosi image containers

Mi-root khristis sta Dockerfiles

Mystika se metablites perivaollontos i secret manager

Dimiourgia SBOM se kathe ekdosi

Enimerothita gia OWASP Top 10 se oli tin omada