πŸš€ DevSecOps Pipeline β€” Deep Dive: SAST, DAST, SCA, SBOM, dan Secret Scanning

Panduan implementasi keamanan di pipeline CI/CD β€” dari Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), Software Bill of Materials (SBOM), hingga secret scanning. Mencakup toolchain konkret (Semgrep, CodeQL, ZAP, Trivy, Syft, Grype, Gitleaks), integrasi di GitHub Actions/GitLab CI, pipeline gates berdasarkan severity, serta strategi shift-left vs shift-right dalam konteks DevSecOps modern.

Hubungan ke Vault

Nota ini terkait dengan cicd-shiftleft-shiftright untuk framework strategi keamanan di SDLC, cicd-guide sebagai panduan implementasi pipeline dasar, container-kubernetes-security-deepdive untuk container image scanning di pipeline (Trivy, cosign), cloud-security-posture-management untuk IaC scanning (Checkov, tfsec), software-supply-chain-security-deepdive untuk rantai pasok perangkat lunak, dan api-security-deep-dive untuk DAST fokus API.


Daftar Isi


Foundation

Apa Itu DevSecOps?

DevSecOps adalah filosofi yang mengintegrasikan praktik keamanan ke dalam setiap fase DevOps β€” bukan sebagai gate di akhir siklus, tetapi sebagai bagian dari pipeline otomatis sejak commit pertama.

Perbandingan pendekatan:

PendekatanKapan Testing DilakukanBiaya PerbaikanDampak Tim
Traditional (Waterfall + Security Audit)Setelah development selesai, sebelum rilisπŸ’°πŸ’°πŸ’°πŸ’°πŸ’° (paling mahal)Security team = bottleneck
DevOps + Security GateSetelah build, sebelum deployπŸ’°πŸ’°πŸ’°Security = blocker, banyak false positive
DevSecOps (Shift-Left)Pada setiap commit (IDE β†’ PR β†’ Build)πŸ’°Developer bertanggung jawab, security sebagai enabler
DevSecOps + Shift-RightPada setiap commit + di productionπŸ’° (paling murah)Monitoring kontinu memvalidasi asumsi

Jenis Testing Keamanan Otomatis

KategoriFokusKapan DijalankanContoh
SAST (Static Analysis)Source code scanning β€” menemukan vulnerability di kode tanpa menjalankannyaPre-commit hook, PR, buildSemgrep, CodeQL, SonarQube
DAST (Dynamic Analysis)Runtime scanning β€” menemukan vulnerability di aplikasi yang berjalanStaging, production (careful)OWASP ZAP, Burp Suite Enterprise, Acunetix
SCA (Software Composition Analysis)Dependency scanning β€” library/package vulnerability + license compliancePR, build, scheduledTrivy, Grype, Snyk, Dependabot
IAST (Interactive Analysis)Hybrid SAST+DAST β€” agent di runtime memonitor code executionStaging testContrast Security, Hdiv, Checkmarx IAST
Secret ScanningMencari credentials, API keys, tokens hardcodedPre-commit, PR, buildGitleaks, GitGuardian, TruffleHog
Container ScanningImage vulnerability, misconfiguration, malwareBuild, registry pushTrivy, Clair, Anchore
IaC ScanningInfrastruktur code (Terraform, CloudFormation) misconfigurationPR, buildCheckov, tfsec, KICS

SAST vs DAST β€” Kapan Memilih?

KriteriaSASTDAST
False Positive RateTinggi (banyak false positive karena tidak punya context runtime)Rendah (menyerang aplikasi nyata)
False Negative RateRendah (bisa menemukan vulnerability yang sulit ditemukan DAST)Tinggi (hanya bisa menemukan apa yang bisa β€˜dilihat’ dari luar)
CakupanSource code (SQL injection, XSS, buffer overflow, hardcoded secrets)Running app (authentication, session management, CSRF, configuration)
KecepatanCepat (millions LOC dalam menit)Lambat (tergantung cakupan crawl + attack)
Kebutuhan envTidak perlu env runningPerlu staging/prod environment
Integrasi PRMudah (di CI pipeline)Sulit (harus deploy dulu)

Rekomendasi: SAST di pre-commit + PR gate, DAST di staging environment setelah deploy.

Software Bill of Materials (SBOM)

SBOM adalah manifest terstruktur yang mendaftarkan setiap komponen/package/artifact yang digunakan dalam perangkat lunak. Format standar:

FormatStandarStruktur
SPDX (Software Package Data Exchange)ISO/IEC 5962:2021Berbasis tag-value atau JSON-LD
CycloneDXOWASP standardXML atau JSON, lebih ringan
SWID (ISO 19770-2)ISOTagging standar untuk software identification

Mengapa SBOM penting:

  • Log4j (Dec 2021) β€” ribuan tim tidak bisa mengidentifikasi apakah mereka menggunakan log4j yang rentan karena tidak punya SBOM.
  • Regulasi β€” US Executive Order 14028 mewajibkan SBOM untuk software pemerintah; EU CRA (Cyber Resilience Act) mensyaratkan SBOM untuk produk digital.
  • Supply-chain transparency β€” Anda tidak bisa melindungi apa yang tidak Anda ketahui.

Perintah untuk menghasilkan SBOM dengan Syft:

# Untuk container image
syft nginx:latest -o spdx-json > nginx-sbom.spdx.json
 
# Untuk file system
syft /app -o cyclonedx-json > app-sbom.cyclonedx.json

Technical Deep-Dive

Toolchain Lengkap dan Konfigurasi

1. SAST β€” Semgrep

Semgrep adalah SAST engine open-source dengan dukungan 30+ bahasa dan ribuan rule community.

# Install
pip install semgrep
 
# Scan
semgrep --config auto --metrics=off .

Konfigurasi GitHub Actions:

name: DevSecOps SAST
on:
  pull_request:
    branches: [main, develop]
jobs:
  semgrep-sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep SAST Scan
        uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten # OWASP Top 10 ruleset
          # config: r/python.lang.security  # Python specific
          # config: r/javascript.browser.security  # JS specific
      - name: Check for Critical Findings
        if: failure()
        run: |
          echo "::error::SAST menemukan critical vulnerability. Fix sebelum merge."
          exit 1

Custom rule β€” Deteksi SQL Injection di Python (raw query):

rules:
  - id: python-sqli-raw
    patterns:
      - pattern: |
          cursor.execute("..." + $QUERY + "...")
      - pattern-not: |
          cursor.execute("SELECT * FROM t WHERE col = ?", [...])
    message: "Raw SQL query concatenation detected β€” possible SQL injection"
    languages: [python]
    severity: ERROR

2. SAST β€” CodeQL (GitHub-native)

CodeQL menggunakan query-based analysis:

name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ["python", "javascript", "go"]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3

CodeQL Query β€” Find Hardcoded Passwords:

import python
 
from Module m, Call c
where m.getName() = "hashlib"
and c.getFunc() = m.attr("pbkdf2_hmac")
and exists(|
  c.getArg(2).(StrConst).getValue() = "password" or
  c.getArg(2).(StrConst).getValue().regexpMatch("(?i).*password.*")
|)
select c, "Potential hardcoded password in pbkdf2 call"

3. DAST β€” OWASP ZAP

ZAP adalah leading open-source DAST tool:

name: DevSecOps DAST
on:
  deployment_status:
jobs:
  zap-scan:
    if: github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          rules_file_name: ".zap/rules.tsv"
          cmd_options: "-I" # Active scan
      - name: Upload ZAP Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: report_html/

ZAP rule exclusion (untuk mengurangi false positive):

# .zap/rules.tsv
10003	IGNORE	# Passive: Weak Authentication Method (false positive di apps tanpa auth endpoint sendiri)
10021	IGNORE	# Passive: X-Content-Type-Options (app sudah handle di reverse proxy)
10106	IGNORE	# Passive: HttpOnly Session Cookie (library default setting)

4. SCA + Container Scanning β€” Trivy

Trivy (Aqua Security) adalah all-in-one vulnerability scanner:

# Scan filesystem
trivy filesystem /app --severity CRITICAL,HIGH --exit-code 1
 
# Scan container image
trivy image nginx:latest --severity CRITICAL --exit-code 1
 
# Scan IaC
trivy config --severity CRITICAL --exit-code 1 ./terraform/
 
# Generate SBOM
trivy image --format cyclonedx --output result.cdx.json nginx:latest

GitHub Actions:

- name: Trivy Filesystem Scan
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "fs"
    scan-ref: "."
    format: "sarif"
    output: "trivy-results.sarif"
    severity: "CRITICAL,HIGH"
- name: Upload Trivy to GitHub Security
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: "trivy-results.sarif"

5. SBOM Generation β€” Syft + Grype

- name: Generate SBOM
  uses: anchore/sbom-action@v0
  with:
    image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
    format: spdx-json
    output-file: sbom.spdx.json
 
- name: Upload SBOM
  uses: actions/upload-artifact@v4
  with:
    name: sbom
    path: sbom.spdx.json

6. Secret Scanning β€” Gitleaks

name: Secret Scanning
on: [pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Custom Gitleaks rules:

# .gitleaks.toml
[[rules]]
id = "custom-aws-key"
description = "AWS Access Key ID"
regex = '''(?i)(?:ak|sk|AWS)[\s:=]+(?:A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}'''
tags = ["aws", "credentials"]
 
[[rules]]
id = "custom-jwt"
description = "JWT Token (common pattern)"
regex = '''eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*'''
tags = ["jwt", "token"]

Pipeline Gate Strategy β€” Severity-Based

PR Created
  β”œβ”€β”€ Pre-commit hooks (client-side)
  β”‚   β”œβ”€β”€ gitleaks (secret scanning β€” langsung reject commit)
  β”‚   └── pre-commit hooks (linting + basic SAST)
  β”‚
  β”œβ”€β”€ CI Pipeline: Build Phase
  β”‚   β”œβ”€β”€ SAST (Semgrep/CodeQL)
  β”‚   β”œβ”€β”€ SCA (Trivy/Grype)
  β”‚   β”œβ”€β”€ Secret Scanning (Gitleaks/TruffleHog)
  β”‚   └── IaC Scanning (Checkov)
  β”‚
  β”œβ”€β”€ GATE: Fail on CRITICAL/HIGH β†’ block merge
  β”‚
  β”œβ”€β”€ CI Pipeline: Deploy to Staging
  β”‚   └── DAST (ZAP/Burp)
  β”‚       └── GATE: Fail on CRITICAL β†’ block deploy to prod
  β”‚
  β”œβ”€β”€ CI Pipeline: Image Signing
  β”‚   β”œβ”€β”€ SBOM generation (Syft)
  β”‚   β”œβ”€β”€ Cosign signing
  β”‚   └── Push to registry
  β”‚
  β”œβ”€β”€ Deploy to Production
  β”‚   └── Shift-right monitoring (runtime)
  β”‚       β”œβ”€β”€ WAF detection
  β”‚       β”œβ”€β”€ RASP agent
  β”‚       └── SIEM anomaly
  β”‚
  └── Scheduled Scans
      β”œβ”€β”€ Weekly: Full SAST + SCA (all severities)
      β”œβ”€β”€ Monthly: DAST full scan
      └── On-demand: Penetration testing

False Positive Management

SAST/DAST tools menghasilkan false positive (FP) β€” tanpa manajemen FP, developer akan mengabaikan semua alert.

StrategiDeskripsiImplementasi
BaselineBandingkan hasil scan dengan baseline yang sudah diverifikasiSemgrep: semgrep --config auto --baseline main
Suppression commentsDeveloper bisa mark FP di source code# nosemgrep / // semgrep-ignore
Path exclusionExclude direktori test, vendor, generated code.semgrepignore / .trivyignore
Severity downgradeTurunkan severity untuk rule dengan FP tinggiZAP rules file: 10003 WARN
Aging policyFP yang tidak muncul di N cycle otomatis di-archiveSIEM + Jira integration
Daily triageSecurity engineer review FP report harianDashboard Grafana + CSV export

Advanced

Supply Chain Level for Software Artifacts (SLSA)

SLSA (Supply-chain Levels for Software Artifacts) adalah framework keamanan rantai pasok yang menentukan tingkat kepercayaan artifact berdasarkan 4 level:

LevelDeskripsiPersyaratan Minimum
SLSA 1Build process documentedProvenance (metadata who built what from what source)
SLSA 2Build process tamper-resistantSigned provenance + host build service
SLSA 3Hardened build processNo user-controlled build steps, isolation, provenance includes dependencies
SLSA 4Two-person review + hermetic buildAll dependencies declared, fully reproducible build, provenance by design

Cara mencapai SLSA 3+ untuk container image:

# GitHub Actions β€” SLSA 3 provenance generation
- name: Generate SLSA Provenance
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
  with:
    image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    digest: ${{ steps.build-and-push.outputs.digest }}

Cryptographic Signing β€” Cosign

Cosign (Sigstore) memungkinkan signing container image tanpa perlu private key management (keyless signing via OIDC):

# Sign image (keyless β€” menggunakan GitHub OIDC token)
cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
 
# Verify
cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

Policy Controller (Connaisseur/Kyverno) β€” verifikasi signature sebelum mengizinkan pod running:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "harbor.corp.internal/*"
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/corp-org/*/.github/workflows/*.yml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"

IaC Scanning β€” Checkov (Policy as Code)

Checkov untuk menemukan misconfiguration di Terraform:

- name: Checkov IaC Scan
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: terraform/
    framework: terraform
    output_format: cli
    soft_fail: false # block on any fail
    quiet: true
    skip_check: CKV_AWS_53 # skip known false positive

Full Pipeline Example β€” GitHub Actions (Monorepo)

name: Full DevSecOps Pipeline
on:
  pull_request:
    branches: [main]
jobs:
  pre-commit-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pre-commit/action@v3.0.1
        with:
          extra_args: --all-files --show-diff-on-failure
 
  security-scan:
    needs: pre-commit-checks
    runs-on: ubuntu-latest
    strategy:
      matrix:
        scan: [sast, sca, secrets, iac]
    steps:
      - uses: actions/checkout@v4
 
      - name: SAST β€” Semgrep
        if: matrix.scan == 'sast'
        uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten
          severity: ERROR
 
      - name: SCA β€” Trivy
        if: matrix.scan == 'sca'
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "1"
 
      - name: Secrets β€” Gitleaks
        if: matrix.scan == 'secrets'
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
      - name: IaC β€” Checkov
        if: matrix.scan == 'iac'
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: terraform/
          soft_fail: false
 
  build-and-scan:
    needs: security-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build container
        run: docker build -t app:${{ github.sha }} .
      - name: Container scan β€” Trivy
        run: trivy image --severity CRITICAL,HIGH --exit-code 1 app:${{ github.sha }}
      - name: SBOM β€” Syft
        run: syft app:${{ github.sha }} -o spdx-json --file sbom.spdx.json
      - name: Sign β€” Cosign
        run: cosign sign --keyless app:${{ github.sha }}
 
  deploy-staging:
    needs: build-and-scan
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - name: Deploy to Staging
        run: |
          kubectl set image deployment/app app=app:${{ github.sha }} -n staging
 
  dast-staging:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - name: ZAP DAST Scan
        uses: zaproxy/action-full-scan@v0.12.0
        with:
          target: https://staging.app.corp
          rules_file_name: ".zap/rules.tsv"
          allow_issue_writing: false
          fail_action: true

Tool Benchmark (Performa dan Akurasi)

ToolSpeed (1000 LOC)FP RateCoverage BahasaHarga
Semgrep~2 detikMedium30+Open source (community), Paid (team)
CodeQL~5 detikLow (query-based)12 (C/C++, C#, Java, JS, Python, Go, Ruby, Swift, Kotlin, Rust, TS)Free for public repos
SonarQube~10 detikMedium-High30+Community Edition gratis
TrivyN/A (image: ~5 detik)LowOS packages + language packagesOpen source
GrypeN/ALowSimilar to TrivyOpen source
ZAPDepends on app sizeMedium (baseline lowers it)Web/APIOpen source
Gitleaks~1 detikLow (with custom rules)Git history + filesystemOpen source
Checkov~3 detikMediumTerraform, CloudFormation, K8s, ARMOpen source

Hardening Checklist β€” DevSecOps Pipeline

☐ Pre-commit hook: gitleaks + basic linting
☐ PR gate: SAST (Semgrep/CodeQL) β€” fail on any CRITICAL/HIGH
☐ PR gate: SCA (Trivy/Grype) β€” fail on any CRITICAL
☐ PR gate: IaC scanning (Checkov) β€” fail on any misconfiguration
☐ PR gate: Secret scanning (Gitleaks/TruffleHog)
☐ Build: Trivy container scan β€” fail on CRITICAL
☐ Build: SBOM generation (Syft) β€” upload to artifact store
☐ Build: Image signing (Cosign) β€” keyless via OIDC
☐ Deploy to staging: DAST scan (ZAP/Burp) β€” fail on CRITICAL
☐ Deploy to staging: post-deployment validation test (non-functional)
☐ Deploy to prod: require SLSA 3 provenance
☐ Scheduled: weekly full SAST + SCA scan
☐ Scheduled: monthly full DAST scan
☐ Scheduled: SBOM diff analysis (new vuln detection)
☐ Incident: rapid patching pipeline (auto-trigger for disclosed CVEs)

Case Studies

Studi KasusKonteksTemuan KunciMitigasi Diimplementasi
Log4j CVE-2021-44228 (Dec 2021)Ribuan organisasi tidak tahu menggunakan log4j yang rentan1. Tidak ada SCA β€” tim tidak punya visibility dependency mana yang mengandung log4j. 2. SBOM belum ada β€” manual triage butuh waktu berminggu-minggu. 3. Pipeline tidak bisa β€œblock” build otomatis untuk versi log4j.1. Deploy SCA (Trivy) dengan block rule untuk semua CVE-critical. 2. Generate SBOM untuk semua service. 3. Automated pipeline untuk emergency patch (auto-bump dependency + build + deploy dalam <1 jam).
Codecov Breach (2021)Pipeline CI/CD tool compromise β†’ supply-chain attack1. Codecov Bash Uploader terkena credential theft. 2. Attacker modify uploader β†’ exfiltrate CI environment variables. 3. Ribuan organization exposed: cloud credentials, API keys, tokens.1. Gunakan OIDC-based auth (no static keys). 2. Rotate CI secrets. 3. Audit CI runner artifacts. 4. Minimum IAM untuk CI jobs.
Dependency Confusion (2021)Internal package name sama dengan public β€” npm/yarn prioritaskan public1. Internal package corp-auth β†’ attacker publish corp-auth ke npm dengan version lebih tinggi. 2. Pipeline auto-download dependency dari npm β€” malicious code executed. 3. POC: 35+ perusahaan besar terkena.1. Scoped registry: @corp/ prefix. 2. Resolver strict β€” hanya dari private registry. 3. Integrity check (package lock + hash verification). 4. SCA yang mendeteksi dependency confusion.
SolarWinds Orion (2020)Build pipeline compromise β€” malware di signed artifact SLSA 01. Attacker compromise build server β†’ inject Sunburst backdoor ke Orion source code. 2. Code review tidak mendeteksi karena injeksi stealth dan legitimate signing. 3. 18,000+ customers menerima backdoor via update.1. SLSA 4 β€” hermetic build, two-person review. 2. Reproducible build β€” deteksi drift binary. 3. Immutable build environment. 4. Code signing + attestation. 5. ADR: diversifikasi supply chain.
Simulated CI Pipeline Attack (2024)Penetration test β€” SAST + DAST + SCA integration1. SAST menemukan SQL injection di endpoint /search (query concatenation). 2. SCA menemukan 2 HIGH vuln di library requests (old version). 3. Secret scanning menemukan 3 AWS Access Keys di file .env.example (committed 2 tahun lalu).1. Pipeline block + developer notified via GitHub Security Alerts. 2. Rotate exposed keys in <30 menit. 3. Auto-approve PR untuk fix SAST/SEC findings. 4. Git history rewrite untuk remove secrets (force push with caution).

Koneksi ke Vault


Referensi

  1. OWASP. Application Security Verification Standard (ASVS) 4.0. https://owasp.org/www-project-application-security-verification-standard/
  2. OWASP. Software Component Verification Standard (SCVS). https://owasp.org/www-project-software-component-verification-standard/
  3. Semgrep. Semgrep Documentation. https://semgrep.dev/docs/
  4. GitHub. CodeQL Documentation. https://docs.github.com/en/code-security/codeql-cli/
  5. OWASP ZAP. ZAP Getting Started. https://www.zaproxy.org/getting-started/
  6. Aqua Security. Trivy Documentation. https://trivy.dev/latest/
  7. Anchore. Syft & Grype Documentation. https://github.com/anchore/syft
  8. Gitleaks. Gitleaks Documentation. https://gitleaks.io/
  9. Bridgecrew/Prisma Cloud. Checkov Documentation. https://www.checkov.io/
  10. Sigstore. Cosign Documentation. https://docs.sigstore.dev/cosign/overview/
  11. OpenSSF. SLSA Framework. https://slsa.dev/
  12. OWASP. CycloneDX SBOM Standard. https://cyclonedx.org/
  13. SPDX. SPDX Specification. https://spdx.dev/
  14. US Executive Order 14028. Improving the Nation’s Cybersecurity. 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
  15. CISA. Software Bill of Materials. https://www.cisa.gov/sbom
  16. OpenSSF. Scorecard. https://securityscorecards.dev/
  17. Sonatype. 2024 State of the Software Supply Chain. https://www.sonatype.com/state-of-the-software-supply-chain
  18. Snyk. 2024 Open Source Security Report. https://snyk.io/reports/
  19. GitGuardian. 2024 State of Secrets Sprawl. https://www.gitguardian.com/report
  20. Contrast Security. IAST vs SAST vs DAST. https://www.contrastsecurity.com/knowledge-hub/what-is-iast

Bottom Line

DevSecOps bukan tentang tool β€” ini tentang shift-left mindset yang diotomatisasi. Tool tanpa proses hanya menghasilkan noise; proses tanpa tool hanya menghasilkan bottleneck. Kunci sukses: (1) Pipeline gate berbasis severity β€” hanya CRITICAL/HIGH yang block, sisanya informasional. (2) False positive management β€” baseline + suppression agar developer tidak lelah. (3) SBOM + Signing sebagai syarat deploy ke production. (4) Emergency pipeline untuk zero-day seperti Log4j β€” auto-bump + rebuild + deploy dalam <1 jam. Mulai dari pre-commit gitleaks dan SCA β€” dua langkah dengan ROI tertinggi di DevSecOps.