Overview

Security as Code is a fundamental part of DevSecOps. It involves treating security configurations, firewall rules, and vulnerability scans as code that can be versioned, tested, and deployed alongside the application.

Key Practices

  • SAST/DAST Integration: Running static (SAST) and dynamic (DAST) application security scans in the CI/CD pipeline so every build is checked before it ships.
  • Secret Management: Using code-based tools (like HashiCorp Vault) to manage credentials.
  • Infrastructure Hardening: Using IaC to ensure servers are configured securely by default.
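
The following is an added example (not from the original page) of the "firewall rules as code" idea above: a constructed, hypothetical ruleset kept as data and an audit function that a CI job can run as a test and fail the pipeline on. The rule names, ports and source ranges are invented for illustration.

```python
"""Security as Code: a versioned firewall ruleset audited before deployment."""
import ipaddress
import sys

# Constructed sample ruleset for a hypothetical service. In a real pipeline this
# would be loaded from the versioned file (e.g. firewall.yaml) that is deployed.
RULES = [
    {"name": "web-https", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"name": "bastion-ssh", "proto": "tcp", "port": 22, "src": "10.0.0.0/8"},
    {"name": "legacy-ssh", "proto": "tcp", "port": 22, "src": "0.0.0.0/0"},
    {"name": "db-any", "proto": "tcp", "port": "any", "src": "10.1.0.0/16"},
]

# Remote-administration ports that must never be reachable from everywhere.
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM http/https


def audit_rules(rules):
    """Return a list of (rule name, reason) findings; an empty list means pass.

    Policy encoded here (assumed for the example):
      1. a source range must parse as a CIDR block;
      2. no rule may open every port, regardless of source;
      3. admin ports may not be exposed to the whole Internet (0.0.0.0/0).
    """
    findings = []
    for rule in rules:
        try:
            src = ipaddress.ip_network(rule["src"], strict=False)
        except ValueError:
            findings.append((rule["name"], f"invalid source {rule['src']}"))
            continue
        world_open = src.prefixlen == 0  # 0.0.0.0/0 or ::/0
        port = rule["port"]
        if port == "any":
            findings.append((rule["name"], "allows every port"))
        elif world_open and port in ADMIN_PORTS:
            findings.append((rule["name"], f"admin port {port} open to the world"))
    return findings


if __name__ == "__main__":
    # Non-zero exit makes the CI stage fail, blocking the deployment.
    problems = audit_rules(RULES)
    for name, reason in problems:
        print(f"FAIL {name}: {reason}")
    sys.exit(1 if problems else 0)
```

Run as a pipeline step, the script rejects the ruleset above because of the two offending rules, while the same check passes once they are fixed in the versioned file.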

Benefits

  • Shift Left: Catch security issues early in the development cycle.
  • Consistency: Ensure security best practices are applied to every deployment.
  • Scalability: Manage security for hundreds of services through automation.

Related Terms