Executive Summary

DevSecOps is not just a philosophy — it’s commands, configurations, and automation embedded into CI/CD pipelines. This hands-on CyberDudeBivash training guide walks from basic setup to advanced configurations, covering GitLab, Jenkins, GitHub Actions, Kubernetes, Docker, HashiCorp Vault, Snyk, Aqua Security, and Trivy with real command examples.

This training empowers security engineers, DevOps professionals, and developers to implement security-as-code with confidence.

1. Environment Setup

Install Essential CLI Tools

# Install Docker
sudo apt-get install docker.io -y

# Install kubectl
curl -LO "https://dl.k8s.io/release/$(curl -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl && sudo mv kubectl /usr/local/bin/

# Install Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# Install Trivy for container scanning
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install trivy

2. GitLab/GitHub CI/CD Security Integration

Example: SAST + Snyk in GitLab CI/CD

.gitlab-ci.yml

stages:
  - build
  - test
  - security

sast:
  stage: security
  image: docker:latest
  script:
    - snyk test
  allow_failure: false

Example: Secrets Scanning with GitHub Actions

.github/workflows/secrets-scan.yml

name: Secrets Scan
on: [push]
jobs:
  secret_scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: GitGuardian/ggshield-action@master
        with:
          api_key: ${{ secrets.GITGUARDIAN_API_KEY }}

3. Container & Kubernetes Security

Trivy Container Scan

trivy image myapp:latest

Aqua Security Runtime Agent (K8s YAML)

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: aqua-agent
  namespace: aqua
spec:
  template:
    spec:
      containers:
        - name: aqua-agent
          image: registry.aquasec.com/agent:latest

Kubernetes Pod Security Policies (PSP)

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  runAsUser:
    rule: 'MustRunAsNonRoot'

4. Secrets Management with Vault

Store & Retrieve Secrets

# Login
vault login <TOKEN>

# Store secret
vault kv put secret/db password="CyberDudeBivashPass123"

# Retrieve secret
vault kv get secret/db

Vault Agent Injector in Kubernetes

apiVersion: v1
kind: Pod
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "app-role"
    vault.hashicorp.com/agent-inject-secret-db: "secret/db"

5. Threat Modeling & Policy as Code

Open Policy Agent (OPA) Example

policy.rego

package kubernetes.admission

deny[msg] {
  input.kind == "Pod"
  input.spec.containers[_].securityContext.privileged == true
  msg := "Privileged containers are not allowed"
}

Run:

opa eval --input pod.json --data policy.rego "data.kubernetes.admission.deny"

6. Vulnerability Management

Snyk CLI

# Scan project
snyk test

# Monitor for new vulns
snyk monitor

Qualys API Example

curl -u "username:password" -X GET "https://qualysapi.qualys.com/api/2.0/fo/asset/host/?action=list"

CyberDudeBivash Final Verdict

DevSecOps is commands + configs + automation. By embedding tools like Snyk, Vault, Aqua, Trivy, GitHub/GitLab CI/CD, and OPA, professionals achieve continuous, automated, and compliant security pipelines.

CyberDudeBivash Rule:
Automate security, or attackers will automate your breach.

#CyberDudeBivash #DevSecOps #CI_CD #Automation #GitLab #GitHubActions #Snyk #HashiCorpVault #KubernetesSecurity #Trivy #AquaSecurity #OPA