Date: February 17, 2026
Author: Karan Patel, CEO

Security has historically been bolted onto software after the fact, a costly habit that modern engineering teams can no longer afford. DevSecOps changes that by embedding security controls directly into the CI/CD pipeline, shifting vulnerability detection left and keeping it there throughout the software lifecycle. But "shift left" is only meaningful when you have the right tools in the right places.

This guide walks through the complete DevSecOps tool stack for 2026: what each layer does, which tools are best suited for production environments, and how to wire them together with real commands and configuration examples. If your team is building or refining a secure development program, the practitioners at Redfox Cybersecurity can help you tailor this stack to your specific threat model and compliance requirements.

Why the DevSecOps Tool Stack Matters More in 2026

Supply chain attacks, AI-generated code introducing subtle logic flaws, and the proliferation of container workloads have all raised the stakes for development security. According to industry reporting, the average time to exploit a known vulnerability after public disclosure has dropped below five days in many categories. That window is shorter than most quarterly patching cycles.

A mature DevSecOps stack does not rely on a single scanner or a periodic penetration test. It creates overlapping, automated security checkpoints across every stage: code commit, build, artifact creation, deployment, and runtime.

The Seven Layers of a Production DevSecOps Stack

1. Pre-Commit: Secrets Detection and Policy Gates

Before code ever touches a remote repository, pre-commit hooks can block the most common developer mistakes: hardcoded credentials, private keys, and high-entropy strings that indicate secrets.

Gitleaks is the standard for this layer. It scans staged changes and full repository history.

# Install Gitleaks
brew install gitleaks

# Scan the current repo for secrets in full history
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Run as a pre-commit hook (add to .pre-commit-config.yaml). The hook only scans
# the staged changes (gitleaks protect --staged), so it is fast enough for every commit.
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks

detect-secrets from Yelp offers a complementary baseline approach, storing a snapshot of known false positives so developers do not chase noise.

pip install detect-secrets

# Generate a baseline
detect-secrets scan > .secrets.baseline

# Audit the baseline interactively
detect-secrets audit .secrets.baseline

Pair these tools with a .gitleaks.toml allowlist for test fixtures and documentation examples to reduce false-positive fatigue across the team.
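
To make concrete what this layer actually checks, here is an added example (not Gitleaks or detect-secrets code) of a minimal pre-commit hook in Python. It walks the staged unified diff and applies the two signals these scanners rely on: known credential shapes (the public AKIA prefix and length of AWS access key IDs, a keyword-assignment pattern) and Shannon entropy on long tokens, with a path allowlist that plays the role of the .gitleaks.toml allowlist for test fixtures. The diff, the allowlisted paths and the 4.0 bits-per-character threshold are constructed assumptions for the example.

```python
import math
import re
import sys
from dataclasses import dataclass

# Credential formats; a tiny subset of what Gitleaks ships as rules.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-assignment": re.compile(
        r"(?i)(secret|password|token|api_key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Long runs of base64/hex-looking characters are entropy candidates.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed value, tune per repository
# Paths allowed to contain secret-looking fixtures (assumed for the example).
ALLOWLIST_PATHS = ("tests/fixtures/", "docs/examples/")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_added_lines(diff: str, allowlist=ALLOWLIST_PATHS) -> list:
    """Report secrets in the '+' lines of a unified diff, i.e. what the commit adds.
    Line numbers follow the hunk headers so a finding points at the new file's line."""
    findings = []
    path, line_no = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue                       # removed lines do not exist in the new file
        line_no += 1
        if not raw.startswith("+") or any(path.startswith(p) for p in allowlist):
            continue
        line = raw[1:]
        for name, pattern in KNOWN_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()))
                break
        else:                              # no known shape matched: fall back to entropy
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, line_no, "high-entropy", token))
                    break
    return findings


# Constructed diff: two secrets and one encoded key in src/, plus an allowlisted
# fixture that must not be reported. The AKIA value is AWS's documentation example.
SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -1,2 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-staging-only"
+SIGNING_KEY = "c3VwZXJzZWNyZXRzaWduaW5na2V5MTIzNDU2Nzg5MA=="
 DEBUG = False
diff --git a/tests/fixtures/keys.py b/tests/fixtures/keys.py
--- a/tests/fixtures/keys.py
+++ b/tests/fixtures/keys.py
@@ -0,0 +1 @@
+TEST_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached | python secret_hook.py   (exit 1 blocks the commit)
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_added_lines(diff_text)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
    sys.exit(1 if hits else 0)
```

Two design points carry over to the real tools: scanning only added lines keeps the hook fast and stops it re-reporting history on every commit (history is what gitleaks detect is for), and the allowlist is keyed on path rather than on value, so a fixture can be exempted without also exempting that string everywhere in the repository.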

2. SAST: Static Application Security Testing

Static analysis examines source code without executing it, catching injection flaws, insecure deserialization, path traversal, and hundreds of other vulnerability classes at the speed of a build step.

Semgrep has become the practitioner's choice for SAST in 2026. It is fast, rule-based, and supports custom patterns written in a readable YAML syntax.

# Install Semgrep
pip install semgrep

# Run the OWASP Top 10 ruleset against a Python project
semgrep --config "p/owasp-top-ten" --output results.sarif --sarif .

# Write a custom rule to detect hardcoded JWT secrets. The string-literal pattern
# "..." only matches a literal, so a lookup such as os.environ["JWT_SECRET"] does not
# match; constant propagation is on by default, so key = "..."; jwt.encode(p, key)
# in the same function is still caught.
cat > jwt-hardcoded.yaml << 'EOF'
rules:
  - id: hardcoded-jwt-secret
    pattern: jwt.encode($PAYLOAD, "...", ...)
    message: "Hardcoded JWT secret detected. Load the signing key from the environment or a secret manager."
    languages: [python]
    severity: ERROR
EOF

semgrep --config jwt-hardcoded.yaml src/

For Java and other JVM languages, SpotBugs with the Find Security Bugs plugin covers JVM-specific vulnerability patterns (it does not analyze C#; Semgrep supports C# directly). For Go, gosec integrates natively:

# Install and run gosec
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec -fmt=sarif -out=gosec-results.sarif ./...

Integrating SAST output into GitHub Actions using the SARIF format allows findings to appear directly in pull request reviews, which is where developers are most receptive to fixing them.

# .github/workflows/sast.yml
name: SAST Scan
on: [pull_request]

# upload-sarif needs security-events: write; grant nothing else to the job.
permissions:
  contents: read
  security-events: write

jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        run: |
          pip install semgrep
          # --error makes Semgrep exit 1 when it has findings, which is the gate
          semgrep --config "p/owasp-top-ten" --sarif --output semgrep.sarif --error .
      - name: Upload SARIF
        if: always()   # publish the findings even when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

3. SCA: Software Composition Analysis

Modern applications are largely composed of open-source dependencies. SCA tools track those dependencies, identify known CVEs, and flag license risks before they reach production.

OWASP Dependency-Check remains a reliable open-source option for Java, .NET, Python, and Node.js projects:

# Run Dependency-Check against a Maven project
dependency-check.sh \
 --project "my-app" \
 --scan ./target \
 --format JSON \
 --out ./reports \
 --nvdApiKey $NVD_API_KEY

Trivy from Aqua Security has emerged as a preferred all-in-one scanner that covers OS packages, language dependencies, container images, and IaC files in a single binary:

# Scan a container image for vulnerabilities
trivy image --severity HIGH,CRITICAL --format json \
 --output trivy-report.json \
 myregistry.io/myapp:latest

# Scan a filesystem for dependency vulnerabilities
trivy fs --scanners vuln,secret,misconfig .

# Filter to only fixable CVEs
trivy image --ignore-unfixed myregistry.io/myapp:latest

For teams using GitHub, Dependabot automates dependency update pull requests. For GitLab, the native Dependency Scanning CI template handles the same function. Neither replaces a dedicated SCA tool for audit reporting, but both reduce mean time to patch.

4. Container and Image Security

If your application ships in containers, the image itself is an attack surface. Misconfigured base images, running as root, exposed ports, and outdated system packages are all common findings.

Grype from Anchore scans container images and SBOMs (Software Bill of Materials) with a clean CLI output and SARIF support:

# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Scan a local image
grype myapp:latest --output json > grype-results.json

# Generate and scan an SBOM (using Syft)
syft myapp:latest -o spdx-json > sbom.spdx.json
grype sbom:./sbom.spdx.json

Hadolint lints Dockerfiles against best practices and CIS benchmarks:

# Lint a Dockerfile
hadolint Dockerfile

# Example findings it catches:
# DL3008: Pin versions in apt-get install
# DL3009: Delete apt-get lists after install
# SC2086: Quote shell variables to prevent word splitting

Dockle goes further by checking the built image against CIS Docker Benchmark controls:

dockle --exit-code 1 --exit-level warn myapp:latest

For teams building production Kubernetes workloads, if you are not already running Kyverno or OPA/Gatekeeper admission controllers to enforce image signing and restrict privileged containers, the Redfox Cybersecurity team can help you design and deploy a policy-as-code framework that matches your cluster configuration.

5. Infrastructure as Code (IaC) Security

Terraform, Pulumi, Helm charts, and Kubernetes manifests are now code. They carry the same security risks as application code and deserve the same automated scanning.

Checkov from Bridgecrew (Prisma Cloud) is the most comprehensive open-source IaC scanner, covering Terraform, CloudFormation, Kubernetes, Helm, ARM templates, and more:

# Install Checkov
pip install checkov

# Scan a Terraform directory
checkov -d ./infrastructure/terraform \
 --framework terraform \
 --output cli \
 --output sarif \
 --output-file-path ./reports

# Scan a Kubernetes manifest
checkov -f k8s/deployment.yaml --framework kubernetes

# Suppress a specific check with a comment placed inside the Terraform resource block it applies to
# checkov:skip=CKV_AWS_18:Access logging enabled via separate module

Terrascan supports policy-as-code written in Rego and integrates with Atlantis for pull-request-based Terraform workflows:

terrascan scan -t aws -i terraform -d ./infra \
 --output json > terrascan-output.json

KICS (Keeping Infrastructure as Code Secure) from Checkmarx covers an unusually broad range of IaC formats and is particularly strong on Ansible and Docker Compose:

# -o is the report directory (results.json lands inside it); --report-formats selects the format
docker run -v "$(pwd)":/path checkmarx/kics:latest scan \
  -p /path/ansible-playbooks \
  -o /path/kics-results \
  --report-formats json

6. DAST and API Security Testing

Dynamic Application Security Testing runs against a live application or API. It catches vulnerabilities that only manifest at runtime, such as authentication bypasses, SSRF, and broken object-level authorization (BOLA), which SAST consistently misses.

ZAP (formerly OWASP ZAP, now maintained outside OWASP) remains the reference DAST tool for web applications. Its automation framework makes it CI/CD-ready:

# Run a ZAP baseline scan (spider plus passive checks, no active attacks) against a staging URL
docker run -v "$(pwd)":/zap/wrk/:rw \
  ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://staging.myapp.io \
  -r zap-report.html \
  -J zap-report.json \
  -l WARN

For API-first applications, Nuclei from ProjectDiscovery has become the tool of choice for running authenticated, template-driven scans against REST and GraphQL endpoints:

# Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan an API with authentication and specific tags
nuclei -u https://api.myapp.io \
 -H "Authorization: Bearer $API_TOKEN" \
 -tags api,owasp,auth \
 -severity high,critical \
 -json-export nuclei-api-results.json

42Crunch provides OpenAPI-native security testing and is worth evaluating if your team maintains a large API surface with formal OpenAPI specifications.

7. Runtime Security and Threat Detection

The last layer protects applications after they are deployed. Runtime security tools detect anomalous behavior, block exploits in progress, and generate forensic signals for incident response.

Falco is the CNCF-graduated standard for Kubernetes runtime threat detection. It monitors system calls and Kubernetes audit logs against a rule engine:

# Custom Falco rule: detect crypto mining indicators.
# The rule references a list, so the list must be defined in the same rules file;
# the names below are common miner executables, extend them for your environment.
# Load the file with falco -r, or through the Helm chart's customRules value.
- list: miner_binaries
  items: [xmrig, minerd, cpuminer, cgminer, bfgminer, ethminer]

# spawned_process is a macro shipped with Falco's default rules (process execution).
- rule: Crypto Mining Process Launched
  desc: Detect processes commonly associated with cryptocurrency mining
  condition: >
    spawned_process and
    (proc.name in (miner_binaries) or
     proc.cmdline contains "stratum+tcp" or
     proc.cmdline contains "xmrig")
  output: >
    Crypto mining binary detected
    (user=%user.name command=%proc.cmdline container=%container.id)
  priority: CRITICAL
  tags: [host, container, mitre_execution]

Deploy Falco with the Helm chart and forward alerts to your SIEM:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.slack.webhookurl="$SLACK_WEBHOOK" \
  --set falcosidekick.config.webhook.address=https://siem.myorg.io/falco

Tetragon from Cilium extends Kubernetes security observability to the kernel level using eBPF, enforcing policies without requiring a sidecar:

# Install Tetragon via Helm
helm repo add cilium https://helm.cilium.io
helm install tetragon cilium/tetragon -n kube-system

# Monitor process execution events in real time
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
 tetra getevents -o compact --pods my-app-pod

For web application runtime protection, OpenWAF and cloud-native WAF solutions (AWS WAF, Cloudflare WAF) sit in front of application load balancers and block known exploit patterns at the network edge, complementing the eBPF-level visibility that Tetragon provides inside the cluster.

Wiring It All Together: Pipeline Integration Patterns

A tool stack only delivers value when it is consistently enforced. The following patterns help teams avoid the common failure mode of running scans that no one reviews.

Fail the build on critical findings. SAST, SCA, and IaC scans should return non-zero exit codes on CRITICAL or HIGH findings, blocking merge until they are resolved or explicitly acknowledged with a suppression comment and a tracking issue.
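
What "fail on critical findings, but allow an acknowledged suppression" looks like as a pipeline step, as an added example (not the code of any scanner or dashboard mentioned here): a Python gate that flattens a Trivy JSON report and a SARIF log (the shape Semgrep, gosec and Checkov emit) into one list, drops suppressions that lack a tracking issue or have expired, and returns exit code 1 when anything of blocking severity remains. The reports, package names, CVE-0000-* identifiers and the suppression file format are constructed placeholders, not real advisories.

```python
import json
import sys
from dataclasses import dataclass
from datetime import date

FAIL_ON = ("CRITICAL", "HIGH")                        # severities that block a merge
SARIF_LEVELS = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}
EXAMPLE_TODAY = date(2026, 2, 17)                     # fixed date so the sample is reproducible


@dataclass(frozen=True)
class Finding:
    source: str     # "trivy" or "sarif"
    ident: str      # CVE id or SARIF rule id
    severity: str
    where: str


def from_trivy(report: dict) -> list:
    """Flatten a Trivy JSON report (trivy image/fs --format json)."""
    out = []
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            out.append(Finding("trivy", v["VulnerabilityID"], v["Severity"].upper(),
                               f"{res['Target']}:{v['PkgName']}@{v['InstalledVersion']}"))
    return out


def from_sarif(report: dict) -> list:
    """Flatten a SARIF 2.1.0 log; level maps onto the same severity scale as Trivy."""
    out = []
    for run in report.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            sev = SARIF_LEVELS.get(r.get("level", "warning"), "MEDIUM")
            out.append(Finding("sarif", r["ruleId"], sev, f"{uri}:{line}"))
    return out


def gate(findings, suppressions, today: date, fail_on=FAIL_ON):
    """Split blocking-severity findings into (blocking, suppressed).
    A suppression only counts if it names a tracking issue and has not expired,
    so a finding can be neither snoozed silently nor snoozed forever."""
    active = {s["id"] for s in suppressions
              if s.get("issue") and date.fromisoformat(s["expires"]) >= today}
    blocking, suppressed = [], []
    for f in findings:
        if f.severity in fail_on:
            (suppressed if f.ident in active else blocking).append(f)
    return blocking, suppressed


def run_gate(trivy: dict, sarif: dict, suppressions: list, today: date) -> int:
    """Print a summary and return the process exit code (1 blocks the merge)."""
    blocking, suppressed = gate(from_trivy(trivy) + from_sarif(sarif), suppressions, today)
    for f in suppressed:
        print(f"SUPPRESSED {f.ident:<24} {f.severity:<8} {f.where}")
    for f in blocking:
        print(f"BLOCKING   {f.ident:<24} {f.severity:<8} {f.where}")
    return 1 if blocking else 0


# Constructed inputs: placeholder CVE ids, package names and rule ids.
SAMPLE_TRIVY = {"Results": [{"Target": "myapp:latest (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "jsonparse", "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlibx", "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "MEDIUM"},
]}]}
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "semgrep"}}, "results": [
    {"ruleId": "hardcoded-jwt-secret", "level": "error", "message": {"text": "Hardcoded JWT secret"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash-md5", "level": "warning", "message": {"text": "MD5 in use"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"}, "region": {"startLine": 7}}}]},
]}]}
SAMPLE_SUPPRESSIONS = [
    {"id": "CVE-0000-0002", "issue": "SEC-142", "expires": "2026-03-31", "reason": "no fix; code path unreachable"},
    {"id": "CVE-0000-0001", "issue": "SEC-101", "expires": "2025-12-31", "reason": "expired snooze, blocks again"},
]

if __name__ == "__main__":
    # Usage: python gate.py trivy-report.json semgrep.sarif suppressions.json
    if len(sys.argv) == 4:
        trivy, sarif, sup = (json.load(open(p)) for p in sys.argv[1:4])
    else:
        trivy, sarif, sup = SAMPLE_TRIVY, SAMPLE_SARIF, SAMPLE_SUPPRESSIONS
    sys.exit(run_gate(trivy, sarif, sup, date.today()))
```

On the sample data the CRITICAL finding blocks because its suppression expired, the HIGH finding is suppressed against an open issue, the MEDIUM findings are reported but do not gate, and the Semgrep error-level rule blocks: exit code 1. Put the suppression file under code review like any other change so an acknowledgment is visible in the pull request rather than hidden in scanner configuration.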

Centralize findings in a security dashboard. Tools like DefectDojo aggregate SARIF, JSON, and XML output from every scanner into a single deduplicated findings database with SLA tracking. This is particularly important for compliance reporting under SOC 2, ISO 27001, and PCI DSS frameworks.

Use SBOM generation as a build artifact. Every container image that ships to production should have an associated SBOM generated by Syft and stored alongside the image in the registry. This gives you a queryable inventory when a new CVE drops.

# Sign the image (keyless mode: Cosign gets a short-lived certificate from Fulcio
# for the CI job's OIDC identity and logs the signature in Rekor), then generate
# the SBOM and attach it as an in-toto attestation. Prefer the image digest over a
# mutable tag so the attestation binds to exactly what was scanned.
cosign sign --yes myregistry.io/myapp:latest

syft myregistry.io/myapp:latest -o spdx-json > sbom.spdx.json

cosign attest --yes --predicate sbom.spdx.json \
  --type spdxjson \
  myregistry.io/myapp:latest
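
The "queryable inventory" only pays off if you can actually ask it a question the day an advisory lands. As an added example (not Syft or Grype code), the script below reads an SPDX JSON SBOM of the shape Syft emits, where each package carries a purl under externalRefs, and answers "which shipped packages fall inside this affected version range" using the OSV convention introduced <= version < fixed. The SBOM is constructed; the version ordering is a crude numeric split that is good enough to show the idea but is an assumption, so a production query should use the ecosystem's own comparator.

```python
import json
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    name: str
    version: str
    purl: str


_PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<rest>[^@?#]+)(?:@(?P<version>[^?#]+))?")


def parse_purl(purl: str):
    """Return (type, name, version); the namespace stays in the name.
    pkg:deb/debian/openssl@3.0.11-1?arch=amd64 -> ('deb', 'debian/openssl', '3.0.11-1')"""
    m = _PURL_RE.match(purl)
    return (m.group("type"), m.group("rest"), m.group("version")) if m else None


def version_key(v: str) -> tuple:
    """Crude ordering: split on . - ~ +, numeric parts compare as ints and sort
    before non-numeric parts. Assumed sufficient for the sample data only."""
    parts = re.split(r"[.\-~+]", v.lstrip("v"))
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def packages(sbom: dict):
    """Yield (name, version, purl) for every SPDX package that carries a purl."""
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield pkg.get("name", ""), pkg.get("versionInfo", ""), ref["referenceLocator"]


def affected(sbom: dict, purl_type: str, name: str, introduced: str, fixed=None) -> list:
    """Packages of the given purl type and name with introduced <= version < fixed.
    fixed=None means no fix exists yet, so every version from introduced on is affected."""
    lo = version_key(introduced)
    hi = version_key(fixed) if fixed else None
    hits = []
    for pname, pver, purl in packages(sbom):
        parsed = parse_purl(purl)
        if not parsed:
            continue
        ptype, pkg_name, purl_ver = parsed
        if ptype != purl_type or not (pkg_name == name or pkg_name.rsplit("/", 1)[-1] == name):
            continue
        ver = purl_ver or pver
        k = version_key(ver)
        if k >= lo and (hi is None or k < hi):
            hits.append(Hit(pname, ver, purl))
    return hits


def _pkg(name, version, purl):
    return {"name": name, "SPDXID": f"SPDXRef-Package-{name.replace('/', '-')}", "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}


# Constructed SBOM: four packages across three ecosystems.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "myapp:latest",
    "packages": [
        _pkg("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
        _pkg("urllib3", "1.26.5", "pkg:pypi/urllib3@1.26.5"),
        _pkg("openssl", "3.0.11-1", "pkg:deb/debian/openssl@3.0.11-1?arch=amd64&distro=debian-12"),
        _pkg("golang.org/x/crypto", "v0.17.0", "pkg:golang/golang.org/x/crypto@v0.17.0"),
    ],
}

if __name__ == "__main__":
    # Usage: python sbom_query.py sbom.spdx.json pypi urllib3 1.26.0 1.26.6
    if len(sys.argv) >= 5:
        with open(sys.argv[1]) as fh:
            sbom = json.load(fh)
        args = sys.argv[2:6]
    else:
        sbom, args = SAMPLE_SBOM, ["pypi", "urllib3", "1.26.0", "1.26.6"]
    for h in affected(sbom, *args) if len(args) == 4 else affected(sbom, *args, None):
        print(f"AFFECTED {h.name} {h.version} ({h.purl})")
```

Run this over every SBOM stored in the registry (one per shipped image) and you have the answer to "where are we exposed" in seconds, without rescanning images. The deb and golang cases show why the version comparator matters: Debian revisions carry a -1 suffix and Go modules a v prefix, both of which a naive string comparison gets wrong.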

Enforce image signing. Cosign from the Sigstore project provides keyless or key-based image signing that can be verified by Kyverno admission policies before any workload is scheduled in the cluster.
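
As an added example of the admission policy described here and in the container section above (it is not a policy from the page's author, Kyverno or Sigstore), the following Kyverno ClusterPolicy refuses any Pod whose myapp image does not carry a keyless Cosign signature and an SPDX SBOM attestation from the release workflow, and separately refuses privileged containers. The image reference, GitHub repository, workflow path and issuer are assumptions; replace them with the identity your own release job signs under.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-myapp-images
spec:
  validationFailureAction: Enforce   # start with Audit, flip to Enforce once clean
  background: false
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: admit myapp images only with a valid keyless signature AND an
    # SBOM attestation (the predicate type cosign attest --type spdxjson writes).
    - name: verify-signature-and-sbom
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "myregistry.io/myapp*"      # assumed image reference
          required: true
          attestors:
            - entries:
                - keyless:
                    # Assumed identity: the release workflow of the assumed repository.
                    subject: "https://github.com/myorg/myapp/.github/workflows/release.yml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            - type: https://spdx.dev/Document
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/myorg/myapp/.github/workflows/release.yml@refs/heads/main"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
    # Rule 2: no privileged containers, whatever the image.
    - name: disallow-privileged
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Before enforcing, confirm the identity from the CLI with the same values: cosign verify --certificate-identity <subject> --certificate-oidc-issuer https://token.actions.githubusercontent.com myregistry.io/myapp:latest, and cosign verify-attestation --type spdxjson with the same two flags. If those fail, the admission policy will reject every deployment, which is the intended failure mode but an unpleasant way to find a typo in the subject.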

Key Takeaways

Building a mature DevSecOps stack in 2026 is not about buying a single platform. It is about assembling the right tools at each pipeline stage, integrating their output into developer workflows, and using the data they generate to drive measurable security improvements over time.

The seven-layer stack covered here, from pre-commit secrets detection through runtime threat response, gives teams overlapping coverage that no single tool can match. Each layer catches a different class of vulnerability, and each integration point reduces the cost of remediation by surfacing findings earlier.

For organizations that want expert guidance on designing, deploying, or red-teaming a DevSecOps pipeline, the security engineers at Redfox Cybersecurity work with development teams across regulated industries to build programs that hold up under real-world attack conditions.
