DevSecOps checklist

A compact CI/CD security playbook is trending: pre‑commit SAST/SCA, container image scans, runtime policy enforcement with OPA/Kyverno, plus CSPM/CWPP for cloud posture, essentially 'security as code' for pipelines (x.com). This is practical for embedding security gates early and automating remediation in your Apple‑targeted build/test flows (x.com).

GitLab’s 2023 Global DevSecOps report, based on a survey of 5,010 IT leaders, documents the industry move to “shift left” security into CI/CD workflows. (about.gitlab.com)

Recent pipeline checklists name concrete tooling for early gates: Semgrep for SAST, Gitleaks or TruffleHog for secret scanning, and Snyk or other SCA tools integrated at PR time. (stagefoursecurity.com) Build-stage controls commonly pair Trivy vulnerability scans with Cosign/Sigstore signing for image provenance, and platform docs recommend running container scans in the build step before the registry push. (hazetec.com)

Policy-as-code is moving into runtime: Open Policy Agent remains a CNCF‑graduated policy engine, and Kyverno provides Kubernetes-native YAML policies for admission control. (openpolicyagent.org) Production examples show scale: Wayfair reported operating roughly 56 Kyverno validating rules and about 20 mutate policies across its multi‑tenant clusters to enforce platform guardrails. (z5capital.com)

Cloud posture and workload protection are consolidating into CNAPP stacks as budgets rise; ResearchAndMarkets estimated the CSPM market at about USD 7 billion in 2025, while vendor guidance stresses integrating CSPM/CWPP with CI/CD. (researchandmarkets.com)

Apple-targeted pipelines carry additional operational requirements. Xcode Cloud is Apple’s managed CI service for building, testing and distributing Apple platform apps, and notarization rules changed on November 1, 2023, when Apple stopped accepting uploads from altool or Xcode 13 and earlier. (developer.apple.com) CI/CD for macOS also demands correct code‑signing artifacts in the pipeline: projects typically must provision an Apple Distribution certificate plus a 3rd‑Party Mac Developer Installer certificate for successful signing and notarization in automated flows. (msicc.net)

Orchestration guidance for these gates emphasizes sequencing and signal quality: run fast pre‑commit checks, block on exploitable high‑severity findings, and route lower‑risk issues into automated remediation so platform velocity is preserved. (devops-daily.com)
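As an added illustration of the sequencing guidance above (example code, not from any of the cited sources), the script below triages a Trivy JSON scan report into pipeline outcomes: CRITICAL/HIGH findings fail the build before the registry push, lower-severity findings that have a FixedVersion are queued for automated remediation, and the rest are only recorded. The report content and vulnerability IDs are constructed placeholders, and the severity-to-action mapping is an assumed policy, not Trivy's own.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in Trivy's JSON report layout; the IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [{
        "Target": "registry.example/app:1.2.3 (alpine 3.18)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
             "InstalledVersion": "3.0.1-r0", "FixedVersion": "3.0.2-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib",
             "InstalledVersion": "1.2.12-r0", "FixedVersion": "1.2.13-r0", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
             "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
})

# Assumed gate policy: these severities fail the build outright.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def triage(report_json: str) -> Dict[str, List[dict]]:
    """Sort Trivy findings into 'block', 'remediate' (fix available) and 'accept' buckets."""
    report = json.loads(report_json)
    buckets: Dict[str, List[dict]] = {"block": [], "remediate": [], "accept": []}
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            entry = {"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                     "installed": vuln.get("InstalledVersion", ""),
                     "fix": vuln.get("FixedVersion", ""), "severity": vuln["Severity"]}
            if entry["severity"] in BLOCKING_SEVERITIES:
                buckets["block"].append(entry)          # fail the pipeline before push
            elif entry["fix"]:
                buckets["remediate"].append(entry)      # hand to an automated dependency bump
            else:
                buckets["accept"].append(entry)         # no fix yet: record for tracking
    return buckets


def gate_exit_code(buckets: Dict[str, List[dict]]) -> int:
    """Non-zero exit code makes the CI step fail and stops the registry push."""
    return 1 if buckets["block"] else 0


if __name__ == "__main__":
    # Usage: trivy image --format json -o report.json <image> && python gate.py report.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = triage(data)
    for bucket, entries in result.items():
        print(f"{bucket}: {[e['id'] for e in entries]}")
    sys.exit(gate_exit_code(result))
```

Trivy can enforce the blocking half on its own with `--exit-code 1 --severity HIGH,CRITICAL`; the routing of lower-risk fixable findings to remediation is the extra step this script adds.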
