DevSecOps: tools to shift left
A March 29 thread lays out a practical DevSecOps stack for shifting security left — Gitleaks, Semgrep, Snyk, Trivy plus policy engines like OPA or Kyverno for commits, builds, deploys and prod. (x.com) The post frames these tools as pipeline primitives for automated security gating in modern CI/CD. (x.com)
Trivy — one of the scanners named in the March 29 stack — was the subject of a supply‑chain compromise on March 19, 2026 when attackers force‑pushed 75 of 76 tags in aquasecurity/trivy-action, turning the GitHub Action into a credential‑stealing vector. (snyk.io) Security responders advised immediate remediation after the March 19 window: pin Actions to immutable commit SHAs, rotate any CI/CD secrets that ran affected tags, inspect workflow logs for outbound connections, and verify artifacts via signature/transparency checks such as cosign/Rekor. (microsoft.com)

Gitleaks — the secret scanner in the suggested stack — is an actively maintained open‑source project with tens of thousands of stars on GitHub and explicit support for pre‑commit hooks and CI integration to catch hardcoded secrets at the commit stage. (github.com)

Semgrep’s documentation shows it’s commonly run in CI/pull‑request jobs to provide fast, customizable SAST feedback (diff‑aware PR scans and a rules registry are core features), making it a practical tool for shifting code checks into pre‑merge workflows. (semgrep.dev)

Snyk’s platform is built to operate in pull‑request and CI pipelines for software composition analysis and IaC scanning — its GitHub Actions and PR checks automate dependency and infrastructure scanning and can open auto‑fix PRs when issues are found. (docs.snyk.io)

For deploy‑time gating, organizations cited OPA (via Gatekeeper) and Kyverno as production admission controllers that enforce policy as code inside Kubernetes clusters, and several end‑to‑end community repos combine Gitleaks, Semgrep, Snyk, Trivy and policy engines to demonstrate a “commit→build→deploy→prod” enforcement pipeline. (openpolicyagent.org) (kyverno.io) (github.com)
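As an added example (not from the thread or from any of the projects named above), a small Python check for the "pin Actions to immutable commit SHAs" remediation step: it scans a workflow file's `uses:` references and reports those that resolve through a movable tag or branch instead of a full 40‑hex commit SHA, which is exactly the kind of reference a tag force‑push can repoint. The sample workflow and its all‑zero SHA are constructed placeholders.

```python
import re

# A `uses:` step or reusable-workflow reference: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
# A full-length commit SHA; tags and branches can be moved, a commit hash cannot
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list:
    """Return every `uses:` reference that is not pinned to a 40-hex commit SHA.

    Local actions (./path) and docker:// images are outside this check and skipped.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)          # no ref at all: floats to the default branch
            continue
        _action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)          # tag or branch ref: can be force-pushed
    return unpinned


# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - name: Secret scan
        uses: gitleaks/gitleaks-action@v2
      - name: Container scan
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

Run it over `.github/workflows/*.yml` in CI and fail the job when the list is non‑empty; the checkout step passes because its ref is a commit hash, while the two tag/branch refs are reported.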