What is the principle of least privilege, and how do you apply it in CI/CD? [Intermediate]
Answer
Least privilege means every user, workload, and pipeline gets only the permissions required for its job, for only the time needed. In CI/CD, that means scoped tokens, environment-specific roles, approval gates for production, and no broad admin credentials in build systems.
Technical explanation
Pipeline identities should be separated by repository, environment, and action such as build, deploy-dev, deploy-prod, or rollback.
Secrets should be scoped and short-lived, ideally issued through OIDC or workload identity.
Permissions should be reviewed through IAM analysis, audit logs, and automated policy checks.
Hands-on example
Example: a PR build role can read dependencies and push test artifacts but cannot deploy. A staging deploy role can update only the staging namespace. A production deploy role requires a protected branch, a signed artifact, an approval, and a narrowly scoped cloud/IAM role.
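The three roles above, written as a default-deny policy table with an automated check for over-broad grants. This is an added example, not code from any particular CI system: the role names, action names, namespace names, and context flags are hypothetical, and the cloud/IAM role binding is out of scope here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    actions: frozenset                 # operations the identity may perform
    namespaces: frozenset              # targets it may touch
    requires: frozenset = frozenset()  # context flags that must all be True

# Hypothetical role table mirroring the three roles described above.
ROLES = {
    "pr-build": Role(frozenset({"read-deps", "push-test-artifact"}), frozenset({"ci"})),
    "deploy-staging": Role(frozenset({"deploy"}), frozenset({"staging"})),
    "deploy-prod": Role(frozenset({"deploy"}), frozenset({"prod"}),
                        frozenset({"protected_branch", "artifact_signed", "approved"})),
}

def authorize(role_name, action, namespace, context, roles=ROLES):
    """Default-deny decision for one pipeline step; returns (allowed, reason)."""
    role = roles.get(role_name)
    if role is None:
        return False, "unknown role"
    if action not in role.actions:
        return False, f"{role_name} may not {action}"
    if namespace not in role.namespaces:
        return False, f"{role_name} may not touch {namespace}"
    # Only an explicit True satisfies a gate; a missing flag or a string does not.
    missing = sorted(f for f in role.requires if context.get(f) is not True)
    if missing:
        return False, "unmet conditions: " + ", ".join(missing)
    return True, "ok"

def audit(roles):
    """Automated policy check: flag wildcard grants and ungated production access."""
    findings = []
    for name, role in sorted(roles.items()):
        if "*" in role.actions or "*" in role.namespaces:
            findings.append(f"{name}: wildcard grant")
        if "prod" in role.namespaces and not role.requires:
            findings.append(f"{name}: production access without gates")
    return findings

if __name__ == "__main__":
    ctx = {"protected_branch": True, "artifact_signed": True, "approved": False}
    print(authorize("pr-build", "deploy", "staging", {}))
    print(authorize("deploy-prod", "deploy", "prod", ctx))
    print(audit(ROLES))
```

Running `audit` against the role table in the pipeline's own repository turns the permission review into a failing build when someone adds a wildcard or an ungated production role.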