How would you design a secure-by-default CI/CD pipeline from scratch? [Advanced]
Answer
A secure-by-default CI/CD pipeline should start with protected source control, strong identity, fast security feedback, trusted builds, signed artifacts, policy-gated deployments, least-privilege credentials, and continuous evidence. Security should be automated into each stage rather than added as a manual release checklist.
Technical explanation
Source: branch protection on release branches, required reviews backed by CODEOWNERS, secret scanning (with push protection where available), signed commits where policy requires them, and dependency review on pull requests.
Build: ephemeral, isolated runners; SAST (static analysis), SCA (software composition analysis of dependencies), tests, container image scanning, an SBOM, build provenance, and artifact signing.
Deploy: short-lived OIDC-federated credentials instead of long-lived secrets, environment approvals, IaC policy checks, admission control, signature and provenance verification, progressive rollout, observability, and audit logging.
Hands-on example
Design: pull-request checks run tests, SAST, SCA, and secret scanning before merge. The build on main produces a container image identified by its immutable digest (not a mutable tag), generates an SBOM and build provenance, and signs the image with cosign. Promotion to a higher environment requires the quality gate to pass and an approval. Kubernetes admission control verifies, before the rollout proceeds, that the image comes from an allowed registry and is pinned by digest, that its signature and provenance verify, that the pod runs with a non-root securityContext, and that it targets an allowed namespace; a manifest that fails any check is rejected.
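The admission checks in that design, written out as an added example (not code from the original page): a small policy gate in Python that evaluates a Pod manifest the way an admission controller such as Kyverno or Gatekeeper would. The registry and namespace allowlists, the two sample manifests, and the set of "verified" digests that stands in for the result of a `cosign verify` step are constructed assumptions for this example.

```python
"""Admission-style policy gate for a Kubernetes Pod spec (added example).

Checks modelled on the hands-on design above: trusted registry, image pinned
by digest, signature/provenance verified, runAsNonRoot set, allowed namespace.
Signature verification is simulated: VERIFIED_DIGESTS stands in for digests that
a previous `cosign verify` step accepted (assumption, not a real verifier).
"""
from __future__ import annotations

import re

ALLOWED_REGISTRIES = {"registry.example.com/prod"}  # assumed allowlist
ALLOWED_NAMESPACES = {"payments", "checkout"}      # assumed allowlist

# Constructed stand-in for cosign/provenance verification results.
VERIFIED_DIGESTS = {"sha256:" + "a" * 64}

# Accepts "repo@sha256:<64 hex>" and tolerates "repo:tag@sha256:..." (the
# digest, not the tag, is what gets verified and pulled).
DIGEST_RE = re.compile(r"^(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def _repo_trusted(repo: str) -> bool:
    # Drop any ":tag" on the last path component before matching the registry path.
    repo = repo.rsplit(":", 1)[0] if ":" in repo.rsplit("/", 1)[-1] else repo
    return any(repo == r or repo.startswith(r + "/") for r in ALLOWED_REGISTRIES)


def check_pod(pod: dict) -> list[str]:
    """Return the list of policy violations; an empty list means admit."""
    violations: list[str] = []
    ns = pod.get("metadata", {}).get("namespace")
    if ns not in ALLOWED_NAMESPACES:
        violations.append(f"namespace {ns!r} is not allowed")

    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if not containers:
        violations.append("pod declares no containers")

    for c in containers:
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        m = DIGEST_RE.match(image)
        if not m:
            violations.append(f"{name}: image {image!r} is not pinned by digest")
            continue
        repo, digest = m.group("repo"), m.group("digest")
        if not _repo_trusted(repo):
            violations.append(f"{name}: registry for {repo!r} is not trusted")
        if digest not in VERIFIED_DIGESTS:
            violations.append(f"{name}: no verified signature/provenance for {digest}")
        # Container-level securityContext overrides pod-level; require an explicit true.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot is not set to true")
    return violations


def admit(pod: dict) -> bool:
    return not check_pod(pod)


# Constructed sample manifests.
GOOD_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "api", "image": "registry.example.com/prod/api@sha256:" + "a" * 64}
        ],
    },
}

BAD_POD = {
    "metadata": {"name": "api", "namespace": "default"},
    "spec": {
        "containers": [
            {"name": "api", "image": "registry.example.com/prod/api:latest"},
            {
                "name": "sidecar",
                "image": "docker.io/library/busybox@sha256:" + "b" * 64,
                "securityContext": {"runAsNonRoot": False},
            },
        ],
    },
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, "admitted" if admit(pod) else "rejected:", check_pod(pod))
```

In a real cluster the signature and provenance checks call out to cosign (or the controller's built-in verifier) against a trusted identity, and the digest pin is what makes the verification meaningful: a policy that verifies a tag can be bypassed by re-pointing that tag after verification.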
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]