DevSecOps CI/CD Pipeline Security Checklist

This DevSecOps CI/CD pipeline security checklist ensures compliance with NIST SP 800-218 Secure Software Development Framework (SSDF), SLSA Framework v1.0 Supply Chain Levels, CISA Software Supply Chain Security Guidance, and Executive Order 14028 software security requirements. Designed for DevSecOps teams to embed security into every stage of the delivery pipeline.

  • Industry: Telecommunications & IT
  • Frequency: Per Release / Quarterly Review
  • Estimated Time: 30-45 minutes
  • Role: DevSecOps Engineer / Application Security Lead
  • Total Items: 13
  • Compliance: NIST SP 800-218 Secure Software Development Framework (SSDF), SLSA Framework v1.0 Supply Chain Levels for Software Artifacts, OWASP Top 10 CI/CD Security Risks (2022), CISA Software Supply Chain Security Guidance, EO 14028 Improving the Nation's Cybersecurity - Software Security

Source Code Security

SAST, secrets detection, and code review requirements.

  • SAST (Static Analysis) runs on every pull request and blocks merges with critical findings?
  • Secrets/credential scanning (GitGuardian/Gitleaks/TruffleHog) active on all repos?
  • Mandatory peer code review required before merging to main/protected branches?
  • Branch protection rules: signed commits, PR reviews, no force-push on main?

Dependency and Supply Chain Security

SCA scanning, SBOM generation, and dependency pinning.

  • Software Composition Analysis (SCA) scanning all third-party dependencies?
  • Critical/High CVEs in dependencies block the build pipeline?
  • SBOM (Software Bill of Materials) generated per release (SPDX or CycloneDX)?
  • Third-party actions/images pinned to exact SHA digest (not floating tags)?
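A check for the digest-pinning item above, added here as an example and not part of the checklist: it scans a GitHub Actions workflow for `uses:` references and container images that are not pinned to a full commit SHA or an sha256 digest. The workflow text, the action names and the 40-hex SHA are constructed placeholders.

```python
import re

# Added example (not from the checklist): report actions and container images in a
# GitHub Actions workflow that use floating tags or branches instead of a digest.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?(?:image|container):\s*['\"]?(?P<ref>[^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full git commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # OCI image digest


def is_pinned_action(ref: str) -> bool:
    """'owner/repo@<40-hex sha>' is pinned; '@v4', '@main' or no ref is not."""
    if ref.startswith("./"):
        return True  # repository-local action, reviewed with the code itself
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))
    _, sep, version = ref.rpartition("@")
    return bool(sep) and bool(FULL_SHA_RE.match(version))


def is_pinned_image(ref: str) -> bool:
    """Image references must carry an @sha256 digest; a tag like ':3.12' floats."""
    return bool(DIGEST_RE.search(ref))


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, reference) for every unpinned action or image."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned_action(m.group("ref")):
            findings.append((lineno, m.group("ref")))
        m = IMAGE_RE.match(line)
        if m and not is_pinned_image(m.group("ref")):
            findings.append((lineno, m.group("ref")))
    return findings


# Constructed sample workflow; action names and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    container:
      image: python:3.12-slim
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""
```

Run `find_unpinned(SAMPLE_WORKFLOW)` to get the three unpinned references with their line numbers; wire the same function into a pre-merge check to make the checklist item enforceable rather than self-reported.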

Build and Artifact Integrity

Build provenance, signing, and artifact verification.

  • Build provenance attestations generated for all artifacts (SLSA Level 2+)?
  • Container images and binaries signed with Cosign/Sigstore or GPG?
  • IaC security scanning (Checkov/tfsec/Trivy) on all Terraform/CloudFormation?
  • DAST (Dynamic Analysis) run against staging environment before production?
  • DevSecOps Pipeline Security Notes

Why Use This DevSecOps CI/CD Pipeline Security Checklist?

This DevSecOps CI/CD pipeline security checklist helps telecommunications & IT teams maintain compliance and operational excellence. Designed for DevSecOps Engineer / Application Security Lead professionals, this checklist covers 13 critical inspection points across 3 sections. Recommended frequency: per release / quarterly review.

Ensures compliance with NIST SP 800-218 Secure Software Development Framework (SSDF), SLSA Framework v1.0 Supply Chain Levels for Software Artifacts, OWASP Top 10 CI/CD Security Risks (2022), CISA Software Supply Chain Security Guidance, EO 14028 Improving the Nation's Cybersecurity - Software Security. Regulatory-aligned for audit readiness and inspection documentation.

Frequently Asked Questions

What does the DevSecOps CI/CD Pipeline Security Checklist cover?

This checklist covers 13 inspection items across 3 sections: Source Code Security, Dependency and Supply Chain Security, and Build and Artifact Integrity. It is designed for telecommunications & IT operations and compliance.

How often should this checklist be completed?

This checklist should be completed per release / quarterly review. Each completion takes approximately 30-45 minutes.

Who should use this DevSecOps CI/CD Pipeline Security Checklist?

This checklist is designed for DevSecOps Engineer / Application Security Lead professionals in the telecommunications & IT industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.