DevSecOps Services

• Developer workstation: Pre-commit hooks detect secrets before commit (git-secrets, GitLeaks), lint for obvious security anti-patterns, enforce branch naming conventions.
• Pull Request (SAST): Static analysis of application code Semgrep (rule-based SAST, 1,000+ security rules, fast), CodeQL (GitHub-native semantic analysis), Bandit (Python security linter). Detects injection flaws, insecure deserialisation, broken authentication patterns.
• Pull Request (Dependency scan): Identify known CVEs in application dependencies via Snyk (SCA Software Composition Analysis), Dependabot (GitHub-native auto-creates PRs for vulnerable dependencies), OWASP Dependency-Check.
• Build (Container scan): Scan container image layers for OS package CVEs and misconfiguration before pushing to registry via Trivy (fastest, most comprehensive scans OS packages, app dependencies, Dockerfile misconfigs, SBOM generation). Blocks deployment of images with critical vulnerabilities.
• Build (SBOM generation): Generate Software Bill of Materials using Syft (Anchore SBOM in SPDX or CycloneDX format), sign with cosign, store in ECR alongside container image. Required by US Executive Order 14028 for federal software suppliers.
• Infrastructure (Policy-as-Code): Validate Terraform plans and Kubernetes manifests against security policies before applying via OPA (Open Policy Agent), Conftest, Checkov, tfsec. Reject resources that violate security standards (S3 bucket with public access, RDS without encryption, IAM role with wildcard permissions).
• DAST (Staging): Dynamic Application Security Testing against staging environment via OWASP ZAP (proxy-based active scanner automated scan + authenticated scan), Burp Suite (manual + automated), Nuclei (template-based scanner).
• Production (Runtime security): Detect and alert on suspicious behaviour in running containers via Falco (CNCF project Kubernetes runtime security, kernel-level syscall monitoring), alert on policy violations, unexpected network connections, privilege escalation attempts, container breakout indicators. AWS GuardDuty for ML-based threat detection at AWS account level.

SAST (Static Application Security Testing) analyses source code without executing it looking for security vulnerabilities in the code itself (SQL injection patterns, insecure direct object references, hardcoded credentials, dangerous API usage). SAST runs at pull request time before code is deployed. DAST (Dynamic Application Security Testing) tests the running application from the outside sending malicious inputs and observing responses, the same way an attacker would probe the live application. DAST runs against a staging environment. Both are necessary: SAST catches code-level vulnerabilities early and cheaply; DAST catches configuration vulnerabilities, business logic flaws, and runtime security issues that SAST cannot detect because they only manifest in the running application.

An SBOM (Software Bill of Materials) is a complete inventory of every software component in an application every library, package, and dependency, with version numbers and licence information. It is analogous to an ingredients list for software. Enterprise and government buyers require SBOMs because: US Executive Order 14028 (May 2021) mandates that software sold to the US federal government must include an SBOM; enterprise procurement security teams use SBOMs to assess supply chain risk identifying whether your application contains a vulnerable version of a widely exploited library (e.g., Log4j); and SBOM enables continuous vulnerability monitoring as new CVEs are disclosed, the buyer can check whether their vendor's software is affected. ClickMasters generates SBOMs using Syft (producing SPDX or CycloneDX format) as part of the container build pipeline, signs them with cosign, and stores them in ECR alongside the container image.