Whether it’s 2025 or already 2026, just writing code and pushing it to production is no longer enough. Keeping your code secure before it reaches production has become a top priority.
Today, most companies follow one rule: “Add security from the start, or do not deploy.”
That is exactly what DevSecOps is all about. Security is not a separate step at the end — it runs together with development and operations from day one.
What is DevSecOps?
DevSecOps is similar to DevOps, but with one major difference — security is a first-class priority, not an afterthought.
- Old DevOps: Developers write code → Operations team deploys it.
- DevSecOps: Developers write code → Security checks run automatically → Only safe code gets deployed.
On Linux systems, you can build this kind of secure pipeline using free, open-source tools — and it is easier than you think.
Tools We Will Use
- GitLab CI or GitHub Actions – to run the pipeline
- Trivy – scans container images for vulnerabilities
- Hadolint – checks your Dockerfile for mistakes
- Semgrep or Bandit – finds security issues in Python, Go, and other code
- tfsec or Checkov – scans Terraform files for misconfigurations
- OWASP ZAP or Nikto – runs basic web application security scans
Step-by-Step: Build a Secure CI/CD Pipeline on Linux
Step 1: Prepare Your Linux Server or Runner
Any Ubuntu 22.04 or Rocky Linux 9 machine works. Start by installing the basic dependencies:
sudo apt update && sudo apt install -y docker.io git curlThen add your user to the Docker group so you can run Docker without sudo:
sudo usermod -aG docker $USERLog out and log back in for the group change to take effect.
Step 2: Install the Security Tools
You only need to do this once on your runner or server.
Install Trivy – for container image scanning:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
Install Hadolint – for Dockerfile linting:
wget https://github.com/hadolint/hadolint/releases/download/v2.14.0/hadolint-Linux-x86_64 -O /usr/local/bin/hadolint
chmod +x /usr/local/bin/hadolint
Install Semgrep – for source code scanning:
pip install semgrepStep 3: Create Your Pipeline Configuration
Below is a .gitlab-ci.yml example. If you use GitHub Actions, the structure is slightly different but the same tools and commands apply.
stages:
- static-analysis
- container-scan
- deploy
code_quality:
stage: static-analysis
script:
- semgrep ci --config auto
- hadolint Dockerfile
only:
- merge_requests
- main
container_security_scan:
stage: container-scan
script:
- docker build -t myapp:latest .
- trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:latest
only:
- main
deploy_to_production:
stage: deploy
script:
- docker push myapp:latest
- ssh prod-server "docker pull myapp:latest && docker-compose up -d"
only:
- main
when: manual
What happens in this pipeline?
- Every push or merge request → Semgrep scans your code for secrets, bad cryptography, SQL injection, and more.
- Hadolint checks your Dockerfile for common mistakes like running as root or using the
latesttag. - When you merge to
main→ Docker builds the image and Trivy scans it for vulnerabilities. - If Trivy finds any HIGH or CRITICAL issues, the pipeline stops automatically — nothing gets deployed.
- The final deploy step is set to
when: manual, so a human presses the button only after all scans pass.
Step 4: Add Secrets Detection
Accidentally committing API keys, passwords, or private keys is one of the most common security mistakes. Add this job to catch them automatically:
secrets_scan:
stage: static-analysis
script:
- trivy config --exit-code 1 .
allow_failure: false
This scans your entire repository for AWS keys, database passwords, private keys, and similar sensitive data before any code is merged.
Step 5: Scan Infrastructure as Code (Terraform)
If your team uses Terraform, add this job to catch misconfigurations before they reach your cloud environment:
iac_scan:
stage: static-analysis
script:
- checkov -d . --skip-check CKV_AWS_1,CKV_AWS_2
The --skip-check flag lets you ignore specific rules that do not apply to your setup.
Real Results Teams Are Seeing in 2026
- 90% of common vulnerabilities are caught before code ever reaches production.
- No more “we forgot to scan the image” surprises before a release.
- Security teams are satisfied because nothing slips through.
- Developers still move fast because everything runs automatically in the background.
Quick Security Checklist
Before you go live with your pipeline, check these off:
- Security tools are running inside the pipeline — not manually on someone’s laptop.
- The build fails automatically on HIGH or CRITICAL vulnerabilities.
- No hardcoded secrets in the code — use GitLab CI variables or HashiCorp Vault instead.
- Pipeline scans cover: Dockerfile, source code, container images, and Terraform files.
- Tools are updated at least once a month to get the latest vulnerability signatures.
Conclusion
That’s it. Follow these steps and your Linux-based CI/CD pipeline will be secure without slowing your team down.
Start small — add one scan at a time. Within two weeks, your pipeline will catch issues automatically and your team will ship code with much more confidence.
Start with Trivy or Semgrep today. Both are free, easy to install, and catch real vulnerabilities.
Let us know in the comments — which tool did you start with first?