← Writing

CI/CD Security Gates: What Most Teams Skip

8 November 2024·1 min read
[DevSecOps][CI/CD][Engineering]

CI/CD Security Gates: What Most Teams Skip

"Shift left" has become one of those phrases that means everything and nothing. Teams add a vulnerability scanner to the pipeline, watch it produce a 200-item report that nobody reads, and declare victory.

Real security gating is about hard blocks, not reports. It's about knowing which findings actually represent risk in your specific codebase and build pipeline — and failing the build on those, not on every theoretical CVSS 7.0 that affects a library you use but haven't loaded.

I built a pipeline with embedded SAST via Semgrep, dependency auditing, and policy-as-code checks that eliminated 80% of low-hanging-fruit findings before they ever reached a human reviewer. Full breakdown in progress — coming soon.