What does it mean to 'shift security left' in a CI/CD pipeline, and what kinds of automated checks would you add to a build?

technical-conceptual · Junior level · cloud-devops-security

What the interviewer is really asking

Assess whether the candidate understands that DevSecOps moves security earlier in the lifecycle so issues are caught cheaply, and can name the concrete gates (SAST, SCA, secret scanning, IaC and container scanning, DAST) and where each runs.

What to say

What to avoid

Example answers

Strong: On a service I worked on we added two gates to the pull-request build: SCA to flag dependencies with known CVEs and secret scanning to block committed keys. SAST ran on the same trigger for code flaws, and we kept DAST on a nightly run against staging since it needs the app deployed. Catching a leaked token at the PR meant we never had to rotate it in production.

Weak: Shift left just means doing security earlier. I'd add a security scan to the pipeline and fail the build if it finds anything.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.