DevSecOps Overview

Microtec ERP's DevSecOps program embeds security controls directly into the Azure DevOps pipeline so that every service — backend, frontend, mobile, and infrastructure — is scanned, reviewed, and verified before any artifact reaches a runtime environment.


Security Model: Central Team + Consumer Extension

┌─────────────────────────────────────────────────────────┐
│              Security Team (owns thresholds)            │
│  DevSecOps/templates/security-pipeline-template.yml     │
│  DevSecOps/config/thresholds.yml                        │
│  DevSecOps/config/repo-registry.yml                     │
└───────────────────────┬─────────────────────────────────┘
                        │ extends
          ┌─────────────┼──────────────┐
          ▼             ▼              ▼
   Platforms/      InfraServices/  WorkflowDesigner/
   azure-pipelines  azure-pipelines  azure-pipelines
   .yml            .yml             .yml

Key principle: each product team consumes the shared security pipeline template. The security team controls severity thresholds in a single location (thresholds.yml). Product teams cannot lower thresholds unilaterally — they must raise a PR to the DevSecOps repository.
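The following azure-pipelines.yml is an added illustration of the consumer side of this model (for example Platforms/azure-pipelines.yml); it is not the project's own file. The repository name `DevSecOps` and the template parameter names (`language`, `dockerfilePath`, `sonarProjectKey`) are assumptions, since the real parameter list lives in the template and in repo-registry.md.

```yaml
# Consumer pipeline: a product team's azure-pipelines.yml (added example, assumed names).
trigger:
  branches:
    include: [main, stage, preprod, uat, production]

resources:
  repositories:
    - repository: devsecops            # alias referenced after the '@' below
      type: git                        # git repo in the same Azure DevOps project
      name: DevSecOps                  # assumed repository name holding the template
      ref: refs/heads/main             # pin to a tag (refs/tags/v1) to stage template rollouts

extends:
  # 'extends' makes the shared template the entire pipeline definition: the consumer can
  # only supply the parameters the template declares. It cannot add or drop stages, and it
  # cannot reach into thresholds.yml, which the template reads from the DevSecOps repo.
  template: templates/security-pipeline-template.yml@devsecops
  parameters:
    language: dotnet                   # assumed: selects the Stage 7 build/test tooling
    dockerfilePath: src/Dockerfile     # assumed: location used by Stages 6, 8 and 9
    sonarProjectKey: microtec-platforms   # assumed: matches the repo-registry entry
```

Extending the template is what prevents a team from editing or skipping a scan stage, but it does not by itself stop a team from committing a second pipeline that never extends the template at all. Azure DevOps closes that gap with the "Required template" check on protected resources (the deployment environments, the container registry service connection, the archive storage account): a run that did not extend the approved template is refused access to those resources, so the only way to publish an artifact is through the 16 stages.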


16-Stage Security Pipeline

Stage 1   ──► Secret scanning         (Gitleaks)
Stage 2   ──► SAST                    (SonarCloud)
Stage 3   ──► Dependency CVEs         (OWASP DC)
Stage 4   ──► Dependency vulns        (Trivy deps)
Stage 5   ──► IaC scanning            (Trivy IaC — Bicep/YAML)
Stage 6   ──► Dockerfile linting      (Hadolint)
Stage 7   ──► Build + Unit Tests      (.NET / Node / Flutter)
Stage 8   ──► Docker build            (Container build)
Stage 9   ──► Image scanning          (Trivy container)
Stage 10  ──► SBOM generation         (Syft)
Stage 11  ──► Integration Tests       (REST Assured / Newman)
Stage 12  ──► AI code review          (Azure OpenAI GPT-4o)
Stage 13  ──► DAST                    (OWASP ZAP)
Stage 14  ──► Security report         (HTML + PDF publish)
Stage 15  ──► Notifications           (Teams webhook)
Stage 16  ──► Archive                 (Artifacts to storage account)

All stages run within a single pipeline triggered on every PR and on every merge to main/stage/preprod/uat/production.


Multi-Language Support Matrix

| Language / Platform | SAST | Deps | Container | DAST |
|---|---|---|---|---|
| C# (.NET 8) | SonarCloud | OWASP DC + Trivy | Trivy | ZAP |
| TypeScript (Angular 17) | SonarCloud | Trivy | Trivy | ZAP |
| Dart (Flutter) | SonarCloud | Trivy | N/A (mobile) | N/A |
| Bicep / YAML (IaC) | Trivy IaC | N/A | N/A | N/A |
| Dockerfile | Hadolint | N/A | Trivy image | N/A |

Note: SonarCloud's analysis engine auto-detects language per repository. No per-language configuration is required beyond the .sonarcloud.properties file.


All Tools at a Glance

| Tool | Stage | Category | Blocks Pipeline | Threshold |
|---|---|---|---|---|
| Gitleaks | 1 | Secret detection | Yes | Any secret |
| SonarCloud | 2 | SAST / Quality gate | Yes | Quality gate fail |
| OWASP Dependency-Check | 3 | CVE / SCA | Yes | Critical or High CVE |
| Trivy (dependencies) | 4 | SCA | Yes | Critical |
| Trivy (IaC) | 5 | Misconfiguration | Yes | High |
| Hadolint | 6 | Dockerfile lint | Yes | Error level |
| .NET Test / npm test | 7 | Unit testing | Yes | Any test failure |
| Docker build | 8 | CI artifact | Yes | Build failure |
| Trivy (image) | 9 | Container CVE | Yes | Critical |
| Syft | 10 | SBOM | No | Informational |
| Integration Tests | 11 | Functional | Yes | Any test failure |
| Azure OpenAI | 12 | AI review | No | Advisory only |
| OWASP ZAP | 13 | DAST | Yes | High |
| Report generator | 14 | Reporting | No | N/A |
| Teams notifier | 15 | Notification | No | N/A |
| Storage archiver | 16 | Archive | No | N/A |

Repo Registry Concept

The repo registry (DevSecOps/config/repo-registry.yml) is a YAML manifest that catalogues every repository participating in the DevSecOps pipeline. It answers:

  • Which repositories consume the shared template?
  • What language does each repo use?
  • Where is the Dockerfile and test project?
  • What is the SonarCloud project key?

See repo-registry.md for the full schema and onboarding steps.


Pipeline Trigger Strategy

```yaml
# Conceptual trigger — defined in each repo's azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - stage
      - preprod
      - uat
      - production
  paths:
    exclude:
      - docs/**
      - '*.md'

pr:
  branches:
    include:
      - main
      - stage
```
Paths such as docs/ and Markdown files are excluded from pipeline triggers to prevent documentation-only commits from consuming pipeline minutes.


Centralized Threshold Configuration

DevSecOps/config/thresholds.yml contains all tunable blocking conditions:

```yaml
gitleaks:
  blockOnAnySecret: true

sonarcloud:
  blockOnQualityGateFail: true

owaspDependencyCheck:
  failBuildOnCVSS: 7          # blocks on High+Critical

trivy:
  deps:
    severity: CRITICAL
  iac:
    severity: HIGH
  image:
    severity: CRITICAL

hadolint:
  failureThreshold: error     # error | warning | info | style

owaspZap:
  riskCode: 3                 # 3=High, 2=Medium, 1=Low
```

Product teams can propose changes via PR; the security team reviews and merges.
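To show how a value from thresholds.yml turns into a blocking scan, here is an added stage-template excerpt for Stage 5 (Trivy IaC). It is not taken from security-pipeline-template.yml; the parameter name `iacSeverity`, the stage and job names, and the way the threshold is passed in are assumptions. The Trivy flags (`trivy config`, `--severity`, `--exit-code`) are the tool's real options.

```yaml
# Added example: one stage of a security template that enforces trivy.iac.severity.
# Parameter and stage names are assumed; the real template may differ.
parameters:
  - name: iacSeverity              # assumed to carry thresholds.yml -> trivy.iac.severity
    type: string
    default: HIGH
    values: [CRITICAL, HIGH, MEDIUM, LOW]

stages:
  - stage: IaCScan
    displayName: "Stage 5 - IaC scanning (Trivy IaC)"
    jobs:
      - job: TrivyConfig
        pool:
          vmImage: ubuntu-latest
        steps:
          - bash: |
              set -euo pipefail
              # Trivy's --severity is a list filter, not a minimum. A single threshold
              # must be expanded to "that level and above", otherwise a HIGH threshold
              # would report HIGH findings and silently ignore CRITICAL ones.
              case "${{ parameters.iacSeverity }}" in
                CRITICAL) levels="CRITICAL" ;;
                HIGH)     levels="HIGH,CRITICAL" ;;
                MEDIUM)   levels="MEDIUM,HIGH,CRITICAL" ;;
                LOW)      levels="LOW,MEDIUM,HIGH,CRITICAL" ;;
              esac
              # --exit-code 1 is what converts findings into a failed stage;
              # without it Trivy prints its table and the stage passes.
              trivy config \
                --severity "$levels" \
                --exit-code 1 \
                "$(Build.SourcesDirectory)"
            displayName: "Trivy IaC scan (blocks on ${{ parameters.iacSeverity }} and above)"
```

Because `${{ parameters.iacSeverity }}` is expanded when the template is compiled, the threshold is fixed before any consumer-side step runs, and the `values:` list rejects a pipeline that tries to pass an unlisted severity. The same expansion is what the Stage 4 and Stage 9 Trivy invocations need: the `CRITICAL` thresholds for deps and image happen to need no expansion, but if either is ever lowered to `HIGH` in thresholds.yml, the comma-list form is what keeps CRITICAL findings blocking.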


Internal Documentation — Microtec Platform Team