
GitOps Enables Security as Code


As enterprises push to automate and drive ever faster application deployments through Kubernetes-managed containerized workloads, security can get left behind. DevOps breaks down barriers between development and operations teams and creates a seamless production pipeline that churns out code quickly and at scale. But DevOps comes with its own security challenges.

Closer collaboration between development and operations means that credentials change hands more often, and secrets and keys that are not managed carefully end up exposed. As the teams merge, roles and policies that were never defined leave gaps in who is responsible for which controls. And faster development means more coding mistakes, which become exploitable misconfigurations and bugs. It is no longer enough to tack security on to the end of the pipeline; it has to be implemented from source to production.

That’s where GitOps comes in, and with it, the concept of trusted delivery.

GitOps: A secure-by-design framework

GitOps uses Git as the single source of truth for declarative descriptions of applications and infrastructure, so software can be deployed quickly and automatically without compromising security.


By making infrastructure declarative, GitOps treats everything as code: the desired state of the system is a set of facts stored in Git rather than a sequence of instructions to run. This extends to security as code, meaning that compliance and security requirements become codified standards, often written as YAML, that are applied consistently across every environment from source to production. Software agents compare what is running in a cluster with what Git declares and raise an alert on any divergence, and Kubernetes reconcilers (controllers) bring the cluster back to the declared state, which may mean applying a new commit or reverting an out-of-band change.

Automating the monitoring, alerting and reconciliation of drift removes much of the human error from making changes and makes those changes safer and more reliable. A single workflow for both application code and infrastructure also means security best practices are applied the same way at every step of the pipeline.
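The reconciliation loop described above in miniature, as an added example (this is not Flux or Weave GitOps code): the desired state read from Git is compared field by field with what the cluster reports, every divergence produces an alert, managed resources are forced back to their Git version, and resources that Git never declared are flagged rather than silently deleted. Both states are constructed sample data, and the resource keys and manifests are assumptions made for the illustration.

```python
"""GitOps reconciliation in miniature: Git holds the desired state, the
cluster reports the live state, and any difference between them is drift.

Added example, not Flux or Weave GitOps code. Manifests appear as the dicts
a YAML parser would produce; both states are constructed sample data.
"""
from copy import deepcopy
from typing import Any

# Desired state, as committed to Git (constructed sample).
DESIRED = {
    "Deployment/payments/api": {"spec": {
        "replicas": 3,
        "template": {"spec": {"containers": [
            {"name": "api", "image": "registry.example.com/api:1.4.2"}]}},
    }},
    "NetworkPolicy/payments/default-deny": {"spec": {"policyTypes": ["Ingress", "Egress"]}},
}

# Live state, as read from the API server (constructed sample): an operator
# ran `kubectl edit` to scale down and swap in an unreviewed image, the
# NetworkPolicy was deleted, and a Pod appeared that Git never declared.
LIVE = {
    "Deployment/payments/api": {"spec": {
        "replicas": 1,
        "template": {"spec": {"containers": [
            {"name": "api", "image": "registry.example.com/api:debug"}]}},
    }},
    "Pod/payments/shell": {"spec": {"containers": [{"name": "sh", "image": "busybox"}]}},
}


def diff(want: Any, got: Any, path: str = "") -> list[tuple[str, Any, Any]]:
    """List (path, expected, actual) for every leaf where got differs from want."""
    if isinstance(want, dict) and isinstance(got, dict):
        return [d for k in sorted(set(want) | set(got))
                for d in diff(want.get(k), got.get(k), f"{path}.{k}" if path else k)]
    if isinstance(want, list) and isinstance(got, list) and len(want) == len(got):
        return [d for i, (w, g) in enumerate(zip(want, got))
                for d in diff(w, g, f"{path}[{i}]")]
    return [] if want == got else [(path, want, got)]


def reconcile(desired: dict, live: dict) -> tuple[list[str], dict]:
    """Compare Git with the cluster; return (alerts, corrected live state).

    Managed resources are forced back to their Git version whether they were
    edited out of band or deleted. Resources that exist only in the cluster
    are reported but not pruned: deleting is a policy decision, so the loop
    alerts and leaves it to a human or to an explicit prune setting.
    """
    alerts: list[str] = []
    corrected = deepcopy(live)
    for name, spec in desired.items():
        if name not in live:
            alerts.append(f"MISSING {name}: recreated from Git")
        else:
            for path, want, got in diff(spec, live[name], name):
                alerts.append(f"DRIFT {path}: expected {want!r}, found {got!r}; reverted")
        corrected[name] = deepcopy(spec)
    for name in sorted(set(live) - set(desired)):
        alerts.append(f"UNMANAGED {name}: exists in cluster but not in Git")
    return alerts, corrected


if __name__ == "__main__":
    for line in reconcile(DESIRED, LIVE)[0]:
        print(line)
```

Two choices in this loop matter for security. The out-of-band image change is reverted regardless of whether it looks harmless, because it never went through review in Git; and the unmanaged Pod is only reported, because automatic deletion is the kind of destructive action that should be switched on deliberately rather than be the default.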

Policy as code for continuous security

With GitOps, security is no longer tacked on to the end of the pipeline. Instead, security checks run every time a change is committed to Git, so serious bugs, critical vulnerabilities and insecure configurations are caught early in the development cycle, before any change reaches production. Policy as code shifts security left by automating these checks at every phase, removing the end-of-pipeline review as a bottleneck that would otherwise slow development. In effect, GitOps builds continuous security into the continuous integration / continuous deployment (CI/CD) pipeline.
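The commit-time check this describes, as an added example that is not Weave GitOps, OPA or Rego code: a small policy engine that evaluates the Kubernetes manifests in a change set against a handful of codified rules (no privileged containers, no host networking, run as non-root, pinned image references, resource limits) and fails the job when any "deny" rule trips. The policy identifiers, the severity scheme and the two sample manifests are assumptions made for the illustration.

```python
"""Policy as code: the checks a CI job or pre-commit hook runs over the
Kubernetes manifests in a change set, before anything reaches a cluster.

Added example, not Weave GitOps or OPA code: each policy is a plain Python
function that returns a violation message or None. The two manifests are
constructed sample data in the form a YAML parser would produce.
"""
from typing import Callable, Iterator, Optional

Manifest = dict


def pod_spec(m: Manifest) -> dict:
    """Pod spec of a bare Pod, or of a Deployment/Job/... via its template."""
    spec = m.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def containers(m: Manifest) -> Iterator[dict]:
    pod = pod_spec(m)
    yield from pod.get("initContainers", [])
    yield from pod.get("containers", [])


def no_privileged(m: Manifest) -> Optional[str]:
    for c in containers(m):
        if c.get("securityContext", {}).get("privileged"):
            return f"container {c['name']} is privileged"
    return None


def no_host_network(m: Manifest) -> Optional[str]:
    return "pod shares the node's network namespace" if pod_spec(m).get("hostNetwork") else None


def non_root(m: Manifest) -> Optional[str]:
    """runAsNonRoot may be set for the whole pod or overridden per container."""
    pod_level = pod_spec(m).get("securityContext", {}).get("runAsNonRoot")
    for c in containers(m):
        own = c.get("securityContext", {}).get("runAsNonRoot")
        if not (pod_level if own is None else own):
            return f"container {c['name']} may run as root"
    return None


def pinned_images(m: Manifest) -> Optional[str]:
    """Reject ':latest' and untagged images; a digest is best, a fixed tag acceptable."""
    for c in containers(m):
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]          # drop registry and repository path
        if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
            return f"container {c['name']} uses mutable image {image!r}"
    return None


def resource_limits(m: Manifest) -> Optional[str]:
    for c in containers(m):
        if not c.get("resources", {}).get("limits"):
            return f"container {c['name']} has no resource limits"
    return None


# (policy id, severity, check). A 'deny' finding fails the gate; 'warn' is only reported.
POLICIES: list[tuple[str, str, Callable[[Manifest], Optional[str]]]] = [
    ("PSS-PRIV", "deny", no_privileged),
    ("PSS-HOSTNET", "deny", no_host_network),
    ("PSS-NONROOT", "deny", non_root),
    ("IMG-PINNED", "deny", pinned_images),
    ("RES-LIMITS", "warn", resource_limits),
]


def evaluate(manifests: list[Manifest]) -> list[tuple[str, str, str, str]]:
    """(policy id, severity, resource, message) for every check that fails."""
    findings = []
    for m in manifests:
        resource = f"{m.get('kind')}/{m.get('metadata', {}).get('name')}"
        for pid, severity, check in POLICIES:
            msg = check(m)
            if msg:
                findings.append((pid, severity, resource, msg))
    return findings


def gate(manifests: list[Manifest]) -> tuple[bool, list]:
    """True when the change may proceed, i.e. there is no 'deny' finding."""
    findings = evaluate(manifests)
    return not any(sev == "deny" for _, sev, _, _ in findings), findings


# Constructed samples: a compliant Deployment and one that trips all five policies.
GOOD = {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "api", "image": "registry.example.com/api:1.4.2",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}
BAD = {"kind": "Deployment", "metadata": {"name": "debug"}, "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "shell", "image": "busybox:latest",
                    "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    ok, findings = gate([GOOD, BAD])
    for finding in findings:
        print(*finding)
    raise SystemExit(0 if ok else 1)      # a non-zero exit fails the CI job
```

The same functions can be called from an admission webhook at deploy time, so a manifest that bypasses CI (applied by hand with kubectl) meets the identical rules. In a real pipeline the rules would be written in Rego or another policy language and evaluated by a policy engine rather than in Python, but the shape is the same: a pure function of the manifest that either passes or names the violation, with the severity deciding whether the pipeline stops.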

Auditable source of truth

With GitOps, every change to your system is stored in version control, with Git as the canonical source of truth from which the system is derived. That lets you roll back to a previous known-good state immediately and recover quickly from a catastrophic failure. Requiring committers to sign their commits (Git supports GPG, X.509 and SSH keys for this) lets you verify who authored each change, which the plain author field cannot, since anyone can set it; the check only has teeth if the repository rejects unsigned or unverified commits on protected branches. Together with the comments and reviews attached to each change, this gives you an audit trail that records the author, the time and the reason for every change committed to Git.

Trusted Delivery

All of these security advantages of GitOps enable what is known as trusted delivery. Trusted delivery lets DevOps teams deploy applications quickly while ensuring that every release is protected by automated guardrails implemented as policy as code. These guardrails are written as code and built into the pipeline so that security and compliance requirements, including those set by industry mandates, are enforced on every release.

Some of the key advantages of trusted delivery are summed up here:

  1. Consistent security and compliance enforcement across your workflows: Trusted delivery means that security best practices are applied to all your Kubernetes environments in a consistent manner. Development, operations, and security teams can break down silos and unify their infrastructure, policies, and goals to shift security left.
  2. Automated guardrails for deployments to production: By programmatically enforcing security standards using policy as code, organizations can better fortify their security posture. Any policy violation is caught early in the development lifecycle and the responsible teams alerted. You can set up developer guardrails at multiple points along the software delivery pipeline:
     • Commit
     • Build
     • Deploy
     • Runtime
  3. Support for DevSecOps across the pipeline: As you transition from DevOps to DevSecOps, adopting policy as code at every stage in your GitOps pipeline lets you integrate security into your workflows seamlessly and comprehensively. With trusted delivery, you can ensure that your Kubernetes environments have built-in protection against threats and vulnerabilities, particularly those caused by human error.

How Can You Ensure Trusted Delivery?

Integrating policy as code into CI/CD pipelines, using a policy engine, and defining policies declaratively are good first steps towards trusted application delivery. The policy engine evaluates infrastructure-as-code changes, configuration drift and risky deployments against those policies; what happens on a violation depends on where it is caught: a failed check blocks the commit or build, an admission controller rejects the deployment, and the reconciler reverts drift in a running cluster. Automatic remediation should be scoped deliberately, since a policy that reverts changes on its own can also interrupt a legitimate emergency fix.

When GitOps teams integrate policy as code within their workflows, it helps build secure developer-centric experiences with continuous deployment for cloud-native applications.

Organizations can also apply one set of governance standards across every cluster when enforcing policy as code, run the same policy checks in each cloud environment, and verify that their infrastructure meets its compliance requirements.

This approach also lets development teams create and enforce a centralized playbook across the SDLC, which helps accelerate development, implement best practices, and automate security controls across iterations.

Trusted Delivery – policy as code in GitOps pipelines – goes a long way in boosting innovation and time-to-market.

Weave GitOps offers 100+ OPA-based policies, available through the Weave Policy Library, that you can use to secure your cloud consistently across all environments from source to production. The library includes policies mapped to frameworks such as CIS, NIST, PCI DSS, MITRE ATT&CK, HIPAA and GDPR. Embedding security as code into CI/CD pipelines is important for bridging the gap between DevOps and security teams and for automating processes so that human error is minimized.

Twain Taylor, Tech Analyst & Influencer