Chapter 6. Conclusion and Next Steps

You just built a local-first DevSecOps stack that runs anywhere a laptop does. It ships a working app on day one, grows in small, testable waves, produces evidence for every step, and hardens both your supply chain and runtime without cloud spend.

This chapter helps you (1) summarize what you’ve built, (2) ratchet quality safely, (3) map your make targets to a hosted CI, and (4) roll it out with sane ownership, SLAs, and audit-ready artifacts. Finally, you’ll get a compact “what’s next” backlog.


5.1 What You Built (at a glance)

Area | You now have | Evidence
--- | --- | ---
Build & Scan | make ci runs SAST (Semgrep), secrets (TruffleHog), Dockerfile lint (Hadolint), IaC (Checkov), SBOM (Syft), container SCA (Trivy) | ./artifacts/* (JSON/TXT/HTML)
Supply Chain | SBOMs + Cosign signature bundle, Trivy gate, SBOM diff, license check | sbom.json, sbom.bundle, trivy-image.json, sbom-diff.txt, license-scan.txt
Deploy (Local) | make cd builds → scans → promotes → loads to Minikube → applies k8s → rollout verify | kubectl rollout status, k8s-verify
Runtime Guardrails | Kyverno (verify images, org-allow), Pod Security (restricted), RBAC least privilege, NetworkPolicies | policies/*.yaml, artifacts/policy-apply.txt, artifacts/rbac-verify.txt
Testing | ZAP baseline DAST, simple WAF demo | artifacts/zap/*, artifacts/waf-test.txt
Process | Evidence ZIP, tuned blocking policy, vuln mgmt lifecycle (optional DefectDojo) | artifacts/evidence-YYYY-MM-DD.zip, ARTIFACTS.md

Design principles: local, offline-friendly, copy-pasteable commands, minimal moving parts, and every change leaves a trail in ./artifacts.


5.2 Ratcheting & Blocking (6-week roadmap you can actually keep)

Start permissive, tune noise, then gradually enforce. Each step adds one small risk reduction with clear success signals.

Week | Change | Rationale | Success signal
--- | --- | --- | ---
1 | Secrets: block verified credentials; warn the rest | High signal, low false-positive rate | 0 spurious breaks; verified hits get fixed same day
2 | SAST: block a curated High/Critical set | Catch top OWASP issues early | PRs fail only on real, fixable code issues
3 | SCA: block Critical (and High w/ fixes) | Remove known-bad libs from images | Trivy High/Critical = 0 in RC images
4 | IaC: enforce runAsNonRoot, seccomp, probes, drop caps | Safe runtime defaults; resilience | Checkov failed → 0 for key rules
5 | Admission: Kyverno verifyImages + org-allow | Stop untrusted images from running | Bad pods denied; policy test shows “deny/allow” as expected
6 | Licenses: WARN → ENFORCE allowlist | Legal & commercial hygiene | No “DISALLOWED” licenses in release builds

Keep the ratchet visible: add a short “Blocking Policy” section to your repo README with the current gates and how to request an exception.
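As an added example (not code from the book's starter repo), here is a small Python gate that implements the week-3 SCA rule over a Trivy JSON report: block Critical, block High only when a fix exists, warn on everything else. The report shape follows Trivy's `--format json` output; the sample findings and their IDs are constructed placeholders, and `sca_gate.py` is an assumed file name.

```python
import json
import sys

# Constructed sample in the shape of `trivy image --format json` output; not a real scan.
# Vulnerability IDs are placeholders, not real CVEs.
SAMPLE_TRIVY_REPORT = {
    "Results": [
        {"Target": "demo-app:rc (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "2.3.4", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "libnofix",
             "InstalledVersion": "0.9", "Severity": "HIGH"},  # no FixedVersion: warn, don't block
            {"VulnerabilityID": "CVE-PLACEHOLDER-0004", "PkgName": "libmeh",
             "InstalledVersion": "4.2", "FixedVersion": "4.3", "Severity": "MEDIUM"},
        ]},
        {"Target": "Node.js", "Vulnerabilities": None},  # Trivy emits null for a clean target
    ]
}

def evaluate_gate(report: dict, block_high_with_fix: bool = True) -> dict:
    """Split findings into 'block' and 'warn' lists per the week-3 ratchet."""
    block, warn = [], []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "UNKNOWN")).upper()
            fix = v.get("FixedVersion") or ""
            entry = f"{v['VulnerabilityID']} {v['PkgName']} {v.get('InstalledVersion', '?')} {sev}"
            if sev == "CRITICAL" or (sev == "HIGH" and fix and block_high_with_fix):
                block.append(entry + (f" -> fix {fix}" if fix else ""))
            else:
                warn.append(entry)
    return {"block": block, "warn": warn}

def gate_exit_code(report: dict, block_high_with_fix: bool = True) -> int:
    """0 passes the gate, 1 fails it; `make sca` propagates this to CI."""
    verdict = evaluate_gate(report, block_high_with_fix)
    for kind in ("warn", "block"):
        for line in verdict[kind]:
            print(kind.upper(), line)
    return 1 if verdict["block"] else 0

if __name__ == "__main__":  # usage: python sca_gate.py [artifacts/trivy-image.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_TRIVY_REPORT  # no path given: run the embedded sample
    sys.exit(gate_exit_code(report))
```

Flip `block_high_with_fix` to False to run the gate at the week-2 level and tighten it when the High-with-fix count is at zero.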


5.3 From Laptop → Hosted CI (thin wrappers around make)

Your Makefile is the contract. CI jobs stay tiny and durable.

Example — GitHub Actions

name: ship-securely
on:
  pull_request:
  push:
    branches: [ main ]

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Run CI (local parity)
        run: make ci

  gate-and-artifacts:
    needs: build-and-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Enforce SCA gate & collect evidence
        run: |
          make sca
          make evidence || true
      - uses: actions/upload-artifact@v4
        with:
          name: artifacts
          path: artifacts/**

Mapping Cheat-Sheet

Make target | GitHub Actions | GitLab CI | Jenkins
--- | --- | --- | ---
ci | job build-and-scan, run: make ci | stage build, script: make ci | “Build” stage shell step
promote | needs: build-and-scan, run: make promote | stage release | post-build step
k8s-audit | job k8s-audit, run: make k8s-audit | stage test | “Test” stage
kyverno-* | cluster context in staging env | same | same
evidence | upload artifacts | artifacts: | archive artifacts

For staged environments, call the same targets; just swap kubeconfig/namespace via environment variables.


5.4 Operating Model (RACI, cadence, SLAs)

Ownership

Activity | Dev | Security | Ops/Platform
--- | --- | --- | ---
Fix SAST/Secrets/IaC in owned code | R | C | I
Curate rules, tune noise | C | R | C
Kyverno/PSA/NetPol policy | I | R | R
SBOM/sign/SCA thresholds | I | R | R
Weekly triage & SLAs | R (for their code) | R (policy + coaching) | C
Evidence & audits | C | R | R

  • SLAs (starter): Critical ≤ 7d, High ≤ 30d, Medium ≤ 90d.
  • Ceremonies: 15-min weekly triage; monthly “ratchet” review; quarterly policy refresh.

5.5 Compliance Cheat-Sheet (show, don’t tell)

Ask | Show this | Where
--- | --- | ---
“Prove you scan code & images” | semgrep.json, trivy-image.json | ./artifacts
“Prove SBOM + integrity” | sbom.json, sbom.bundle (+ cosign verify) | ./artifacts
“Prove supply-chain policy” | Kyverno verify-image-signatures.yaml, policy-apply.txt | ./policies, ./artifacts
“Prove runtime limits” | Deployment securityContext, NetworkPolicy YAMLs | infra/k8s/**
“Prove findings are managed” | Evidence ZIP, ARTIFACTS.md (or DefectDojo export) | ./artifacts

5.6 What’s Next (sane backlog)

Item | Why | Effort
--- | --- | ---
Provenance (SLSA) with cosign attest | Trust the how of the build, not just the bits | Med
Commit signing & branch protections | Reduce supply-chain PR tampering | Low
Renovate/Dependabot (self-host ok) | Keep deps fresh, shrink CVE surface | Low
External Secrets Operator | Pull secrets from KMS without plaintext in Git | Med
kube-bench (CIS) | Cluster baseline scorecard | Med
Centralized alerts | Turn ZAP/Kyverno/Falco into notifications | Med
CI templates | Publish your make wrappers for the org | Low

5.7 Thank You & Call-to-Action

If this book helped you, consider:

  • Keep building: fork the starter repo, adapt the Makefile, and add one control per sprint.
  • Stay current: subscribe to the mailing list (free PDF, update notes, and new checklists).
  • Go deeper with your team: workshops, ruleset curation, or a focused pentest on your app’s threat model.
  • Give back: open a PR with improvements to the demo app, policies, or docs.

You now have a working, auditable DevSecOps stack that fits in your backpack. Keep it small, keep it practical, and keep shipping—securely.