DevSecOps Guide

Objective

Operate AppSec in delivery pipelines with high reliability, low friction, and clear policy enforcement.

Main responsibilities

  • Integrate scanners in CI/CD.
  • Enforce security gates by policy.
  • Keep automation stable and observable.
  • Ensure findings flow to the right teams/channels.

Follow-up routine

  1. Validate pipeline security jobs and failed runs.
  2. Check gate failures by repository/team.
  3. Review scanner coverage (projects/assets onboarded).
  4. Verify alert routing (Slack/Teams/Jira/etc.).
  5. Tune gate policies using recent false-positive/false-negative feedback.
  6. Audit integration health and tokens/credentials.
  7. Review CLI and scanner versions.
  8. Publish a reliability summary for security workflows.

Core workflows in Conviso

Defect tracker integration

Integrate Conviso Platform with your issue management tool using the Defect/Bug Tracking integrations, so that vulnerabilities are synchronized and managed inside your team's existing workflow.

Decision support with Dashboard

Use the Dashboard as a management layer to track indicators, identify trends, and decide where to act first (for example: unstable pipelines, low scan coverage, or backlog growth).

Automation with CLI and API

Use the New CLI and the API to automate repetitive security operations in pipelines, orchestrate scan executions, and standardize security checks across repositories.

Management and collaboration tool

  • Pipeline security job success rate.
  • Mean time to recover a failed security stage.
  • Security gate block rate (trend).
  • Percent of repositories with active security scan coverage.
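The four indicators above can be computed from the pipeline's own run history. The following is an added example, not Conviso code and not tied to the Conviso API: it defines a minimal run record, feeds it a constructed set of runs for four hypothetical repositories, and derives each metric. Note the distinction it keeps between a security job that failed to run (a reliability problem, counted in success rate and recovery time) and a job that ran and blocked the pipeline by policy (counted in the gate block rate).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class SecurityJobRun:
    """One execution of the security stage in a CI/CD pipeline (assumed record shape)."""
    repo: str
    started: datetime
    job_succeeded: bool   # the security job ran to completion (scanner/CLI did not crash)
    gate_blocked: bool    # the policy gate failed the pipeline; only meaningful when job_succeeded


def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed sample runs for illustration; these are not real pipeline data.
RUNS = [
    SecurityJobRun("payments", _t("2024-05-01 08:00"), True, False),
    SecurityJobRun("payments", _t("2024-05-01 12:00"), False, False),  # scanner crashed
    SecurityJobRun("payments", _t("2024-05-01 18:00"), True, True),    # recovered; gate blocked a finding
    SecurityJobRun("web", _t("2024-05-02 09:00"), True, False),
    SecurityJobRun("web", _t("2024-05-02 10:00"), False, False),       # expired integration token
    SecurityJobRun("web", _t("2024-05-02 11:00"), False, False),       # still failing, same incident
    SecurityJobRun("web", _t("2024-05-02 13:00"), True, False),        # recovered
    SecurityJobRun("auth", _t("2024-05-03 09:00"), True, True),
]
# Every repository the team is responsible for; "legacy" has never run a security job.
ALL_REPOS: Set[str] = {"payments", "web", "auth", "legacy"}


def job_success_rate(runs: Iterable[SecurityJobRun]) -> float:
    """Share of security jobs that ran to completion, regardless of the gate outcome."""
    runs = list(runs)
    return sum(r.job_succeeded for r in runs) / len(runs) if runs else 0.0


def gate_block_rate(runs: Iterable[SecurityJobRun]) -> float:
    """Share of completed security jobs whose policy gate blocked the pipeline."""
    completed = [r for r in runs if r.job_succeeded]
    return sum(r.gate_blocked for r in completed) / len(completed) if completed else 0.0


def mean_time_to_recover_hours(runs: Iterable[SecurityJobRun]) -> Optional[float]:
    """Mean hours from the first failed run of an incident to the next successful run, per repo.

    Consecutive failures count as one incident. Incidents still open at the end of the
    window are excluded, so the value is None when nothing has been recovered yet.
    """
    by_repo: Dict[str, list] = defaultdict(list)
    for r in runs:
        by_repo[r.repo].append(r)
    durations = []
    for repo_runs in by_repo.values():
        incident_start = None
        for r in sorted(repo_runs, key=lambda x: x.started):
            if not r.job_succeeded:
                if incident_start is None:
                    incident_start = r.started
            elif incident_start is not None:
                durations.append((r.started - incident_start).total_seconds() / 3600)
                incident_start = None
    return mean(durations) if durations else None


def scan_coverage(runs: Iterable[SecurityJobRun], all_repos: Set[str]) -> float:
    """Fraction of managed repositories with at least one security job in the window."""
    covered = {r.repo for r in runs}
    return len(covered & all_repos) / len(all_repos) if all_repos else 0.0


def reliability_summary(runs: Iterable[SecurityJobRun], all_repos: Set[str]) -> Dict[str, Optional[float]]:
    """The figures a weekly reliability summary for security workflows would publish."""
    runs = list(runs)
    return {
        "job_success_rate": job_success_rate(runs),
        "gate_block_rate": gate_block_rate(runs),
        "mttr_hours": mean_time_to_recover_hours(runs),
        "scan_coverage": scan_coverage(runs, all_repos),
    }


if __name__ == "__main__":
    print(reliability_summary(RUNS, ALL_REPOS))
```

The window is whatever set of runs is passed in, so computing the summary per sprint or per week is a matter of filtering `RUNS` by `started` before calling `reliability_summary`.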

Playbooks

Gate is blocking too much

  1. Identify top failing rules.
  2. Validate whether the failures are true positives.
  3. Adjust severity thresholds or exception flow.
  4. Re-check impact after one sprint.
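A policy-driven gate makes this playbook concrete: the "top failing rules" of step 1 are a count over findings that meet the blocking threshold, and step 3 is either raising the threshold or adding a scoped, expiring exception. The following is an added example, not Conviso code; it assumes a simple finding record with a repository, rule id, severity and location, and evaluates a constructed set of findings against a hypothetical policy. Exceptions carry a repository scope and an expiry date so that a false positive accepted once does not silently suppress the rule forever.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """Assumed finding shape; real scanners add much more, but this is what the gate needs."""
    repo: str
    rule_id: str
    severity: str
    location: str


@dataclass(frozen=True)
class GateException:
    rule_id: str
    repo: Optional[str]   # None means the exception applies to every repository
    expires: date         # exceptions expire so the triage decision is revisited
    reason: str


@dataclass
class GatePolicy:
    block_at: str                                        # lowest severity that blocks the pipeline
    exceptions: List[GateException] = field(default_factory=list)


def meets_threshold(finding: Finding, policy: GatePolicy) -> bool:
    return SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[policy.block_at]


def is_excepted(finding: Finding, policy: GatePolicy, today: date) -> bool:
    return any(
        e.rule_id == finding.rule_id
        and e.repo in (None, finding.repo)
        and today <= e.expires
        for e in policy.exceptions
    )


def evaluate_gate(findings: Iterable[Finding], policy: GatePolicy, today: date) -> Dict[str, object]:
    """Gate decision for one pipeline run: blocked flag plus the findings behind it."""
    blocking: List[Finding] = []
    excepted: List[Finding] = []
    for f in findings:
        if not meets_threshold(f, policy):
            continue
        (excepted if is_excepted(f, policy, today) else blocking).append(f)
    return {"blocked": bool(blocking), "blocking": blocking, "excepted": excepted}


def decisions_by_repo(findings: Iterable[Finding], policy: GatePolicy, today: date) -> Dict[str, Dict[str, object]]:
    findings = list(findings)
    repos = sorted({f.repo for f in findings})
    return {r: evaluate_gate([f for f in findings if f.repo == r], policy, today) for r in repos}


def top_failing_rules(findings: Iterable[Finding], policy: GatePolicy, n: int = 3) -> List[Tuple[str, int]]:
    """Playbook step 1: rules that reach the threshold most often, counted before exceptions."""
    counts = Counter(f.rule_id for f in findings if meets_threshold(f, policy))
    return counts.most_common(n)


# Constructed findings and policy for illustration (hypothetical rule ids and paths).
FINDINGS = [
    Finding("web", "sast.sql-injection", "critical", "app/db.py:42"),
    Finding("web", "sast.reflected-xss", "high", "app/views.py:17"),
    Finding("payments", "sast.reflected-xss", "high", "api/render.py:88"),
    Finding("payments", "sca.outdated-dependency", "medium", "requirements.txt"),
    Finding("auth", "secrets.hardcoded-token", "high", "tests/fixtures.py:3"),
]
POLICY = GatePolicy(
    block_at="high",
    exceptions=[
        GateException("secrets.hardcoded-token", "auth", date(2024, 12, 31),
                      "dummy token in a test fixture; validated as a false positive in triage"),
    ],
)
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for repo, decision in decisions_by_repo(FINDINGS, POLICY, TODAY).items():
        print(repo, "BLOCKED" if decision["blocked"] else "passed",
              [f.rule_id for f in decision["blocking"]])
    print("top failing rules:", top_failing_rules(FINDINGS, POLICY))
```

Running it shows `web` and `payments` blocked under the `high` threshold while `auth` passes on the documented exception; raising `block_at` to `critical` lets `payments` through, and once the exception expires `auth` blocks again, which is the re-check step 4 asks for.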

Scanner results stopped arriving

  1. Validate integration credentials and webhook/app status.
  2. Re-run a known project pipeline.
  3. Inspect CLI/scanner logs.
  4. Confirm issues are ingested in Conviso Platform.

Resources

By exploring our content, you'll find resources that will enhance your understanding of the importance of an Application Security Program.

Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.

Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.