DevSecOps Guide

Objective

Operate AppSec in delivery pipelines with high reliability, low friction, and clear policy enforcement.

Main responsibilities

Integrate scanners in CI/CD.
Enforce security gates by policy.
Keep automation stable and observable.
Ensure findings flow to the right teams/channels.

Follow-up routine

Validate pipeline security jobs and failed runs.
Check gate failures by repository/team.
Review scanner coverage (projects/assets onboarded).
Verify alert routing (Slack/Teams/Jira/etc.).
Tune gate policies using recent false-positive/false-negative feedback.
Audit integration health and tokens/credentials.
Review CLI and scanner versions.
Publish a reliability summary for security workflows.

Core workflows in Conviso

Configure integrations: Integrations
Manage security gates: Security Gate
Monitor findings backlog: Vulnerabilities
Understand which statuses count as open: Workflow Status
Review the operational handling flow: Process

Defect tracker integration

Integrate Conviso Platform with your issue management tool using Defect/Bug Tracking integrations to synchronize and manage vulnerabilities in your team workflow.

Decision support with Dashboard

Use the Dashboard as a management layer to track indicators, identify trends, and decide where to act first (for example: unstable pipelines, low scan coverage, or backlog growth).

Automation with CLI and API

Use New CLI and API to automate repetitive security operations in pipelines, orchestrate scan executions, and standardize security checks across repositories.

Management and collaboration tool

Notifications and follow-up signals: Notifications Center

Recommended KPIs

Pipeline security job success rate.
Mean time to recover failed security stage.
Security gate block rate (trend).
Percent of repositories with active security scan coverage.

Playbooks

Gate is blocking too much

Identify top failing rules.
Validate if failures are true positives.
Adjust severity thresholds or exception flow.
Re-check impact after one sprint.

Scanner results stopped arriving

Validate integration credentials and webhook/app status.
Re-run a known project pipeline.
Inspect CLI/scanner logs.
Confirm issues are ingested in Conviso Platform.

Contribute to the Docs

Found something outdated or missing? Help us improve the documentation with a quick suggestion or edit.

How to contribute

Resources

By exploring our content, you'll find resources that will enhance your understanding of the importance of a Security Application Program.

Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.

Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.

Objective​

Main responsibilities​

Follow-up routine​

Core workflows in Conviso​

Defect tracker integration​

Decision support with Dashboard​

Automation with CLI and API​

Management and collaboration tool​

Recommended KPIs​

Playbooks​

Gate is blocking too much​

Scanner results stopped arriving​