The Ultimate DevOps Security Checklist (2025 Edition)

1. Identity and Access Management (IAM)

• Enforce MFA across all platforms (AWS, GitHub, DockerHub, etc.)

• Use least privilege IAM roles for CI/CD pipelines

• Rotate access keys and secrets regularly

• Disable long-lived credentials—use short-lived, ephemeral tokens

• Implement SSO wherever possible for unified control

2. GitHub / Git Repositories

• Require code review and PR approvals (no direct commits to main)

• Enable branch protection rules

• Limit GitHub Actions secret access (avoid pull_request_target with secrets)

• Set up dependency scanning (e.g., Dependabot or Renovate)

• Turn on secret scanning (GitHub Advanced Security, TruffleHog, etc.)

• Use CODEOWNERS to control high-risk files (e.g., Helm charts, Terraform)
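The pull_request_target item above, as an added example that is not part of the original checklist: a workflow shape that hands repository secrets to code from a fork, followed by a safer split into two workflows. The job names and the NPM_TOKEN secret are illustrative assumptions.

```yaml
# Added example, not part of the original checklist. Job, step and secret
# names (NPM_TOKEN) are illustrative assumptions; each document below would
# live in its own file under .github/workflows/.

# --- RISKY SHAPE ---
# pull_request_target runs in the context of the base repository, so the job
# receives repository secrets and a write-capable GITHUB_TOKEN. Checking out
# the PR head and executing its build scripts hands both to any fork.
name: ci-risky
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci && npm test                            # runs that code...
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # ...with a secret
---
# --- SAFER SHAPE, PART 1 ---
# Untrusted code runs under plain pull_request: for PRs from forks the token
# is read-only and repository secrets are not passed to the runner at all.
# permissions: pins the token to read access for same-repo PRs as well.
name: ci
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# --- SAFER SHAPE, PART 2 ---
# pull_request_target is reserved for jobs that never check out or execute
# PR content, such as applying labels, with permissions scoped to that task.
name: label
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
```

A quick audit check is to search the repository's workflow files for `pull_request_target` and flag any job that also references `secrets.` or checks out `github.event.pull_request.head`.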

3. Secrets Management

• Use a dedicated Secrets Manager (AWS Secrets Manager, HashiCorp Vault, Doppler)

• Never store secrets in code or environment files

• Automatically rotate secrets on compromise

• Scan commits for exposed secrets (pre-commit hooks, CI checks)

• Encrypt secrets at rest and in transit

4. Infrastructure as Code (IaC)

• Use tools like tfsec, Checkov, or KICS to scan Terraform/Kubernetes configs

• Store Terraform state securely (encrypted S3 with versioning & locking via DynamoDB)

• Separate prod and non-prod environments

• Use GitOps practices to track changes in infra

• Perform plan and apply steps in CI/CD, not manually

5. CI/CD Pipeline Security

• Use dedicated, hardened runners (e.g., self-hosted GitHub runners or GitLab runners)

• Run CI/CD jobs with minimal privileges

• Avoid exposing secrets to untrusted code or forks

• Add manual approval gates for production deploys

• Log and monitor all CI/CD pipeline activity

6. Container & Kubernetes Security

• Use minimal base images (e.g., distroless, alpine)

• Scan images with Trivy, Grype, or Snyk before deploying

• Use read-only root filesystems and drop unnecessary Linux capabilities

• Enable PodSecurityPolicies or OPA/Gatekeeper/Kyverno

• Set resource limits (CPU, memory) for all containers

• Enforce RBAC and namespace isolation in Kubernetes

• Rotate Kubernetes secrets regularly

7. Cloud Platform (AWS/Azure/GCP)

• Enable CloudTrail / audit logs

• Use Security Hub, GuardDuty, or Azure Defender

• Apply least privilege IAM policies

• Tag and monitor public resources (e.g., S3 buckets, Load Balancers)

• Encrypt data in transit and at rest (S3, EBS, RDS)

• Regularly scan with CloudSploit, ScoutSuite, or Prowler

8. Monitoring & Incident Response

• Centralize logs (e.g., CloudWatch, ELK, Datadog, Loki/Grafana)

• Enable alerts on suspicious activity (e.g., new IAM users, unusual deploys)

• Create a runbook for incident response

• Test disaster recovery and backup plans

• Run tabletop exercises or security game days

9. Dependency & Supply Chain Security

• Pin dependencies to specific versions

• Use Software Bill of Materials (SBOM) tools (e.g., Syft)

• Enable 2FA for all package registries (npm, PyPI, DockerHub, etc.)

• Verify artifacts with checksums/signatures

• Block compromised or unverified packages with tools like SLSA provenance or Sigstore

10. Culture & Education

• Provide secure coding training to all engineers

• Create a “paved road” for secure defaults in your org

• Celebrate good security behavior—don’t just blame breaches

• Make it easy to do the secure thing (templates, automation, documentation)

Final Thoughts

DevOps security isn’t just about tools—it’s about habits, patterns, and culture. This checklist isn’t about perfection; it’s about consistent progress. Review it quarterly, adapt it to your stack, and share it with your team.

Security is a process, not a product.

Feel free to copy, share, fork, or contribute your own additions. Stay safe out there.