Shift Left Without the Pain: Turning Security into a DevOps Habit with Open Source

Security is often treated as a separate phase in software delivery, making it difficult to integrate into fast-moving DevOps workflows.

This talk demonstrates how security can be embedded directly into the development lifecycle using open-source tools, without slowing down delivery.

We will use Trivy to scan container images and repositories for vulnerabilities and misconfigurations in a real-world setup.

A live demo will walk through building a simple CI/CD pipeline (GitHub Actions) that:

• scans application images

• fails builds on HIGH/CRITICAL vulnerabilities

• provides actionable feedback to fix issues

The session will also cover practical challenges such as false positives, developer friction, and how to balance security with speed.

The talk is aimed at developers, DevOps engineers, and students who want to adopt DevSecOps practices using accessible open-source tools.

Attendees will leave with a reproducible approach to integrating security into their pipelines using only open-source solutions.

Understand how to integrate vulnerability scanning into CI/CD pipelines

Learn how to enforce security gates using open-source tools

Gain a reproducible setup for DevSecOps using Trivy