Quick recall Q&A
1. What is "Shift Left" security?
Moving security activities earlier in the SDLC, where findings are cheapest to fix, instead of relying on a single review before release:
- Security requirements (and threat modeling) during planning
- SAST and secret scanning during development, in the IDE and at pre-commit
- Dependency scanning (SCA) in CI
- Container image scanning before deployment
- Automated security gates in the pipeline that fail the build on findings above an agreed severity
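The last bullet is the one that turns scanning into enforcement. The following is an added example, not code from the original page: a pipeline gate that reads scanner output, blocks on findings at or above a severity threshold, and honours an exception list whose entries expire so accepted risks are re-reviewed rather than forgotten. The report layout (a JSON object with a `findings` list carrying `id`, `severity` and `location`) and the placeholder finding ids are constructed for illustration and are not any specific scanner's schema; map your tool's output into it.

```python
"""CI security gate over scanner output. Added example, not code from the
original page. The report layout (a JSON object with a "findings" list, each
carrying id/severity/location) is a constructed shape for illustration, not
any specific scanner's schema; map your tool's output into it."""
import json
from dataclasses import dataclass
from datetime import date

# Severity order for the gate. A severity outside this table fails the build
# rather than being silently ignored: the gate fails closed.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    id: str        # rule id or advisory id from the scanner
    severity: str  # normalised to upper case
    location: str  # file:line or package@version


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the constructed report format; raises on unknown severities."""
    data = json.loads(report_json)
    findings = []
    for raw in data.get("findings", []):
        sev = str(raw["severity"]).upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for finding {raw.get('id')!r}")
        findings.append(Finding(raw["id"], sev, raw.get("location", "unknown")))
    return findings


def evaluate_gate(findings, fail_on="HIGH", exceptions=None, today=None):
    """Return (passed, blocking, stale_exceptions).

    `exceptions` maps a finding id to the ISO date until which the risk has been
    accepted. An exception silences a finding only until that date, so accepted
    risks get re-reviewed instead of living forever in an allow-list.
    `today` is an ISO date string (defaults to the real date) so the decision
    is reproducible in tests.
    """
    exceptions = exceptions or {}
    now = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, stale = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        expiry = exceptions.get(f.id)
        if expiry is not None:
            if date.fromisoformat(expiry) >= now:
                continue          # accepted risk, still within its review window
            stale.append(f.id)    # exception expired: block again and flag it
        blocking.append(f)
    return (not blocking, blocking, stale)


# Constructed sample report and exception list (ids are placeholders).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "EXAMPLE-CRIT-1", "severity": "critical", "location": "pkg:npm/example-lib@1.0.0"},
    {"id": "EXAMPLE-HIGH-1", "severity": "high", "location": "pkg:pypi/somelib@2.0"},
    {"id": "EXAMPLE-MED-1", "severity": "medium", "location": "app/db.py:42"},
]})
SAMPLE_EXCEPTIONS = {"EXAMPLE-HIGH-1": "2030-12-31"}


def run_gate(report_json=SAMPLE_REPORT, exceptions=SAMPLE_EXCEPTIONS, today=None) -> int:
    """Pipeline entry point: prints the verdict and returns the process exit code."""
    passed, blocking, stale = evaluate_gate(parse_findings(report_json), "HIGH", exceptions, today)
    for f in blocking:
        print(f"BLOCK {f.severity:<8} {f.id} at {f.location}")
    for fid in stale:
        print(f"STALE exception for {fid}: re-review or remediate")
    print("gate: PASS" if passed else "gate: FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate())
```

Two design points worth copying into a real gate: an unrecognised severity raises instead of being treated as informational, and an exception that has passed its expiry blocks the build again and is reported separately, so the allow-list cannot quietly become permanent.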
2. How do you handle secrets in CI/CD?
- Never commit secrets to code; anything that has been pushed stays in the history and must be rotated, not just deleted
- Use the platform's secret store or a vault (GitHub Actions secrets, Azure Key Vault, HashiCorp Vault) and inject secrets into the job at runtime
- Prefer OIDC federation to cloud providers: the job presents a short-lived identity token and receives temporary credentials, so no long-lived cloud keys are stored in the CI system
- Rotate secrets regularly, and immediately on suspected exposure
- Least-privilege scoping: per-environment secrets, minimal token permissions, protected environments for production secrets
- Audit secret access and keep secrets out of logs (log masking is best-effort, so never echo them)
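The "never commit secrets" rule is enforced in practice with a scanner at pre-commit and in CI. The following is an added example, not code from the original page: a small scanner that combines prefix-based detectors for well-known token formats with an entropy test for generic `name = value` assignments, and that ignores values which merely reference a secret store. The token regexes follow the publicly documented prefixes (AWS access key ids start with `AKIA`, classic GitHub personal access tokens with `ghp_`); the sample files are constructed, and the AWS values in them are the documented example credentials, not live keys.

```python
"""Pre-commit secret scanner. Added example, not code from the original page.
Detector regexes follow the public token formats; the sample files below are
constructed, and the AWS values are the documented example credentials."""
import math
import re
from collections import Counter
from typing import NamedTuple


class Hit(NamedTuple):
    path: str
    line: int
    kind: str
    key: str   # variable/field name the value was assigned to, if any


# Detectors for token formats with a fixed prefix.
STRUCTURED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "credential-looking-name = value" assignments; the value is then
# judged by entropy so placeholders such as 'changeme' are not reported.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z_]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z_]*)"
    r"\s*[:=]\s*['\"]?([^'\"\s]{8,})")
# Values that reference a secret store instead of containing a secret.
REFERENCE_VALUE = re.compile(r"^(\$\{|\$\(|\$[A-Za-z_]|\{\{|os\.environ|process\.env)")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking keys score well above prose-like text."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list[Hit]:
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        structured = [k for k, pat in STRUCTURED_PATTERNS.items() if pat.search(line)]
        if structured:
            hits.extend(Hit(path, lineno, k, "") for k in structured)
            continue  # a structured hit already covers this line
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if REFERENCE_VALUE.match(value):
            continue  # e.g. ${VAULT_TOKEN} or os.environ[...]: the right pattern
        if shannon_entropy(value) >= entropy_threshold:
            hits.append(Hit(path, lineno, "high_entropy_value", key))
    return hits


def scan_files(files: dict[str, str]) -> list[Hit]:
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


# Constructed sample tree: one reference to a secret store, one low-entropy
# placeholder, and three real-looking credentials that should be reported.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        "API_TOKEN = 'changeme'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    ".github/workflows/ci.yml": (
        "      env:\n"
        "        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n"
        "        GH_TOKEN: ghp_0123456789abcdefghijABCDEFGHIJ012345\n"
    ),
}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for h in found:
        print(f"{h.path}:{h.line}: {h.kind} {h.key}".rstrip())
    raise SystemExit(1 if found else 0)   # non-zero blocks the commit
```

Run it as a pre-commit hook over staged files and again in CI over the full tree; a hook alone can be skipped with `--no-verify`. The entropy threshold is a tuning knob: 3.5 bits per character keeps `changeme` quiet while the 40-character AWS secret scores well above it.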
3. Explain container security layers
- Base image: minimal (distroless or slim), from a trusted registry, pinned by digest, scanned
- Build process: multi-stage so compilers and tooling stay out of the final image; no secrets in layers (build args and copied files persist in the image history even if deleted in a later step)
- Runtime: non-root user, read-only root filesystem, drop all capabilities, no privilege escalation, seccomp profile applied
- Network: network policies (default deny), mTLS between services
- Orchestration: Pod Security Standards (restricted profile), RBAC, admission control
4. What is Policy as Code?
- Security and compliance rules written as code rather than as documents
- Automated enforcement in CI/CD (linting IaC and manifests) and at runtime (admission control in the cluster)
- Version controlled, reviewed like any other change, auditable
- Tools: OPA/Gatekeeper, Kyverno, Checkov
- Examples: require resource limits, block privileged containers, require non-root
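The runtime and orchestration rules from question 3 are exactly what a policy from question 4 encodes. The following is an added example, not code from the original page and not a Kyverno or OPA policy: a plain Python check implementing those rules over a pod manifest, usable as a CI step over rendered manifests or as the decision logic behind a validating admission webhook. Rule names and both sample manifests are this example's own, and the image digest in the good manifest is a placeholder.

```python
"""Policy-as-code check for the pod/container rules. Added example, not code
from the original page and not a Kyverno/OPA policy; it re-implements the same
rules in Python. Rule wording and sample manifests are this example's own."""


def _effective(pod_sc: dict, ctr_sc: dict, key: str):
    """runAsNonRoot may be set at pod level; a container-level value overrides it."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def check_pod(manifest: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the pod is admitted."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    # initContainers run under the same privilege model and are commonly forgotten.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            violations.append(f"{name}: privileged containers are blocked")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or caps.get("add"):
            violations.append(f"{name}: must drop ALL capabilities and add none")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"{name}: missing resources.limits.{res}")
        if "@sha256:" not in c.get("image", ""):
            violations.append(f"{name}: image must be pinned by digest, not tag")
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        violations.append("pod: host namespaces (hostNetwork/hostPID/hostIPC) are blocked")
    return violations


# Constructed manifests. The digest below is a placeholder, not a real image.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{
            "name": "app", "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "image": "registry.example.com/web/app@sha256:" + "0123456789abcdef" * 4,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            # With a read-only root filesystem the app still needs scratch space.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        result = check_pod(pod)
        print(f"{label}: {'ADMIT' if not result else 'DENY'}")
        for v in result:
            print("  -", v)
```

Two checks here are easy to get wrong in a hand-written policy: `allowPrivilegeEscalation` must be required to be explicitly `false` because the Kubernetes default is `true`, and a container-level `runAsNonRoot: false` silently overrides a compliant pod-level setting, so the effective value has to be resolved per container.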