Online
On-site
Hybrid

DevSecOps Essentials Bootcamp

Build a strong foundation in implementing a practical DevSecOps pipeline, from secure coding to container security and Kubernetes hardening. Learn how to automate security checks across CI/CD using IaC scanning, policy enforcement, and security gates to deliver fast, compliant, and reliable releases.

Duration:
3 days
Rating:
4.8/5.0
Level:
Intermediate
1500+ users onboarded

Who will Benefit from this Training?

  • DevOps Engineers
  • Cloud Engineers
  • SRE Teams
  • Backend and Full Stack Developers
  • Platform Engineering Teams
  • Security Engineers working with DevOps pipelines
  • Engineering Leads implementing secure delivery workflows

Training Objectives

  • Understand DevSecOps fundamentals and how it differs from traditional security models.
  • Shift security left by integrating checks into developer workflow and CI pipelines.
  • Implement secure SDLC practices including SAST, dependency scanning (SCA), and secret scanning.
  • Secure Docker images using best practices, minimal base images, and safe tagging strategies.
  • Scan container images for vulnerabilities and enforce policy thresholds in CI.
  • Apply Kubernetes security fundamentals including namespaces, RBAC basics, and securityContext hardening.
  • Use resource requests and limits to improve workload stability and reduce security risk from noisy neighbors.
  • Apply IaC security practices through Terraform scanning and remediation.
  • Understand supply chain risks and implement controls like trusted registries and SBOM awareness (conceptual).
  • Build an end-to-end GitHub Actions DevSecOps pipeline with PR gating and incident simulation.

Build a high-performing, job-ready tech team.

Personalise your team’s upskilling roadmap and design a hands-on training program tailored to your team with Uptut

Key training modules

Comprehensive, hands-on modules designed to take you from basics to advanced concepts
  • Module 1: DevSecOps Fundamentals (Big Picture)
    1. DevSecOps definition and goals
    2. Traditional security vs DevSecOps (shift-left vs end-stage security)
    3. Shared responsibility across Dev, Sec, Ops
    4. Security as code (automated checks and policies)
    5. Hands-on: Activity: Map a delivery flow and identify where security should be added
  • Module 2: Shift-Left Security in Developer Workflow
    1. Where to integrate security checks (IDE/pre-commit, PR, CI)
    2. Branch protection and required checks strategy
    3. Fast feedback and reducing false positives
    4. PR gating and secure merge practices
    5. Hands-on: Lab: Configure GitHub branch protection rules and required checks
  • Module 3: Secure SDLC Scanning Essentials (SAST, SCA, Secret Scanning)
    1. SAST fundamentals and common findings
    2. Dependency scanning (SCA) and risk-based prioritization
    3. Secret scanning patterns and prevention
    4. Fail vs warn strategy by severity
    5. Hands-on: Lab: Add SAST + SCA + secret scanning to CI and block merge on critical issues
  • Module 4: GitHub Actions DevSecOps Pipeline Foundations
    1. GitHub Actions workflow structure (triggers, jobs, steps)
    2. Runner and permissions basics
    3. Secure secrets usage (GitHub Secrets, environments)
    4. PR workflow design for gated security checks
    5. Hands-on: Lab: Build a PR workflow that runs security checks and gates merges
  • Module 5: Findings Triage and Remediation Workflow
    1. Reading and interpreting scan reports (severity, CVE, fix availability)
    2. Triage workflow (fix, suppress, accept risk with justification)
    3. Reducing noise with baselines and allowlists
    4. Creating a remediation playbook and ownership model
    5. Hands-on: Activity: Triage sample findings and create a prioritized remediation plan
  • Module 6: Docker Image Security Best Practices
    1. Common container risks (root user, bloated images, outdated base images)
    2. Secure Dockerfile practices (multi-stage builds, non-root user)
    3. Minimal base images concepts (slim/alpine/distroless)
    4. Preventing secret leakage in images
    5. Hands-on: Lab: Refactor an insecure Dockerfile into a secure minimal Dockerfile
  • Module 7: Safe Image Tagging and Trusted Registry Practices
    1. Why using 'latest' is risky
    2. Tagging strategies (semantic versioning, git-sha tags, immutability)
    3. Trusted registries concept and access controls
    4. Image provenance awareness (concept)
    5. Hands-on: Activity: Implement tagging standards and enforce them in CI
  • Module 8: Container Image Vulnerability Scanning in CI
    1. Why scanning must be automated in pipelines
    2. Interpreting vulnerability scans (CVE, severity, fix available)
    3. Publishing scan reports as pipeline artifacts
    4. Baseline and exception handling for known risks
    5. Hands-on: Lab: Scan a built image in GitHub Actions and publish the scan report
  • Module 9: Policy Enforcement Thresholds in CI
    1. Defining policy thresholds (fail on Critical, warn on High)
    2. PR gate enforcement logic and exit codes
    3. Exception workflow (temporary allowlist with expiry)
    4. Tracking and reporting policy violations
    5. Hands-on: Lab: Fail CI when Critical/High vulnerabilities exceed threshold
  • Module 10: Supply Chain Security and SBOM Awareness (Conceptual)
    1. Software supply chain risk overview
    2. Risks (compromised dependencies, poisoned images, dependency confusion)
    3. Controls (trusted registries, least-privilege CI permissions)
    4. SBOM awareness (what it is and why it matters)
    5. Hands-on: Activity: Generate an SBOM (or review one) and document key insights
  • Module 11: Kubernetes Security Fundamentals (Namespaces and RBAC)
    1. Namespace isolation fundamentals
    2. RBAC basics (Role/ClusterRole, RoleBinding/ClusterRoleBinding)
    3. Least privilege principles in Kubernetes
    4. Common RBAC misconfigurations and impact
    5. Hands-on: Lab: Create namespace + RBAC role for a developer and validate access
  • Module 12: Kubernetes Workload Hardening with securityContext
    1. securityContext essentials (runAsNonRoot, allowPrivilegeEscalation=false)
    2. Read-only root filesystem and capability drops
    3. Pod Security Standards awareness (baseline/restricted concept)
    4. Hardening deployment YAML patterns
    5. Hands-on: Lab: Harden a deployment YAML using securityContext best practices
  • Module 13: Resource Requests and Limits for Stability and Risk Reduction
    1. Requests vs limits explained
    2. Noisy neighbor problem and availability risks
    3. Resource controls as a security control (DoS risk reduction)
    4. Practical sizing starter patterns
    5. Hands-on: Lab: Apply requests/limits to workloads and observe scheduling/stability effects
  • Module 14: IaC Security with Terraform Scanning and Remediation
    1. Common Terraform risks (open security groups, public buckets, permissive IAM)
    2. Terraform scanning concepts and how CI blocks risky merges
    3. Remediation workflow (fix module defaults, tighten policies)
    4. Adding guardrails to prevent regressions
    5. Hands-on: Lab: Scan Terraform code in CI and remediate critical misconfigurations
  • Module 15: End-to-End GitHub Actions DevSecOps Pipeline (PR Gating + Incident Simulation)
    1. Pipeline stages design (PR checks, scans, build, policy gate)
    2. PR gating rules (required checks, protected branches)
    3. Integrating SAST, SCA, secret scanning, image scanning, IaC scanning
    4. Incident simulation scenarios (secret leak, vulnerable dependency, vulnerable image)
    5. Hands-on: Capstone Lab: Build the complete GitHub Actions DevSecOps pipeline with PR gating and simulate incidents to validate blocking and reporting
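
The policy gate described in Modules 8 and 9 (fail on Critical, warn on High, temporary allowlist with expiry, report published back to the PR), as an added example in Python that is not part of the course material. The report layout, field names, the allowlist format and the sample findings are all constructed for the example and are not any particular scanner's output format; the `::error::` / `::warning::` lines are the GitHub Actions workflow-command syntax that surfaces messages as PR annotations.

```python
"""Policy gate for container-image vulnerability scan results.

Reads a scanner report (JSON), applies severity thresholds and a
time-boxed allowlist, and returns the exit code CI should use.
The report shape and field names below are an assumption for the
example; adapt load_findings() to the scanner you actually run.
"""
import json
import sys
from datetime import date

# Constructed sample report (not a real scanner's format).
SAMPLE_REPORT = json.dumps({
    "artifact": "registry.example.com/shop/api:1.4.2",
    "results": [
        {"target": "python:3.12-slim (debian 12.5)",
         "vulnerabilities": [
             {"id": "CVE-2024-0001", "pkg": "libssl3", "severity": "CRITICAL", "fixed_version": "3.0.13-1"},
             {"id": "CVE-2024-0002", "pkg": "libc6", "severity": "HIGH", "fixed_version": None},
             {"id": "CVE-2023-0003", "pkg": "zlib1g", "severity": "MEDIUM", "fixed_version": "1.2.13-2"},
         ]},
        {"target": "app/requirements.txt",
         "vulnerabilities": [
             {"id": "CVE-2024-0004", "pkg": "requests", "severity": "HIGH", "fixed_version": "2.32.0"},
         ]},
    ],
})

# Hypothetical allowlist: every exception carries an owner, a reason and an expiry date.
SAMPLE_ALLOWLIST = [
    {"id": "CVE-2024-0001", "owner": "platform-team", "reason": "vendor fix pending", "expires": "2024-06-30"},
    {"id": "CVE-2024-0004", "owner": "api-team", "reason": "upgrade scheduled", "expires": "2099-01-01"},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def load_findings(report_json):
    """Flatten the (assumed) report structure into one list of findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("results", []):
        for v in result.get("vulnerabilities", []):
            findings.append({
                "id": v["id"], "pkg": v["pkg"], "target": result["target"],
                "severity": v.get("severity", "UNKNOWN").upper(),
                "fixed_version": v.get("fixed_version"),
            })
    return findings


def active_allowlist(entries, today):
    """Split exceptions into still-valid and expired ids. An expired entry no longer
    suppresses anything, so the finding fails the gate again instead of being ignored forever."""
    active, expired = set(), set()
    for e in entries:
        (active if date.fromisoformat(e["expires"]) >= today else expired).add(e["id"])
    return active, expired


def evaluate(findings, allowlist, today, fail_on="CRITICAL", warn_on="HIGH"):
    active, expired = active_allowlist(allowlist, today)
    blocking, warnings, suppressed = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], 0)
        if f["id"] in active:
            suppressed.append(f)
        elif rank >= SEVERITY_RANK[fail_on]:
            blocking.append(f)
        elif rank >= SEVERITY_RANK[warn_on]:
            warnings.append(f)
    return {"blocking": blocking, "warnings": warnings,
            "suppressed": suppressed, "expired_exceptions": sorted(expired)}


def gate(report_json, allowlist, today=None, fail_on="CRITICAL", warn_on="HIGH"):
    """Print PR annotations and return the process exit code (1 blocks the merge)."""
    today = date.fromisoformat(today) if today else date.today()
    outcome = evaluate(load_findings(report_json), allowlist, today, fail_on, warn_on)
    for f in outcome["blocking"]:
        fix = f["fixed_version"] or "no fix available"
        print(f"::error::{f['id']} {f['severity']} in {f['pkg']} ({f['target']}): {fix}")
    for f in outcome["warnings"]:
        print(f"::warning::{f['id']} {f['severity']} in {f['pkg']} ({f['target']})")
    for cve in outcome["expired_exceptions"]:
        print(f"::warning::allowlist entry for {cve} has expired and no longer suppresses it")
    return 1 if outcome["blocking"] else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, "2025-01-15"))
```

Run as the last step after the scan step in the PR workflow; the non-zero exit is what makes the required check fail. With the sample data the expired exception for the Critical finding is reported and the build is blocked, while the High finding with a current exception is suppressed and the other High is only a warning.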

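The manifest checks from Modules 7 and 12 (reject `latest` and untagged images, require semver, git-sha or digest-pinned references from a trusted registry, and require the securityContext settings runAsNonRoot, allowPrivilegeEscalation=false, read-only root filesystem and dropped capabilities), as an added example in Python that is not part of the course material. The trusted-registry list, the accepted tag formats and the "before" Deployment are assumptions constructed for the example; the manifest is passed in already parsed (what `yaml.safe_load` or `kubectl get -o json` gives you) so the script needs only the standard library.

```python
"""Pre-merge check for a Kubernetes Deployment: image tag policy and securityContext hardening.

The rules approximate the Pod Security 'restricted' profile plus a tagging
standard; they are illustrative, not a conformance test.
"""
import copy
import re

# Assumed tagging standard: semver, a 7-40 hex git sha, or a digest-pinned reference.
SEMVER = re.compile(r"^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
GIT_SHA = re.compile(r"^[0-9a-f]{7,40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
TRUSTED_REGISTRIES = ("registry.example.com/",)  # assumed registry allowlist


def check_image(ref):
    """Return policy violations for one image reference."""
    problems = []
    if not ref.startswith(TRUSTED_REGISTRIES):
        problems.append(f"{ref}: not from a trusted registry")
    if DIGEST.search(ref):
        return problems  # a digest is immutable, so no tag is required
    _, sep, tag = ref.rpartition(":")
    # A ':' may be a registry port (host:5000/img); it is a tag only if no '/' follows it.
    if not sep or "/" in tag:
        problems.append(f"{ref}: no tag (defaults to 'latest')")
    elif tag == "latest":
        problems.append(f"{ref}: 'latest' tag is mutable")
    elif not (SEMVER.match(tag) or GIT_SHA.match(tag)):
        problems.append(f"{ref}: tag '{tag}' is not semver or a git sha")
    return problems


REQUIRED_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}


def check_container(c):
    problems = check_image(c.get("image", ""))
    sc = c.get("securityContext", {})
    for key, want in REQUIRED_CONTEXT.items():
        if sc.get(key) != want:
            problems.append(f"{c['name']}: securityContext.{key} should be {want}")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append(f"{c['name']}: securityContext.capabilities.drop should include ALL")
    if sc.get("privileged"):
        problems.append(f"{c['name']}: privileged container")
    res = c.get("resources", {})
    if not res.get("requests") or not res.get("limits"):
        problems.append(f"{c['name']}: resources.requests and resources.limits must be set")
    return problems


def audit(deployment):
    """Return every violation in the pod template; an empty list means the check passes."""
    spec = deployment["spec"]["template"]["spec"]
    problems = []
    if spec.get("hostNetwork") or spec.get("hostPID"):
        problems.append("pod: hostNetwork/hostPID must be false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        problems.extend(check_container(c))
    return problems


def harden(deployment):
    """Copy the manifest with the securityContext fields set. Image tags and resource
    sizing need a human decision, so they are reported by audit() but not auto-fixed."""
    d = copy.deepcopy(deployment)
    for c in d["spec"]["template"]["spec"].get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc.update(REQUIRED_CONTEXT)
        sc.pop("privileged", None)
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return d


# Constructed "before" manifest showing the mistakes the modules list.
INSECURE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.com/shop/api:latest",
        "securityContext": {"privileged": True},
    }]}}},
}

if __name__ == "__main__":
    for p in audit(INSECURE):
        print("FAIL", p)
    print("remaining after harden():", audit(harden(INSECURE)))
```

Running `audit()` on the constructed manifest lists seven violations; after `harden()` only the mutable tag and the missing requests/limits remain, which is the intended split between what a script may change on its own and what needs the owning team to decide.
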

Training Delivery Format

Flexible, comprehensive training designed to fit your schedule and learning preferences
Opt-in Certifications
AWS, Scrum.org, DASA & more
100% Live
on-site/online training
Hands-on
Labs and capstone projects
Lifetime Access
to training material and sessions

How Does Personalised Training Work?

  1. Skill-Gap Assessment: Analysing the skill gap and assessing business requirements to craft a unique program
  2. Personalisation: Customising the curriculum and projects to prepare your team for challenges within your industry
  3. Implementation: Supplementing training with consulting support to ensure implementation in real projects

Why DevSecOps for your business?

  • Reduce security risk without slowing delivery: Automated checks catch issues early and prevent insecure releases.
  • Lower cost of fixing vulnerabilities: PR-phase fixes are significantly cheaper than post-release remediation.
  • Better compliance and auditability: Security controls become repeatable through Git history and pipeline logs.
  • Fewer production incidents: Secure containers, safe Kubernetes defaults, and controlled pipelines reduce outages.
  • Higher customer trust: Strong security hygiene improves reliability and contract readiness.

Lead the Digital Landscape with Cutting-Edge Tech and In-House "Techsperts"

Discover the power of digital transformation with train-to-deliver programs from Uptut's experts. Backed by 50,000+ professionals across the world's leading tech innovators.

Frequently Asked Questions

1. What are the pre-requisites for this training?

The training does not require you to have prior skills or experience. The curriculum covers basics and progresses towards advanced topics.

2. Will my team get any practical experience with this training?

With our focus on experiential learning, we have made the training as hands-on as possible with assignments, quizzes and capstone projects, and a lab where trainees will learn by doing tasks live.

3. What is your mode of delivery - online or on-site?

We conduct both online and on-site training sessions. You can choose any according to the convenience of your team.

4. Will trainees get certified?

Yes, all trainees will get certificates issued by Uptut under the guidance of industry experts.

5. What do we do if we need further support after the training?

We have an incredible team of mentors that are available for consultations in case your team needs further assistance. Our experienced team of mentors is ready to guide your team and resolve their queries to utilize the training in the best possible way. Just book a consultation to get support.
