
πŸ” DevSecOps β€” 10 Interview Questions (Real-World Focus)


✅ Q1 — Where do you integrate security in a CI/CD pipeline?

Security should be layered: SAST during build, dependency scanning after package install, container image scanning before push, and runtime policy checks at deploy. Secrets scanning also runs on repository commits. Security must be shift-left — not post-deploy.


✅ Q2 — How do you scan container images in production pipelines?

I use image scanners like Trivy, Grype, or Anchore in the CI stage right after the image build. The pipeline fails on high/critical CVEs. Results are stored as build artifacts. Base images are also pinned and regularly refreshed.


✅ Q3 — What is SBOM and why is it becoming important?

SBOM (Software Bill of Materials) lists all dependencies inside an artifact. It helps track vulnerable libraries and supply chain risk. Many compliance frameworks now require SBOM. Tools like Syft generate it.


✅ Q4 — How do you manage secrets securely in Kubernetes?

Never store plain secrets in Git. Use External Secrets Operator or Sealed Secrets. Back secrets with AWS Secrets Manager or Vault. Control access via RBAC and IAM roles.


✅ Q5 — How do you prevent secrets leakage in CI logs?

Use secret masking and credentials binding. Avoid echoing env vars. Restrict debug logs in secure stages. Rotate any exposed secret immediately.


✅ Q6 — What is image signing and when do you use it?

Image signing verifies artifact authenticity. Tools like Cosign sign container images. Cluster admission policies can enforce that only signed images run. This protects supply chain integrity.


✅ Q7 — Kubernetes runtime security — what controls do you apply?

Use Pod Security Standards, non-root containers, a read-only root filesystem, and dropped capabilities. Add runtime detection like Falco. Restrict hostPath mounts and privileged mode.


✅ Q8 — How do you enforce security policies in Kubernetes?

Use OPA Gatekeeper or Kyverno. Policies enforce rules like no latest tag, resource limits required, no privileged pods. Admission control blocks violations before deploy.


✅ Q9 — How do you secure Terraform usage?

Use least-privilege IAM roles for Terraform. Keep state remote and encrypted. No hardcoded credentials. Require plan approval before apply. Audit state access.


✅ Q10 — Biggest DevSecOps mistake teams make?

Running scanners but ignoring results. Security without enforcement is theater. Pipelines must fail or block on critical risk — otherwise it’s checkbox security.
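As an added example (not from the original post) of the enforcement point in Q2 and Q10, here is a small gate that reads Trivy's JSON output and exits non-zero on findings at or above a severity threshold, with a time-boxed allowlist so accepted risks expire instead of being silently ignored. The Trivy JSON field names are real; the report contents, CVE ids and dates are constructed.

```python
"""Severity gate over Trivy JSON output (added example; not the page's code)."""
import sys
from datetime import date

# Trivy severities from least to most severe; UNKNOWN is treated as lowest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def blocking_findings(report, threshold="HIGH", allowlist=None, today=None,
                      ignore_unfixed=False):
    """Return the findings that must fail the pipeline stage.
    report is parsed Trivy JSON (a dict with a top-level "Results" list).
    threshold is the lowest blocking severity ("HIGH" blocks HIGH and CRITICAL).
    allowlist maps risk-accepted CVE ids to an ISO expiry date; once that date
    has passed the finding blocks again. today is an ISO date (default: now).
    ignore_unfixed skips findings with no FixedVersion (like trivy --ignore-unfixed).
    """
    allowlist = allowlist or {}
    today = today or date.today().isoformat()  # ISO strings sort chronologically
    min_rank = SEVERITY_ORDER.index(threshold)
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_ORDER.index(sev) < min_rank:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            expiry = allowlist.get(vuln["VulnerabilityID"])
            if expiry and expiry >= today:
                continue  # accepted risk, still inside its review window
            blocking.append({"id": vuln["VulnerabilityID"], "pkg": vuln.get("PkgName"),
                             "severity": sev, "fixed": vuln.get("FixedVersion"),
                             "target": result.get("Target")})
    return blocking


# Constructed sample in Trivy's JSON layout; the CVE ids are placeholders, not real.
SAMPLE_REPORT = {"Results": [{"Target": "app:1.2.3 (alpine 3.19)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "openssl", "Severity": "CRITICAL", "FixedVersion": "3.1.4-r1"},
    {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib", "Severity": "MEDIUM", "FixedVersion": "1.3.1-r0"},
    {"VulnerabilityID": "CVE-0000-00004", "PkgName": "curl", "Severity": "HIGH", "FixedVersion": "8.6.0-r0"},
]}]}
# One acceptance still valid, one that has lapsed and so blocks again.
SAMPLE_ALLOWLIST = {"CVE-0000-00004": "2030-01-01", "CVE-0000-00002": "2020-01-01"}

if __name__ == "__main__":
    hits = blocking_findings(SAMPLE_REPORT, allowlist=SAMPLE_ALLOWLIST)
    for h in hits:
        print(f"{h['severity']:8} {h['id']} {h['pkg']} in {h['target']} (fix: {h['fixed'] or 'none'})")
    sys.exit(1 if hits else 0)  # a non-zero exit is what actually fails the CI stage
```

In a real pipeline the report would come from `trivy image -f json -o report.json <image>` and the allowlist from a reviewed file in the repository, so every exception has an owner and an end date.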

