DevOps Security: Pipeline Armor
DevSecOps embeds Bandit in GitLab CI, e.g., flagging os.popen() in Python 3.8 code. Terraform pins VPC egress with a deny rule, e.g., an aws_network_acl_rule with protocol = "-1" and rule_action = "deny". Falco catches execve("/bin/sh") in k8s pods. Vault rotates AES-256 keys via HSM (vault write -f transit/keys/<key-name>/rotate). CycloneDX SBOMs audit dependencies, e.g., openssl-1.1.1k. Consulting engagements audit the pipeline .yml files; paid ops teams deploy KubeSec and enforce PodSecurityPolicies (removed in Kubernetes 1.25 in favor of Pod Security Admission), a costly form of control.
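The sketch below is an added example, not Bandit's code and not from the original page. It is a simplified stand-in for the kind of static check that flags os.popen(), run over a constructed sample that also contains the hardened subprocess.run form. The function names and the sample source are assumptions.

```python
import ast

# Constructed sample: one os.popen() call, its hardened equivalent
# (argument list, no shell), and one subprocess call with shell=True.
SAMPLE = '''
import os
import subprocess

def disk_usage_unsafe(path):
    return os.popen("du -sh " + path).read()

def disk_usage_safe(path):
    result = subprocess.run(["du", "-sh", "--", path],
                            capture_output=True, text=True, check=True)
    return result.stdout

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)
'''

# Calls that always hand their argument to a shell.
SHELL_CALLS = {("os", "popen"), ("os", "system")}


def _qualified_name(func):
    """Return ('os', 'popen') for a call written as os.popen(...), else None.
    Aliased imports (from os import popen) are not resolved in this sketch."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def find_shell_calls(source):
    """Return sorted (line, description) findings for shell-spawning calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name in SHELL_CALLS:
            findings.append((node.lineno, ".".join(name)))
        elif name and name[0] == "subprocess":
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, ".".join(name) + " shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, what in find_shell_calls(SAMPLE):
        print(f"line {line}: {what}")
```

A CI job can fail the build when the returned list is non-empty; the argument-list form in disk_usage_safe passes because no shell ever parses the path.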

