Safeguard
DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Safeguard Research Team
Research
7 min read

Most organizations that say they're "doing DevSecOps" have really just bought a scanner and bolted it onto a CI job. That gap between buying tools and changing outcomes is measurable: Google Cloud's 2024 Accelerate State of DevOps (DORA) Report, based on responses from roughly 39,000 technology professionals, found that AI-tool adoption correlated with worse software delivery performance for the second consecutive year running, with larger batch sizes cited as a contributing driver of risk — more automation, deployed without the surrounding process changes, made things worse, not better. The pattern isn't new. Log4Shell (CVE-2021-44228), the remote-code-execution flaw in Apache Log4j, was privately reported to Apache by Chen Zhaojun of Alibaba Cloud's security team on November 24, 2021, and the CVE was published on December 10, 2021 with a maximum CVSS score of 10.0. The organizations that struggled for weeks after disclosure weren't the ones without a scanner — they were the ones without an SBOM, without a fast patch pipeline, and without a defined owner for "who ships the fix." A tool answers "did we find it." A roadmap answers "what happens next," four times over. This piece lays out the four phases — tool integration, policy gates, developer workflow, and culture — in the order that actually works.

What does phase one, tool integration, actually require?

Phase one requires connecting your existing scanning categories — SAST, DAST, software composition analysis (SCA), secrets detection, container, and infrastructure-as-code (IaC) scanning — into your pipeline and, critically, into one shared findings model rather than six separate dashboards. This is foundational, not optional, because every later phase depends on having a single, queryable source of truth for what's vulnerable. Safeguard's own application security testing rollout illustrates the shape of this correctly: SAST traces untrusted input from a source (a request parameter, a CLI argument) to a dangerous sink (a SQL query, a command execution) with a full dataflow trace, while DAST tests running applications with safe, non-destructive requests against verified, scope-limited targets only. The two share one findings model with correlation keys, so a DAST-confirmed runtime issue and the SAST-identified source-code sink that caused it link together into a single, prioritized finding instead of two disconnected tickets. Without that unification, phase one just produces more noise, faster.

Why does phase two need policy-as-code gates, not just alerts?

Phase two needs enforced gates because a finding nobody is required to act on is indistinguishable from no finding at all. This is the difference between "we scan for it" and "we block on it." Policy-as-code frameworks — the general model described in NIST's Secure Software Development Framework (SSDF) and echoed across the OWASP DevSecOps Maturity Model — express rules like "block any critical SCA finding with a known exploit" as versioned, machine-enforced logic rather than a wiki page someone reads once. Safeguard's guardrails-and-enforcement system is a concrete example of this pattern: YAML-defined policy gates apply BLOCK, WARN, or AUTO_FIX effects against CI/CD, registries, admission, and runtime, evaluated against SBOM, CVE, license, and signing rules. That's a distinct mechanism, worth naming precisely, from request-time policies that govern live tool calls — Safeguard's Guard policies separately evaluate allow / deny / monitor actions against MCP requests in priority order, with a documented fallback that flags unmatched traffic for monitoring rather than silently letting it through. Whichever gate model you adopt, the design principle is identical: an unmatched or unreviewed case should default to visibility, not silence.

How does phase three change where security work actually happens?

Phase three moves the review moment from a security team's backlog to the pull request the developer already has open, because a finding surfaced two sprints after the code shipped gets a different (worse) response than one surfaced before merge. This is the literal meaning of "shift left," and it depends on findings arriving with enough context that a developer doesn't need a security specialist to act on them — a file, a line, a severity, and ideally a suggested fix. Safeguard's PR Guard is a working example of this phase: it analyzes a pull request's diff and returns severity-ranked comments (critical through info), each tied to a specific file and line, categorized by type (security, bug, reliability, performance, and others), with an optional suggested fix attached — and it can post those comments directly onto the GitHub pull request itself, so reviewers see them inline rather than needing a separate visit to a security console. The mechanism matters less than the principle: security feedback has to compete for developer attention on the developer's own turf, at the moment the diff is still open, or it competes for nothing at all.

Why is culture the hardest phase, and why can't you skip to it?

Culture is the hardest phase because it's the only one that can't be purchased, deployed, or configured — it has to be demonstrated by which findings get fixed, which get waived, and who's accountable for the difference. The commonly cited mechanisms across analyst and OWASP maturity-model material — security champions embedded in engineering teams, shared dashboards showing security and delivery metrics side by side, and blameless retrospectives on incidents — only work once phases one through three have already produced trustworthy, low-noise, contextualized findings. A security-champion program layered onto a scanner that fires hundreds of unreachable false positives just trains champions to ignore their own tool. This is also why culture can't be phase one: asking engineers to "own security" before the tooling can tell them which of 400 open findings are the six that matter is a recipe for the DORA report's exact failure mode — more activity, worse outcomes.

What's the realistic order and pace for rolling this out?

The realistic order is sequential, not simultaneous, because each phase's output is the next phase's input: an unreliable scanner produces bad gate data, bad gate data produces noisy pull-request comments, and noisy pull-request comments burn out the champions you're trying to recruit. Log4Shell is again instructive on pacing — organizations with an existing, queryable software bill of materials (SBOM) could answer "are we affected, and where" within hours of the December 2021 disclosure, while organizations without one spent days grepping repositories by hand before they even reached the patching step. That gap wasn't a culture problem or a developer-workflow problem; it was a phase-one gap that no amount of later-stage process could compensate for on short notice. Budget real time for each phase rather than treating a single procurement cycle as "our DevSecOps rollout" — the DORA data suggests that skipping straight to more automation and more AI-assisted output, without the gating and workflow phases underneath it, is the specific pattern strongly associated with the past two years of declining delivery performance.

How Safeguard fits across the roadmap

Safeguard maps to each of the first three phases with genuine, shipping capability rather than a single point tool. Tool integration is served by first-party SAST and DAST, unified with existing SCA, secrets, container, and IaC scanning under one findings model with correlation keys. Policy gates are served by two distinct, purpose-built systems — YAML guardrails with BLOCK / WARN / AUTO_FIX effects for CI/CD, registries, admission, and runtime, and separately, Guard policies with allow / deny / monitor actions for live MCP tool-call traffic — so you enforce the right kind of policy at the right layer instead of forcing one model to cover both. Developer workflow is served by PR Guard, posting severity-ranked, line-anchored review comments with suggested fixes directly onto the pull request. Culture change is the one phase no vendor can automate for you — but it's also the phase that becomes achievable once the first three stop generating noise and start generating trustworthy signal.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.