DevSecOps Policy Vocabulary — Pipeline Gates and Shift-Left Security
Practice the vocabulary used when designing and discussing DevSecOps policy enforcement in CI/CD pipelines: shift-left security, the difference between blocking and advisory gates, how to describe what a pipeline policy does, and how to communicate enforcement decisions to developers.
Vocabulary Reference
- shift-left security
- The practice of moving security checks earlier in the development lifecycle — into the IDE, pre-commit hooks, and CI pipeline — so developers find and fix security issues before they reach production.
- "enforced in CI"
- Phrase indicating that a policy check runs in the CI pipeline and blocks the pull request or build if violated: "Image signing is enforced in CI — unsigned images cannot be promoted."
- blocking security gate
- A pipeline stage that fails the build and prevents promotion if a policy is violated. The developer cannot bypass it without an approved exception.
- advisory-only gate
- A pipeline stage that reports policy violations but does not fail the build — used during rollout of a new check, for low-severity findings, or when the team needs time to remediate. Advisory findings should still be tracked, with a planned date for switching the gate to blocking; otherwise the output becomes permanent noise that developers learn to ignore.
- pipeline policy
- A machine-readable rule that is evaluated at a specific stage of the CI/CD pipeline — e.g., a conftest (Rego) check against the JSON form of a Terraform plan, a container image scan threshold, or a SAST severity gate. Each policy states where it runs, what it checks, the threshold that counts as a violation, and whether a violation blocks or only warns.
- policy-as-code in CI/CD
- The practice of encoding security and compliance rules as code evaluated automatically at defined pipeline stages — removing manual approval bottlenecks while maintaining consistent enforcement.
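The following is an added example, not code from the original page: a minimal CI severity gate that shows the difference between a blocking gate and an advisory-only gate, and how the decision is communicated back to the developer. The scanner output format (a list of findings with `id`, `severity` and `location`), the finding IDs and the policy names are constructed assumptions for illustration.

```python
"""Added example (not from the original page): a CI policy gate evaluated
in blocking or advisory mode against SAST-style findings.

Assumptions (not from the page): findings are dicts with 'id', 'severity'
and 'location'; policy names and finding IDs are constructed sample data.
"""
import sys
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


def parse_severity(value: str) -> Severity:
    """Map a scanner severity string to Severity. An unrecognised value is
    treated as CRITICAL so a malformed report fails closed, never open."""
    return Severity.__members__.get(value.upper(), Severity.CRITICAL)


@dataclass(frozen=True)
class GatePolicy:
    name: str          # policy identifier shown to developers
    stage: str         # pipeline stage where the policy is evaluated
    fail_at: Severity  # findings at or above this severity are violations
    mode: str          # "blocking" fails the build, "advisory" only reports


@dataclass(frozen=True)
class GateResult:
    policy: str
    violations: tuple[str, ...]  # IDs of all findings above the threshold
    blocked: bool                # True only for an enforced blocking gate
    exit_code: int               # what the CI job returns (1 = fail)
    message: str                 # text posted to the PR / job log


def evaluate_gate(policy: GatePolicy, findings: list[dict],
                  exception_ids: frozenset[str] = frozenset()) -> GateResult:
    """Evaluate findings against a policy. Findings covered by an approved
    exception are still reported but do not fail a blocking gate."""
    violations = [f for f in findings if parse_severity(f["severity"]) >= policy.fail_at]
    enforced = [f for f in violations if f["id"] not in exception_ids]
    blocked = policy.mode == "blocking" and bool(enforced)

    lines = [f"[{policy.name}] stage={policy.stage} mode={policy.mode} "
             f"threshold={policy.fail_at.name}"]
    for f in violations:
        if f["id"] in exception_ids:
            tag = "excepted"
        else:
            tag = "BLOCKING" if policy.mode == "blocking" else "advisory"
        lines.append(f"  {tag}: {f['id']} {f['severity']} at {f['location']}")
    if blocked:
        lines.append(f"  RESULT: build failed; {len(enforced)} finding(s) must be fixed "
                     "or covered by an approved exception before promotion")
    elif violations:
        lines.append("  RESULT: reported only; build continues")
    else:
        lines.append("  RESULT: pass")

    return GateResult(policy.name, tuple(f["id"] for f in violations),
                      blocked, 1 if blocked else 0, "\n".join(lines))


# Constructed sample scanner output (not real findings).
SAMPLE_FINDINGS = [
    {"id": "SAST-0001", "severity": "high", "location": "app/db.py:42"},
    {"id": "SAST-0002", "severity": "low", "location": "app/util.py:7"},
    {"id": "SAST-0003", "severity": "critical", "location": "app/auth.py:19"},
    {"id": "SAST-0004", "severity": "medium", "location": "app/api.py:88"},
]

BLOCKING_POLICY = GatePolicy("sast-severity-gate", "sast", Severity.HIGH, "blocking")
ADVISORY_POLICY = GatePolicy("sast-severity-gate", "sast", Severity.HIGH, "advisory")

if __name__ == "__main__":
    # In CI the process exit code is what actually enforces the gate.
    result = evaluate_gate(BLOCKING_POLICY, SAMPLE_FINDINGS)
    print(result.message)
    sys.exit(result.exit_code)
```

The same findings produce the same report under both policies; only the blocking policy turns it into a non-zero exit code, which is the part of "enforced in CI" that the pipeline actually honours. Exceptions are keyed by finding ID so the report still shows what was waived rather than silently dropping it.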