Why secure pipelines matter for fintech
- Customers and regulators expect controls you can explain, not heroics the week before an audit.
- When security lives in a separate tool chain, ownership blurs and fixes arrive too late to be cheap.
- GitLab’s model is simple: make the merge request the contract for what ships, with scans and policy results visible to the same reviewers who merge.
Security belongs inside the merge request, not at the door
Core points
- Late-stage gates create a false sense of safety: teams pass a checkpoint, then change behaviour until the next audit.
- Findings are cheapest when authors still remember why the code changed, and hardest when another squad inherits a release branch.
- Policy as code in the pipeline makes “allowed to merge” a shared, inspectable decision instead of a hallway conversation.
Skunk tip
- Treat failing security jobs like failing unit tests: fix them or waive them with a named owner; never silently ignore them.
- Keep scan configuration in version control next to the application so history matches what auditors review.
Static and dynamic analysis as default quality gates
Core points
- SAST catches classes of defects humans miss at scale; DAST validates what actually runs when traffic and auth behave like production.
- Running them only on main means you are measuring how fast you can rework, not how fast you can learn.
- Tune rules for signal over noise: a noisy gate trains teams to click through, which is worse than no gate.
Dependency and container scanning before promotion
Core points
- Most modern breaches exploit known vulnerabilities in dependencies or base images, not novel zero-days in your feature code.
- Scanning registries and lockfiles in CI gives product teams a ranked backlog instead of a surprise pen-test appendix.
- Promotion rules should reference an image digest or a provenance attestation, so that “what ran in test” is exactly what ships.
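Worked illustration of the digest rule above, as an added example that is not GitLab's code or any project's own pipeline: the test stage records the digest of the image it actually ran, and the promotion step refuses anything that is tag-only or whose digest differs. The evidence-file layout, the registry name and the pipeline id are constructed assumptions; the reference syntax handled is name[:tag][@sha256:hex].

```python
"""Promotion check: ship the exact image the test stage ran, identified by digest.

Added example, not GitLab's code. The evidence-file layout written by the test
stage is an assumption; the reference syntax handled is name[:tag][@sha256:hex].
"""
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed: what a test-stage job could record after pulling its image.
SAMPLE_TEST_EVIDENCE = json.dumps({
    "stage": "test",
    "pipeline_id": 4711,  # placeholder
    "image": "registry.example.com:5000/payments/api@sha256:" + "a" * 64,
})


def parse_reference(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest: {digest!r}")
    tag = None
    head, sep, tail = ref.rpartition(":")
    # A ':' after the last '/' introduces a tag; a ':' before it is a registry port.
    if sep and "/" not in tail:
        ref, tag = head, tail
    return ref, tag, digest


def promotion_decision(candidate_ref, test_evidence_json):
    """Return (allowed, reason) for promoting candidate_ref to the next environment."""
    name, tag, digest = parse_reference(candidate_ref)
    if digest is None:
        return False, f"{candidate_ref} is tag-only; a tag can be repointed after testing"
    tested_name, _, tested_digest = parse_reference(json.loads(test_evidence_json)["image"])
    if tested_digest is None:
        return False, "test evidence records no digest; cannot prove what ran"
    if name != tested_name:
        return False, f"repository mismatch: {name} vs {tested_name}"
    if digest != tested_digest:
        return False, "digest differs from the image the test stage ran"
    return True, f"promote {name}@{digest}" + (f" (tag {tag})" if tag else "")


if __name__ == "__main__":
    for candidate in (
        "registry.example.com:5000/payments/api:1.4.2",
        "registry.example.com:5000/payments/api:1.4.2@sha256:" + "a" * 64,
    ):
        allowed, reason = promotion_decision(candidate, SAMPLE_TEST_EVIDENCE)
        print("ALLOW" if allowed else "DENY ", reason)
```

The tag is kept purely as a human-readable label in the decision message; the comparison itself is on the digest, which is what makes the test-stage evidence meaningful.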
Skunk tip
- Block merges on critical CVEs with a fix path; time-box exceptions with expiry dates in your tracker.
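One way to implement the "policy as code in the pipeline" point from the earlier section and the "block on criticals with a fix path, time-box exceptions" tip above, as an added example that is not GitLab's code: a small gate job reads the scan report and a versioned waiver file, and fails the pipeline only for blockable findings that have a fix and no active, owned, unexpired waiver. The report layout is loosely modelled on the GitLab security report JSON, but every field name, the waiver file format, and the sample findings are constructed assumptions.

```python
"""Merge gate over a security scan report, with named, time-boxed waivers.

Added example, not GitLab's code. The report layout is loosely modelled on the
GitLab security report JSON (a "vulnerabilities" list with "severity",
"solution" and "location"), but every field name used here is an assumption,
as is the waiver file format.
"""
import json
import sys
from datetime import date

# Constructed sample of what a dependency-scanning job might write.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "v1", "severity": "Critical", "name": "Deserialization flaw in widgetlib",
     "solution": "Upgrade widgetlib to 2.4.1",
     "location": {"dependency": {"package": {"name": "widgetlib"}, "version": "2.3.0"}}},
    {"id": "v2", "severity": "Critical", "name": "ReDoS in fastparse",
     "solution": "",  # no upstream fix published yet
     "location": {"dependency": {"package": {"name": "fastparse"}, "version": "1.0.2"}}},
    {"id": "v3", "severity": "High", "name": "Open redirect in routerkit",
     "solution": "Upgrade routerkit to 0.9.0",
     "location": {"dependency": {"package": {"name": "routerkit"}, "version": "0.8.0"}}},
]})

# Constructed waiver file, versioned in the repo next to the scan config.
# Every entry carries an owner, a tracker ticket and an expiry date.
SAMPLE_WAIVERS = json.dumps([
    {"id": "v1", "owner": "payments-squad", "ticket": "SEC-123", "expires": "2030-01-01"},
])


def as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def active_waivers(waivers_json, today):
    """Return {finding_id: waiver} for waivers that have an owner and have not expired."""
    today = as_date(today)
    active = {}
    for w in json.loads(waivers_json):
        if not w.get("owner") or not w.get("expires"):
            continue  # an exception nobody owns, or with no end date, does not count
        if as_date(w["expires"]) < today:
            continue  # expired: the finding blocks again until someone renews it
        active[w["id"]] = w
    return active


def evaluate(report_json, waivers_json, today, block_severities=("Critical",)):
    """Sort findings of a blockable severity into three buckets.

      blocking  - has a fix path and no active waiver (fail the job)
      waived    - covered by an active waiver (pass, but report it)
      unfixable - no published fix yet (pass, but track it in the backlog)
    """
    waived_by_id = active_waivers(waivers_json, today)
    result = {"blocking": [], "waived": [], "unfixable": []}
    for v in json.loads(report_json).get("vulnerabilities", []):
        if v.get("severity") not in block_severities:
            continue
        if v["id"] in waived_by_id:
            result["waived"].append(v)
        elif not v.get("solution"):
            result["unfixable"].append(v)
        else:
            result["blocking"].append(v)
    return result


def describe(v):
    dep = v.get("location", {}).get("dependency", {})
    pkg = dep.get("package", {}).get("name")
    return f"{v['id']} {v['severity']}: {v['name']} ({pkg} {dep.get('version')})"


def main():
    """Run as a CI job: non-zero exit when anything is blocking."""
    result = evaluate(SAMPLE_REPORT, SAMPLE_WAIVERS, date.today())
    for bucket in ("waived", "unfixable", "blocking"):
        for v in result[bucket]:
            print(f"[{bucket}] {describe(v)}")
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the waiver file lives in the same repository as the scan configuration, an auditor can read the history of who accepted what and until when straight from version control, and an expired waiver re-blocks the merge without anyone having to remember it.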
Compliance evidence that travels with the commit
Core points
- Auditors care about traceability: who approved a change, which controls ran, and what artefacts prove it.
- Exportable pipeline results and merge metadata beat screenshots because they scale with release frequency.
- When evidence is automatic, security stops being the team that says “no” and becomes the team that proves “yes, with controls”.
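The kind of exportable record the points above describe, as an added example that is not GitLab's code: one object per merge that captures commit, author, approvers, which required controls ran with what status, a digest of each report artefact, and a hash over the whole record so a later reader can detect edits. The merge metadata shape, job names, required-control list and commit SHA are constructed placeholders.

```python
"""Evidence record for one merge: approvals, controls that ran, report digests,
and a hash over the whole record so it can be exported and later checked.

Added example, not GitLab's code. The merge metadata shape, job names and
required-control list are assumptions; the commit SHA is a placeholder.
"""
import hashlib
import json

REQUIRED_CONTROLS = ("sast", "dependency_scanning", "container_scanning")

# Constructed merge metadata and job outcomes.
SAMPLE_MERGE = {
    "project": "payments/api",
    "merge_request": 482,
    "commit": "0" * 40,  # placeholder SHA
    "author": "alice",
    "approvers": ["carol", "bob"],
}
SAMPLE_JOBS = [
    {"name": "sast", "status": "success", "report": b'{"vulnerabilities": []}'},
    {"name": "dependency_scanning", "status": "success", "report": b'{"vulnerabilities": []}'},
    {"name": "container_scanning", "status": "failed", "report": b""},
    {"name": "unit_tests", "status": "success", "report": b""},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON so the record hashes the same wherever it is rebuilt."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(merge, jobs, required=REQUIRED_CONTROLS):
    """Assemble the traceability record for one merge and seal it with a hash."""
    controls = {}
    for job in jobs:
        controls[job["name"]] = {
            "status": job["status"],
            # digest of the raw report so a reviewer can match it to the stored artefact
            "report_sha256": sha256_hex(job["report"]) if job["report"] else None,
        }
    missing = [c for c in required if c not in controls]
    failed = [c for c in required if c in controls and controls[c]["status"] != "success"]
    record = {
        "project": merge["project"],
        "merge_request": merge["merge_request"],
        "commit": merge["commit"],
        "author": merge["author"],
        "approvers": sorted(merge["approvers"]),
        # separation of duties: flag it when the author counts among the approvers
        "author_self_approved": merge["author"] in merge["approvers"],
        "controls": controls,
        "missing_controls": missing,
        "failed_controls": failed,
        "controls_passed": not missing and not failed,
    }
    record["record_sha256"] = sha256_hex(canonical(record))
    return record


def verify_evidence(record) -> bool:
    """True when the record's hash still matches its content."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return record.get("record_sha256") == sha256_hex(canonical(body))


if __name__ == "__main__":
    evidence = build_evidence(SAMPLE_MERGE, SAMPLE_JOBS)
    print(json.dumps(evidence, indent=2))
    print("integrity ok:", verify_evidence(evidence))
```

The hash only proves the record was not altered after it was written; pairing it with a signature or write-once storage is what turns it into evidence an auditor can rely on, and that is a deployment choice the pipeline owner makes.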
Culture: shared metrics, not blame dashboards
Core points
- Security metrics that only appear in an executive pack invite gaming; metrics next to lead time and change failure rate invite partnership.
- Celebrate mean time to remediate, not just count of findings, so teams optimise learning speed.
- Rotate reviewers across squads so security literacy spreads without centralising every decision.
If security only shows up when something breaks, you are not doing DevSecOps, you are doing damage control.