AI-Augmented DevSecOps Pipelines: Enabling Continuous Security Integration in Large-Scale Software System
DOI: https://doi.org/10.63282/3117-5481/AIJCST-V1I5P101

Keywords: DevSecOps, Continuous Security, SBOM, SAST/DAST, Software Supply Chain, Policy-As-Code, Reinforcement Learning, LLM-Assisted Triage, Risk Scoring, Zero-Trust, IAC Security, Progressive Delivery

Abstract
This paper proposes an AI-augmented DevSecOps pipeline that embeds continuous security controls across the software lifecycle (plan, code, build, test, release, deploy, and operate) for large-scale, polyglot systems. The architecture fuses traditional SAST/DAST, software composition analysis, IaC/K8s policy checks, and SBOM provenance (e.g., SLSA/attestations) with learning components that prioritize, adapt, and automate. A risk-scoring engine combines CVSS, exploit likelihood, business criticality, and runtime blast radius to drive queue-aware remediation. LLM-assisted triage with policy guardrails summarizes findings, deduplicates noise, and generates secure code patches as candidate pull requests, while active learning continuously refines rules from developer feedback. For runtime, behavior models detect drift and supply-chain anomalies (e.g., dependency confusion, poisoned images) and trigger progressive delivery actions: canaries, feature-flag isolation, and policy-as-code rollbacks. A reinforcement-learning scheduler optimizes scan depth, frequency, and environment selection to minimize MTTR and build latency under resource constraints. The pipeline integrates with enterprise controls (zero-trust identity, secrets management, artifact signing) and publishes compliance evidence (audit trails, control KPIs) automatically. We validate the approach on multi-service benchmarks and production-like workloads, demonstrating reduced false positives, faster mean time to remediation, and lower p95 build overhead versus static baselines. The results indicate that coupling predictive analytics and autonomous orchestration with human-in-the-loop review enables continuous, scalable security without sacrificing delivery velocity.
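The abstract names four inputs to the risk-scoring engine (CVSS, exploit likelihood, business criticality, runtime blast radius) and says the score drives queue-aware remediation, but gives no formula. The following is an added illustration, not the paper's engine: the weights, the criticality tiers, the blast-radius proxy (count of dependent runtime services) and the sample findings are all assumptions constructed for the example. It shows why two findings with the same CVSS 9.8 can land at opposite ends of a team's queue once the other factors are included.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed, illustrative weights and tiers (not taken from the paper).
WEIGHTS = {"cvss": 0.35, "exploit": 0.30, "criticality": 0.20, "blast_radius": 0.15}
CRITICALITY_TIERS = {"low": 0.25, "medium": 0.50, "high": 0.75, "mission": 1.00}

@dataclass
class Finding:
    finding_id: str
    service: str
    cvss: float               # CVSS base score, 0.0..10.0
    exploit_likelihood: float  # probability of exploitation in the wild, 0.0..1.0
    criticality: str          # business tier, a key of CRITICALITY_TIERS
    dependents: int           # runtime services reachable from this one (blast-radius proxy)
    team: str                 # owning team whose remediation queue receives the finding

def risk_score(f: Finding, max_dependents: int) -> float:
    """Weighted combination of the four factors, each normalized to 0..1."""
    cvss_n = max(0.0, min(f.cvss, 10.0)) / 10.0
    exploit_n = max(0.0, min(f.exploit_likelihood, 1.0))
    crit_n = CRITICALITY_TIERS.get(f.criticality, CRITICALITY_TIERS["low"])
    blast_n = f.dependents / max_dependents if max_dependents > 0 else 0.0
    score = (WEIGHTS["cvss"] * cvss_n + WEIGHTS["exploit"] * exploit_n
             + WEIGHTS["criticality"] * crit_n + WEIGHTS["blast_radius"] * blast_n)
    return round(score, 4)

def build_queues(findings: List[Finding], capacity_per_team: int) -> Tuple[Dict[str, List[str]], List[str]]:
    """Queue-aware remediation: rank globally by risk, then fill each team's queue
    highest-risk first up to its capacity. Overflow is deferred, not dropped, so
    lower-ranked findings stay visible for the next planning cycle."""
    max_dep = max((f.dependents for f in findings), default=0)
    ranked = sorted(findings, key=lambda f: risk_score(f, max_dep), reverse=True)
    queues: Dict[str, List[str]] = {}
    deferred: List[str] = []
    for f in ranked:
        q = queues.setdefault(f.team, [])
        (q if len(q) < capacity_per_team else deferred).append(f.finding_id)
    return queues, deferred

# Constructed sample findings: F-1 and F-2 share CVSS 9.8 but differ on every other factor.
SAMPLE_FINDINGS = [
    Finding("F-1", "payments", 9.8, 0.90, "mission", 8, "team-a"),
    Finding("F-2", "docs-site", 9.8, 0.05, "low", 0, "team-a"),
    Finding("F-3", "auth", 6.5, 0.70, "high", 8, "team-b"),
    Finding("F-4", "reporting", 7.5, 0.20, "medium", 2, "team-a"),
]

if __name__ == "__main__":
    queues, deferred = build_queues(SAMPLE_FINDINGS, capacity_per_team=2)
    print(queues, deferred)  # team-a gets F-1, F-4; F-2 (CVSS 9.8) is deferred
```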
