Posted on
Artificial Intelligence

Artificial Intelligence DevSecOps Guide

Author
  • User
    linuxbash
    Posts by this author
    Posts by this author

The AI DevSecOps Guide for Bash-Native Builders: Ship Faster, Safer, and Smarter

Security debt grows every time we add new code, containers, or dependencies. Meanwhile, expectations for speed keep rising. The result? Teams feel forced to choose between shipping quickly and shipping safely.

You don’t have to choose.

This guide shows how to bring Artificial Intelligence principles and automation into a Bash-first DevSecOps workflow on Linux. You’ll learn practical steps to catch issues early, scan containers and dependencies, prevent secrets from leaking, and sign what you ship—using simple CLI commands you can drop into CI and local scripts today.

What you’ll get:

  • A clear blueprint for AI-augmented DevSecOps on Linux

  • 3–5 actionable steps with real Bash commands

  • Installation instructions for apt, dnf, and zypper where relevant

  • Minimal vendor lock-in: favoring open tools, containers, and standard formats like SARIF and CycloneDX


Why AI + DevSecOps (on the CLI) is worth your time

  • Shift-left without slowing down: Automated scans can run locally, in pre-commit hooks, and in CI. AI can help summarize and prioritize findings so humans focus on what matters.

  • Objective, repeatable checks: Policy-as-code and scanners produce consistent results across developers and environments.

  • Supply chain resilience: Signing and verifying artifacts reduces the blast radius of compromised registries or mirrors.

  • Fits your existing Bash/CI workflow: Use Podman/Docker containers for tools, stream outputs to JSON/SARIF, and parse with jq.


Prerequisites (Linux)

Install common CLI utilities you’ll use across steps:

  • apt (Ubuntu/Debian):

    sudo apt update
    sudo apt install -y git curl jq podman
    
  • dnf (Fedora/RHEL/CentOS Stream):

    sudo dnf install -y git curl jq podman
    
  • zypper (openSUSE):

    sudo zypper refresh
    sudo zypper install -y git curl jq podman
    

Note: We’ll run most security tools via containers (Podman), so you avoid per-host package drift.


1) AI-augmented code scanning: catch risky patterns early

Use static analysis to flag common vulnerabilities and insecure patterns in code. Then, optionally use an LLM (local or cloud) to summarize results for quicker triage.

  • Run Semgrep in a container (no host install needed):

    podman run --rm -v "$PWD:/src" -w /src returntocorp/semgrep:latest \
    semgrep --config p/ci --error --json -o semgrep.json
    
  • Summarize findings with a local LLM (optional, uses ollama if you have it):

    jq -r '.results[] | "\(.check_id): \(.path):\(.start.line) \(.extra.message)"' semgrep.json \
    | tee semgrep.lines
    
    # Optional: summarize with a local model (requires `ollama` installed separately)
    # cat semgrep.lines | ollama run mistral "Summarize and prioritize these code scan findings."
    

Why it matters:

  • Developers see actionable findings immediately in CI.

  • JSON output makes it easy to gate PRs or convert to SARIF for code-host UIs.

  • AI summarization reduces triage time when there are many findings.

Real-world tip:

  • Start with --config p/ci (Semgrep’s curated ruleset) and refine by adding allowlists in a .semgrep.yaml as your codebase matures.

2) Scan dependencies, containers, and IaC with Trivy

Trivy scans file systems, images, SBOMs, and configuration for vulnerabilities and misconfigurations.

Install Trivy:

  • apt:

    sudo apt-get update
    sudo apt-get install -y wget apt-transport-https gnupg lsb-release
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
    sudo apt update
    sudo apt install -y trivy
    
  • dnf:

    sudo dnf install -y dnf-plugins-core
    sudo dnf config-manager --add-repo https://aquasecurity.github.io/trivy-repo/rpm/releases/aquasecurity-trivy.repo
    sudo dnf install -y trivy
    
  • zypper:

    sudo zypper addrepo https://aquasecurity.github.io/trivy-repo/rpm/releases/aquasecurity-trivy.repo
    sudo zypper refresh
    sudo zypper install -y trivy
    

Common scans:

  • Scan your working directory (source + IaC + secrets):

    trivy fs --scanners vuln,config,secret --exit-code 1 --severity HIGH,CRITICAL .
    
  • Scan a container image:

    trivy image --exit-code 1 --severity HIGH,CRITICAL alpine:3.20
    
  • Generate SBOM (CycloneDX) for your repo:

    trivy fs --format cyclonedx --output sbom.cdx.json .
    
  • Emit SARIF (for GitHub/GitLab code scanning UIs):

    trivy fs --format sarif --output trivy.sarif.json .
    

Why it matters:

  • One tool covers OS packages, application dependencies, secrets, and misconfigurations.

  • SBOMs enable downstream consumers (and future you) to understand what shipped.

Real-world tip:

  • Store sbom.cdx.json as a build artifact. When new CVEs drop, you can rescan the SBOM without rebuilding code.

3) Stop secret sprawl with Gitleaks

Leaked credentials are among the fastest paths to compromise. Scan locally and in CI.

Run Gitleaks via container:

podman run --rm -v "$PWD:/repo" -w /repo zricethezav/gitleaks:latest \
  detect --redact --report-format json --report-path gitleaks.json

Pre-commit style local check:

# Quick pre-commit check for staged files
git diff --cached --name-only | grep -v '^$' | xargs -r \
  podman run --rm -i -v "$PWD:/repo" -w /repo zricethezav/gitleaks:latest \
  detect --no-git --stdin --redact

Why it matters:

  • Early detection prevents credentials from ever reaching the remote.

  • Redaction reduces noise while preserving context for triage.

Real-world tip:

  • Maintain a .gitleaks.toml to tune false positives (e.g., test fixtures) and enforce it in CI with --exit-code 1.

4) Sign and verify what you ship with Cosign (Sigstore)

Signing gives consumers cryptographic assurance that artifacts (images, SBOMs) are authentic and unmodified.

Install Cosign:

  • apt (if available on your release):

    sudo apt update
    sudo apt install -y cosign || true
    

    If not available or outdated, use the official installer:

    curl -sSfL https://raw.githubusercontent.com/sigstore/cosign/main/install.sh | sudo sh -s -- -b /usr/local/bin
    
  • dnf:

    sudo dnf install -y cosign || \
    (curl -sSfL https://raw.githubusercontent.com/sigstore/cosign/main/install.sh | sudo sh -s -- -b /usr/local/bin)
    
  • zypper:

    sudo zypper install -y cosign || \
    (curl -sSfL https://raw.githubusercontent.com/sigstore/cosign/main/install.sh | sudo sh -s -- -b /usr/local/bin)
    

Basic key pair flow:

cosign generate-key-pair   # creates cosign.key / cosign.pub
# Sign an image you just built/pushed (example image)
cosign sign --key cosign.key docker.io/youruser/yourimage:1.0.0
# Verify
cosign verify --key cosign.pub docker.io/youruser/yourimage:1.0.0

Attach and sign an SBOM:

# Attach SBOM as an OCI artifact
cosign attach sbom --sbom sbom.cdx.json docker.io/youruser/yourimage:1.0.0
# Sign the SBOM
cosign sign --key cosign.key docker.io/youruser/yourimage:1.0.0:sbom

Why it matters:

  • Consumers can verify provenance before deploying.

  • Attested SBOMs and signatures enable policy gates in registries and clusters.

Real-world tip:

  • Explore keyless signing with OIDC (e.g., GitHub Actions) to remove key management overhead.

Put it together: a minimal CI-friendly Bash pipeline

Save as scripts/security_check.sh and call it from CI. Exits non-zero on critical issues.

#!/usr/bin/env bash
set -euo pipefail

fail=0

echo "[1/4] Semgrep SAST..."
if ! podman run --rm -v "$PWD:/src" -w /src returntocorp/semgrep:latest \
  semgrep --config p/ci --error --json -o semgrep.json; then
  echo "Semgrep failed"
  fail=1
fi

echo "[2/4] Gitleaks (secrets)..."
if ! podman run --rm -v "$PWD:/repo" -w /repo zricethezav/gitleaks:latest \
  detect --redact --report-format json --report-path gitleaks.json; then
  echo "Gitleaks found issues"
  fail=1
fi

echo "[3/4] Trivy FS (vuln/config/secret)..."
if ! trivy fs --scanners vuln,config,secret --severity HIGH,CRITICAL \
  --exit-code 1 --format sarif --output trivy.sarif.json .; then
  echo "Trivy found HIGH/CRITICAL issues"
  fail=1
fi

echo "[4/4] Build SBOM for provenance..."
trivy fs --format cyclonedx --output sbom.cdx.json .

exit "$fail"

In your release job (after pushing an image):

# Sign the image and attached SBOM
cosign sign --key cosign.key "$IMAGE_REF"
cosign attach sbom --sbom sbom.cdx.json "$IMAGE_REF"
cosign sign --key cosign.key "$IMAGE_REF:sbom"

# Optional: verify before deploy
cosign verify --key cosign.pub "$IMAGE_REF" > verify.txt

Responsible AI integration tips

  • Prefer local or self-hosted models for sensitive code. If you use a cloud LLM, scrub or mask secrets and proprietary data.

  • Use AI for summarization and prioritization, not as an oracle. Always verify with deterministic scanners.

  • Capture prompts and outputs as artifacts for auditability when AI informs risk decisions.


Conclusion and next steps

Security shouldn’t slow you down—and with AI-informed automation, it won’t. Start by wiring these steps into your repo:

1) Semgrep SAST via container 2) Trivy scans and SBOM export 3) Gitleaks secret checks 4) Cosign signatures for images and SBOMs

Then iterate:

  • Tune rules and baselines to reduce noise.

  • Add AI summarization for faster triage.

  • Enforce signatures and SBOMs in your deployment gates.

Call to action:

  • Drop the provided Bash script into your CI today.

  • Generate and sign an SBOM on your next release.

  • Schedule a “security hour” each sprint to triage findings and update rules.

If you want a follow-up post with a full GitHub Actions or GitLab CI pipeline, or a local-LLM triage script, say the word and I’ll share ready-to-run YAML and Bash.