DevSecOps integrates security practices into the DevOps workflow, shifting security left and making it an integral part of the entire software delivery pipeline. This proactive integration ensures security measures are applied at every stage, from code development to testing, deployment, and operations. DevSecOps monitoring continuously assesses application and infrastructure security through data collection, analysis, and interpretation, enabling timely vulnerability identification, threat detection, and incident response.

DevSecOps loop

Throughout this tutorial, I will be taking you through DevSecOps monitoring while leveraging Civo's capabilities for enhanced application security.


To get started with this tutorial on understanding and implementing DevSecOps monitoring using Civo, here are the prerequisites you should have:

Implementing DevSecOps workflow

Implementing Security Scanning

Civo integrates seamlessly with popular security scanning tools like Trivy and Clair, which are open-source vulnerability scanners designed specifically for container images. These tools analyze container images and their associated packages, libraries, and dependencies to identify known vulnerabilities based on publicly available vulnerability databases.

For this section, we will use Trivy, a scanning tool on our continuous integration/deployment pipeline, to generate reports from scanned results and to automate the process by triggering vulnerability scans on every build.

Automated Vulnerability Scanning in the CI/CD Pipeline

To install and configure Trivy on your CI/CD pipeline server or workstation, the first step is to pull the Trivy Docker image. To do this, open a terminal or command prompt and run the following command:

docker pull aquasec/trivy 

Incorporate vulnerability scanning as a step in your CI/CD pipeline, typically before deploying the container image to production. To create a Trivy scan script, create a shell script file and add the following code to it:


docker run --rm -v $REPORT_PATH:/root/.cache/ aquasec/trivy:latest --quiet --format json -o /root/.cache/trivy.json $IMAGE_NAME

Run the following command to make the script executable:

chmod +x

Depending on your CI/CD tool, you will need to configure the pipeline to execute the Trivy scan script. Below is an example using GitLab CI/CD:

a. Open your .gitlab-ci.yml file or create one if it doesn't exist.

b. Add the following code to your pipeline configuration, replacing YOURIMAGENAME with the actual name of the image you want to scan:

  - security

  stage: security
    name: docker:stable
    entrypoint: [""]
    - ./ YOUR_IMAGE_NAME /path/to/save/report
      - /path/to/save/report/trivy.json

Customize the path where you want to save the Trivy scan report by modifying /path/to/save/report.

Save the .gitlab-ci.yml file, commit, and push it to your Git repository.

Recap: Configure Trivy with the steps above to scan container images and generate reports on vulnerabilities found. Set thresholds or policies to determine the severity level of vulnerabilities and define the actions to be taken based on the severity, such as failing the pipeline or triggering alerts.

Commit and push your changes to your git repository. This in turn triggers vulnerability scans on every build or at regular intervals, ensuring that all container images and dependencies are scanned consistently.

Log Monitoring and Analysis

Civo’s Kubernetes environment provides log management capabilities that aids installation of tools that enables you to collect, store, and analyze logs from your applications and infrastructure. These capabilities allow you to gain insights into the behavior and performance of your systems as well as detect security-related events. Civo's log management capabilities encompass the collection, storage, analysis, and visualization of logs from your applications and infrastructure.

We will now see how to set up our log monitoring tool, Fluentd, to collect logs and use Kibana, a web-based visualization tool, to explore and analyze log data stored in Elasticsearch from Civo’s Kubernetes cluster

Setting up Log Monitoring Tools for Real-time Log Analysis

The EFK stack consists of Elasticsearch, Fluentd, and Kibana, which are commonly used for log monitoring and analysis in Kubernetes environments.

Step 1: Install Elasticsearch on your Civo Kubernetes cluster by applying the necessary YAML manifests or using Helm.

On your Civo Kubernetes cluster, make sure you have the required permissions to deploy Helm charts and manage resources within the cluster. This may involve having cluster-admin access or the appropriate RBAC roles assigned to your user account. If you are using the Civo Kubernetes cluster you created at the start of the tutorial, you will have all required permissions through the generated KUBECONFIG file.

Here's an example using Helm:

# Add the Helm repository for Elasticsearch
helm repo add elastic

# Install Elasticsearch
helm install elasticsearch elastic/elasticsearch

Step 2: Install Fluentd, a log collector, and forwarder, to gather logs from containers and send them to Elasticsearch for indexing. Here's an example:

# Install Fluentd using Helm
helm install fluentd-bit elasticsearch/fluentd-bit

Step 3: Configure Fluentd to collect logs from your applications and forward them to Elasticsearch. You can create a Fluentd configuration file (fluentd-configmap.yaml) and customize it based on your specific requirements.

apiVersion: v1
kind: ConfigMap
  name: fluentd-config
  namespace: default
  fluent.conf: |
      @type forward
      port 24224
    <match **>
      @type elasticsearch
      host elasticsearch.default.svc.cluster.local
      port 9200
      logstash_format true
      logstash_prefix fluentd

In your deployment or pod definition, mount the ConfigMap as a volume and reference the Fluentd configuration file:

apiVersion: apps/v1
kind: Deployment
  name: my-app
  replicas: 1
        - name: fluentd-config-volume
            name: fluentd-config
        - name: my-app-container
          image: my-app-image
            - name: fluentd-config-volume
              mountPath: /fluentd/etc/fluentd.conf
              subPath: fluentd.conf
          # Other container configuration you might have

Step 4: Apply the configuration to your cluster using the following command:

kubectl apply -f fluentd-configmap.yaml

Step 5: Install Kibana, a web-based visualization tool, to explore and analyze log data stored in Elasticsearch.

# Install Kibana using Helm
helm install kibana elastic/kibana

Step 6: Once the Kibana installation and deployment is ready, you need to expose it externally to access the Kibana dashboard. Create a Kubernetes service to expose Kibana using the following command:

kubectl expose deployment kibana --type=LoadBalancer --port=5601 --target-port=5601

Note the external IP address assigned to the Kibana service. It may take a few moments for the external IP to be provisioned.

Step 7: Finally, you can access Kibana Dashboard by opening a web browser and navigating to http://:5601 and replacing external-ip with the external IP address of the Kibana service.

Configure Kibana Index Patterns

In the Kibana dashboard, navigate to the "Management" section and create an index pattern for your logs. This pattern should match the index name that Fluentd uses to store logs in Elasticsearch. Index patterns in Kibana allow it to understand and organize the logs that Fluentd sends to Elasticsearch. We're going to help you set that up in your Kibana dashboard:

Open the Kibana dashboard: You'll see a lot of options on the left side of the screen. These are various tools and settings you can use. Don't worry, you don't have to know them all just yet.

Look for the "Management" option: It should be somewhere in the list on the left. Click on it to open up the Management section.

Find "Index Patterns": Inside the Management section, you'll see an option called "Index Patterns". Click on that. This is where you'll define how Kibana should organize your logs.

Start creating an index pattern: You'll see a button that says "Create index pattern". Click that to start setting up your index pattern.

Now, it's time to define the index pattern. Let's go through this step by step:

Step 1: Specify the pattern that matches the index name used by Fluentd to store logs in Elasticsearch. For example, using the pattern "logs-*" can match indices like "logs-2023.06.24".

Step 2: Select the time field that represents the timestamp of your logs. This enables time-based analysis. The default option, "@timestamp," is typically a safe choice if you're unsure.

Step 3: Click "Next step" to proceed, review the summary, and ensure the pattern and field are correct.

Step 4: Click "Create index pattern" to create the pattern. Kibana will confirm its successful creation and may display a preview of the initial log entries from the matching indices.

Now, you can use this pattern to search through your logs. Go to the "Discover" section in the Kibana dashboard to start exploring your log data. You can explore and analyze logs in real-time using the Kibana dashboard by creating visualizations, performing searches, and setting up alerts based on your log data.

To enhance security monitoring, you can configure alerts and notifications based on specific log patterns or security-related events. This ensures that you receive timely notifications for potential security incidents. Here's a general approach:

Step 1: Define Log Patterns

Identify the log patterns or events that indicate potential security incidents, such as authentication failures or unauthorized access attempts.

Step 2: Configure Fluentd

Modify the Fluentd configuration in your fluentd-config.yaml file to include filters and match rules for the desired log patterns. Add the code below in the fluent.conf block in-between source and match:

<filter app.log>
  @type grep
    key severity
    pattern "INFO"

Step 3: Configure Alerting Services

Integrate Fluentd with alerting services or messaging platforms to receive notifications when security-related log events occur. You can use services like Slack, PagerDuty, or custom webhook integrations.

To use Slack, you need to create an incoming webhook which gives you a unique URL to which you send a JSON payload with the message text and some options. Here's how to use Slack:

<match alert.log>
  @type slack
  channel #alerts
  username Fluentd

Your fluentd-config.yaml file looks similar to:


apiVersion: v1
kind: ConfigMap
  name: fluentd-config
  namespace: default
  fluent.conf: |
      @type forward
      port 24224
    <filter app.log>
      @type grep
        key severity
        pattern "INFO"
    <match alert.log>
      @type slack
      channel #alerts
      username Fluentd

Step 4: Restart Fluentd

Apply the configuration changes and restart the Fluentd deployment for the changes to take effect.

kubectl apply -f fluentd-configmap.yaml

By following these steps and configuring Fluentd, you can collect logs from containers, forward them to Elasticsearch for indexing, and use Kibana to visualize and analyze the log data in real-time. Additionally, configuring alerts and notifications based on specific log patterns or security-related events ensures timely notifications for potential security incidents.

Runtime Monitoring and Intrusion Detection

Deploying Container Security Tools in the Kubernetes Cluster

To enhance the security of your Kubernetes cluster on Civo, you can install and configure container security tools like Falco. These tools provide runtime monitoring and intrusion detection capabilities, allowing you to detect unauthorized access, privilege escalation, or suspicious activities within containers.

Falco, an open-source container runtime security tool, is available on Civo kubernetes marketplace for installation.

You can also install Falco in your Kubernetes cluster, using Helm:

# Add the Helm repository for Falco
helm repo add falcosecurity

# Install Falco
helm install falco falcosecurity/falco

Once you run the Helm installation command, Helm will create the required pods, services, and other resources to run Falco in your Kubernetes cluster.

By following these steps, you can install Falco in your Kubernetes cluster, enabling runtime monitoring and intrusion detection capabilities. Falco can help you identify potential security threats and protect your containers effectively.

Configuring Policies and Rules for Runtime Security

To effectively monitor and detect security events within your containers, it is important to define policies and rules within Falco. These policies and rules allow you to specify behaviors or activities to watch for and promptly respond to potential security threats. You can customize these rules to align with your specific security requirements and the threat landscape you face.

To customize the Falco rules on Civo, you need to connect to your Kubernetes cluster, then edit the falco.yaml file.

Configure kubectl with the appropriate cluster credentials inorder to interact with your Kubernetes cluster. You can do this using the Civo CLI as follows:

civo kubernetes config YOUR_CLUSTER_NAME –save

Replace YOURCLUSTERNAME with the name of your Kubernetes cluster.

Locate the falco.yaml file. By default, it is typically found in the /etc/falco/ directory:

cd /etc/falco/

Edit the falco.yaml file using a text editor of your choice:

sudo nano falco.yaml 

Look for the section in the falco.yaml file where rules are defined. It is usually under the rules: section. Add or modify rules within the falco.yaml file based on your requirements. For example, to add a rule that detects shell spawning inside a container, you can use the following YAML snippet as an example:

- rule: Shell spawned in container
  desc: Detect shell spawning inside a container
  condition: shell_spawn
  output: "Shell spawned in a container ( command=%proc.cmdline)"
  priority: WARNING

This rule will generate a warning message when a shell is spawned inside any container.

Save the changes to the falco.yaml file and exit the text editor. Restart the Falco service for the changes to take effect.

By customizing the rules in the falco.yaml file, you can tailor the security monitoring to your specific needs and gain better visibility into potential security incidents within your containers. Make sure to review the Falco documentation for more details on rule syntax and customization options

Integrating with Civo's Monitoring Services

To enhance your container-level security, it is beneficial to integrate tools such as Falco with Civo's monitoring services. By doing so, you can achieve centralized visibility into runtime security events and leverage these monitoring services for analysis, visualization, and setting up alerts.

One way to integrate Falco with Civo's monitoring services is by utilizing Prometheus and Grafana. You can configure Falco to export metrics to Prometheus by modifying the falco.yaml file and adding:

    enabled: true
    keep_alive: false
    program: "/usr/bin/falco-exporter"

This configuration enables the Falco program output and specifies the /usr/bin/falco-exporter program as the exporter for metrics.

Save the changes to the falco.yaml file and exit the text editor. Restart the Falco service for the changes to take effect.

Falco is typically deployed as a kubernetes deployment, so you can restart it by deleting the Falco Pods. Kubernetes will automatically recreate the Pods.

First, list the running Pods to identify the Falco Pods:

kubectl get pods -n falco

Look for Pods with names related to Falco, such as falco-, falco-sidekick-, etc.

Next, delete the Falco Pods (and any other associated Pods):

kubectl delete pods -n falco --selector app=falco

Kubernetes will restart the Falco Pods, effectively restarting the Falco service.

You can check the status of the restarted Falco Pods to ensure they are running properly:

kubectl get pods -n falco

Incident Response and Remediation

To prepare for security-related events that do occur, it is important to establish well-defined incident response processes and escalation paths to ensure efficient handling of security incidents. This involves:

  • Clearly defining roles and responsibilities for incident response team members.
  • Documenting incident response procedures, including steps to identify, contain, mitigate, and recover from security incidents.
  • Establishing communication channels for incident reporting and coordination, ensuring that team members can quickly and effectively respond to incidents.

Leverage Civo's infrastructure and tooling to automate incident response actions, allowing for quicker and more efficient remediation. Examples of using Civo's tools include:

Scaling Down Compromised Services: Use the Civo CLI or API to programmatically scale down compromised services to minimize their impact and isolate affected containers from the network.

civo kubernetes scale deployment my-deployment --replicas=0

Isolating Affected Containers: Utilize Civo's network management capabilities to isolate affected containers from the rest of the infrastructure, preventing further spread of a security incident.

civo instance firewall add my-instance --deny-from=affected-container-ip

Triggering Automated Security Responses: Implement automated security responses, such as blocking IP addresses, disabling user accounts, or resetting credentials, using Civo's infrastructure and tooling. This can be achieved through custom scripts or integration with security orchestration tools.

Integrating with Security Incident and Event Management (SIEM) Solutions: Integrate with SIEM solutions to centralize security event management, perform advanced analysis, and streamline incident response processes. This involves:

Correlating Security Events from Various Sources: Configure integrations between your SIEM solution and container security tools, log management systems, and other security systems to gather security event data from multiple sources.

Performing Advanced Analysis: Leverage the capabilities of the SIEM solution to analyze and correlate security events, detect patterns, and identify potential threats or indicators of compromise.

Streamlining Incident Response Processes: Utilize the SIEM solution's incident management features to automate workflows, assign tasks, and track the progress of incident response activities. This helps ensure a coordinated and efficient response to security incidents.

By defining incident response processes and utilizing Civo's infrastructure and tooling for automated incident response, you can enhance the efficiency and effectiveness of your incident response efforts. Integrating with SIEM solutions allows for centralized security event management and advanced analysis, enabling better incident detection, response, and remediation.

Best Practices for DevSecOps Monitoring

Implementing Secure Coding Practices and Regular Security Testing: Prioritizing security throughout the development lifecycle is crucial. Here are some best practices to follow:

Practices Description
Secure Coding Guidelines Adhere to secure coding practices such as input validation, output encoding, and proper authentication and authorization mechanisms.
Static Code Analysis Use static code analysis tools to identify potential vulnerabilities and code quality issues early in development.
Dynamic Application Security Testing Conduct regular dynamic testing to simulate real-world attacks and identify vulnerabilities in the deployed application.
Dependency Scanning Perform regular scans to detect and update dependencies with known vulnerabilities.
Penetration Testing Engage in periodic penetration testing to assess the security posture of your applications and infrastructure.

Collaboration Between Development, Security, and Operations Teams: Building a strong culture of collaboration among development, security, and operations teams is essential for effective DevSecOps practices. Foster a shared responsibility for security by:

Practices Description
Cross-Functional Teams Encourage cross-functional teams with representatives from each discipline to work together throughout the development process.
Security Champions Designate individuals within each team as security champions who advocate for security practices and facilitate team communication.
Security Training and Awareness Provide regular security training and awareness sessions to educate all team members on security best practices and emerging threats.
Continuous Feedback Loop Establish a continuous feedback loop between teams to share knowledge, address security concerns, and improve overall security posture.

Monitoring and Analytics Capabilities for Continuous Improvement: Civo's monitoring and analytics capabilities are crucial for enhancing your DevSecOps practices. Here's how:

Practices Description
Real-time Monitoring Leverage Civo's monitoring tools to gain visibility into the performance, availability, and security of your applications and infrastructure.
Log Management and Analysis Utilize Civo's log management capabilities to collect and analyze logs, enabling timely detection and response to security incidents.
Data Visualization and Reporting Use Civo's analytics features to generate reports and visualizations that provide insights into your DevSecOps practices, identifying areas for improvement.
Continuous Improvement Cycle Incorporate Civo's monitoring and analytics capabilities into your continuous improvement cycle, allowing you to identify vulnerabilities, track progress, and refine your security measures.


Organizations that embrace DevSecOps practices and leverage Civo's infrastructure, monitoring tools, and integrations can enhance their application security, minimize vulnerabilities, and foster a proactive security posture. By prioritizing security throughout the development lifecycle and adopting effective monitoring practices, organizations can build and deploy applications with confidence, safeguarding their critical data and protecting their reputation in an increasingly challenging cybersecurity landscape.

To keep learning more about this topic, check out the following resources: