TL;DR — the essentials
- DevSecOps = automated security at every commit/build/release, without blocking the roadmap.
- Stack 2026: Semgrep (SAST), Snyk Open Source (SCA), Trivy (image scan), gitleaks (secrets), Checkov (IaC), Sigstore (signing).
- Mandatory quality gates: no secret in clear text, no critical CVE in a direct dependency, no high SAST vulnerability without an exception, no container image with a critical CVE.
- Target metrics: < 3% of PRs blocked, MTTR for critical vulnerabilities < 7 days, 100% of secrets stored in a vault.
- Link with the CRA: the CRA requires an SBOM, a secure CI/CD pipeline and the capability to patch automatically.
The typical 2026 stack
Static Application Security Testing (SAST)
Semgrep (Returntocorp) has become the reference SAST tool in 2026 for modern SaaS: fast, multi-language, with custom rules written in YAML. It is more approachable than CodeQL and outperforms Snyk Code on specific patterns.
Alternatives: SonarQube (mature, broad coverage), Snyk Code (advanced SAST, AI-augmented), CodeQL (GitHub, deep analysis).
Software Composition Analysis (SCA)
Snyk Open Source or Dependabot (GitHub native) for direct dependencies; Renovate for fine-grained control over updates.
Critical: prioritize CVEs by exploitability (EPSS score), not just by CVSS. Most CVEs are never exploited; focus on the 10% that are.
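Worked example, added here and not taken from the article or from any SCA tool: a small Python triage that orders findings by EPSS before CVSS and flags the ones the direct-dependency gate would stop. The findings, the CVE ids and the 0.1 EPSS threshold are constructed for illustration.

```python
# Added example, not from the article: rank SCA findings by EPSS first and CVSS
# second, and mark the ones the "critical CVE in a direct dependency" gate would stop.
# Sample findings, CVE ids and the EPSS threshold are constructed for illustration.

from typing import Dict, List

# Constructed sample: what an SCA tool might report for one service.
FINDINGS: List[Dict] = [
    {"cve": "CVE-EXAMPLE-0001", "pkg": "libfoo", "cvss": 9.8, "epss": 0.02, "direct": True},
    {"cve": "CVE-EXAMPLE-0002", "pkg": "libbar", "cvss": 7.5, "epss": 0.71, "direct": False},
    {"cve": "CVE-EXAMPLE-0003", "pkg": "libbaz", "cvss": 5.3, "epss": 0.004, "direct": True},
    {"cve": "CVE-EXAMPLE-0004", "pkg": "libqux", "cvss": 9.1, "epss": 0.35, "direct": True},
]


def blocks_pipeline(f: Dict) -> bool:
    """The gate rule from the article: critical CVSS (>= 9.0) in a direct dependency."""
    return f["direct"] and f["cvss"] >= 9.0


def exploit_likelihood(f: Dict, epss_threshold: float = 0.1) -> str:
    """EPSS estimates the probability of exploitation within 30 days; above the
    (assumed) threshold the CVE is treated as likely exploited, whatever its CVSS."""
    return "high" if f["epss"] >= epss_threshold else "low"


def triage(findings: List[Dict], epss_threshold: float = 0.1) -> List[Dict]:
    """Findings ordered by EPSS desc, then CVSS desc, annotated for the remediation queue."""
    ranked = sorted(findings, key=lambda f: (f["epss"], f["cvss"]), reverse=True)
    return [
        dict(f, blocks=blocks_pipeline(f), likelihood=exploit_likelihood(f, epss_threshold))
        for f in ranked
    ]


def remediation_queue(findings: List[Dict]) -> List[str]:
    """CVE ids in the order a team should work them: likely-exploited first, then
    gate blockers, then the rest; each group keeps the EPSS/CVSS ordering."""
    t = triage(findings)
    first = [f["cve"] for f in t if f["likelihood"] == "high"]
    second = [f["cve"] for f in t if f["likelihood"] != "high" and f["blocks"]]
    rest = [f["cve"] for f in t if f["likelihood"] != "high" and not f["blocks"]]
    return first + second + rest
```

Note what the ordering does to the constructed sample: the CVSS 7.5 transitive finding with an EPSS of 0.71 goes to the top of the queue, while the CVSS 9.8 direct dependency with an EPSS of 0.02 still blocks the pipeline but is worked after the two likely-exploited CVEs.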
Container image scanning
Trivy (Aqua Security) or Grype (Anchore) for OCI image scanning. Integrated in CI/CD, blocking on critical CVEs with no exceptions.
Best practice: distroless or minimal base images, signed with Sigstore cosign at build time and verified at deployment.
Secret detection
gitleaks as a pre-commit hook, plus regular scans of the full Git history. truffleHog for finer detection (entropy-based).
If a secret has been committed: rotate it immediately, audit access, document the incident. Don't just delete the commit — the secret stays in Git history.
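Worked example, added here; this is not gitleaks or truffleHog code. It shows the two detection techniques named above side by side: a pattern rule for a known token prefix and a Shannon-entropy rule for long random-looking tokens. The pattern, the thresholds (4.0 bits per character, 20-character minimum) and the sample lines are all constructed.

```python
# Added example (not gitleaks or truffleHog code): a minimal line scanner combining a
# pattern rule with a Shannon-entropy rule. The pattern, the thresholds and the sample
# lines are constructed for illustration.

import math
import re
from typing import Dict, List

# Pattern rule, gitleaks-style: a well-known token prefix plus a fixed length.
PATTERN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Entropy rule, truffleHog-style: long tokens whose characters are close to uniformly
# distributed. Thresholds are assumptions; tune them on your own repositories.
ENTROPY_THRESHOLD = 4.0   # bits per character
MIN_TOKEN_LEN = 20
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{%d,}" % MIN_TOKEN_LEN)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def scan_line(line: str, lineno: int) -> List[Dict]:
    findings = []
    for rule, rx in PATTERN_RULES.items():
        for m in rx.finditer(line):
            findings.append({"rule": rule, "line": lineno, "match": m.group(0)})
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        ent = shannon_entropy(tok)
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high-entropy", "line": lineno,
                             "match": tok, "entropy": round(ent, 2)})
    return findings


def scan(text: str) -> List[Dict]:
    """Scan every line of a text blob (a diff, a file, a commit) and return findings."""
    out = []
    for i, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(line, i))
    return out


# Constructed sample input: one fake key id, one random-looking string, one placeholder.
SAMPLE = """\
DB_HOST=db.internal
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
SIGNING_KEY=q7Zk2mP9xL4vB8nR1wT6yH3jF5sD0aGc
PLACEHOLDER=xxxxxxxxxxxxxxxxxxxxxxxx
"""
```

On the sample the pattern rule catches the fake key id on line 2 (its entropy, about 3.0 bits, is below the threshold, which is why prefix rules exist), the entropy rule catches the 32-character random string on line 3, and the all-x placeholder on line 4 is ignored because its entropy is zero. As a pre-commit hook you would feed `scan()` the output of `git diff --cached` and refuse the commit on any finding.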
Infrastructure as Code (IaC) scanning
Checkov (Bridgecrew/Palo Alto) or tfsec for Terraform, CloudFormation and Kubernetes manifests. Catches misconfigurations before deployment.
SBOM — Software Bill of Materials
An SBOM lists every component of your application: name, version, supplier, license, hash, transitive dependencies. Two standards: SPDX (ISO/IEC 5962:2021) and CycloneDX (OWASP).
The Cyber Resilience Act (CRA) makes the SBOM mandatory for "important" and "critical" products from December 11, 2027. The SBOM must be automatic, up to date at every build, machine-readable, traceable and signed.
Tools: Syft (Anchore) for container images, cdxgen for source code, the CycloneDX Maven plugin for Java, @cyclonedx/cyclonedx-npm for Node.
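Worked example, added here and not taken from the article or from Syft/cdxgen: a check that a CycloneDX JSON SBOM actually carries the fields listed above (name, version, supplier, license, hash) plus a purl for each component, so a build fails on an incomplete SBOM instead of shipping gaps. The SBOM fragment is constructed; the hash value is a placeholder, not a real digest.

```python
# Added example, not from the article or from any SBOM tool: validate that every
# component of a CycloneDX JSON SBOM has the fields the article lists as required.
# The SBOM below is a constructed fragment; the hash content is a placeholder.

import json
from typing import Dict, List

REQUIRED = ("name", "version", "purl", "supplier", "licenses", "hashes")

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "requests", "version": "2.32.0",
     "purl": "pkg:pypi/requests@2.32.0",
     "supplier": {"name": "constructed-supplier"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "<constructed-placeholder>"}]},
    {"type": "library", "name": "leftover-lib", "version": "0.1.0",
     "purl": "pkg:pypi/leftover-lib@0.1.0"}
  ]
}"""


def missing_fields(component: Dict) -> List[str]:
    """Required keys that are absent or empty on one component."""
    return [k for k in REQUIRED if not component.get(k)]


def check_sbom(text: str) -> Dict[str, List[str]]:
    """Map each incomplete component (by purl, else name) to its missing fields.
    An empty dict means every component is complete."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    report = {}
    for c in bom.get("components", []):
        gaps = missing_fields(c)
        if gaps:
            report[c.get("purl") or c.get("name")] = gaps
    return report


def sbom_is_complete(text: str) -> bool:
    """Gate-style boolean for CI: fail the build when any component has gaps."""
    return not check_sbom(text)
```

Run `check_sbom()` on the file Syft or cdxgen emits at each build; in the constructed sample it reports the second component as lacking supplier, license and hash, which is exactly the kind of gap a signed but unchecked SBOM would otherwise carry into a release.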
Supply chain — signing and provenance
Sigstore is the CNCF project for cryptographic signing of software artifacts (containers, binaries, SBOM) without persistent key management. Components: cosign (CLI), Fulcio (CA), Rekor (transparency log).
Adopted by Kubernetes, PyPI, npm, Linux Foundation. Aligned with SLSA Level 2+ and CRA requirements. Setup: 1-2 days for full integration.
Quality gates — what to block in CI/CD
Four mandatory blocking gates:
- No secret in clear text in a commit (gitleaks).
- No critical CVE in a direct dependency (Snyk).
- No high SAST vulnerability without a traceable exception (Semgrep).
- No container image with a critical CVE (Trivy).
Everything else runs in warning mode. Findings are tracked in Jira/Linear; exceptions are recorded with an expiry date.
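Worked example, added here and not part of the article or of any of the four tools: a gate evaluator that reads the JSON reports and decides whether the pipeline may continue, honouring exceptions only while their expiry date has not passed. The report fragments are constructed; the field names follow each tool's JSON output as I know it (Trivy `Results[].Vulnerabilities[]`, Semgrep `results[].extra.severity`, gitleaks' list of findings, a Snyk-style `from` dependency path where a two-element path means a direct dependency) and should be checked against the versions you run. The exception file format (finding id, ticket, expiry) is an assumption.

```python
# Added example (not from the article, not any tool's own code): evaluate the four
# blocking gates over constructed JSON reports. Field names follow each tool's JSON
# output as far as known; the exception format and all sample values are constructed.

from datetime import date
from typing import Dict, List

TODAY = date(2026, 3, 1)  # constructed; use date.today() in CI

TRIVY = {"Results": [{"Target": "app:1.4.2", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-1001", "PkgName": "openssl", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-1002", "PkgName": "zlib", "Severity": "HIGH"},
]}]}
SEMGREP = {"results": [
    {"check_id": "example.security.exec-detected", "path": "app/tasks.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "example.best-practice.open-never-closed", "path": "app/io.py",
     "start": {"line": 7}, "extra": {"severity": "WARNING"}},
]}
GITLEAKS = [
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 3},
]
SCA = {"vulnerabilities": [
    {"id": "CVE-EXAMPLE-2001", "severity": "critical", "packageName": "requests",
     "from": ["app@1.4.2", "requests@2.0.0"]},                      # direct
    {"id": "CVE-EXAMPLE-2002", "severity": "critical", "packageName": "urllib3",
     "from": ["app@1.4.2", "requests@2.0.0", "urllib3@1.0.0"]},    # transitive
]}
# Exceptions: finding id, ticket for traceability, expiry date (assumed format).
EXCEPTIONS = [
    {"finding": "example.security.exec-detected:app/tasks.py:42",
     "ticket": "SEC-123", "expires": "2026-04-30"},
    {"finding": "CVE-EXAMPLE-1001", "ticket": "SEC-118", "expires": "2026-01-31"},  # expired
]


def active_exceptions(exceptions: List[Dict], today: date) -> Dict[str, Dict]:
    """Only exceptions whose expiry date has not passed still waive a finding."""
    return {e["finding"]: e for e in exceptions
            if date.fromisoformat(e["expires"]) >= today}


def evaluate_gates(trivy, semgrep, gitleaks, sca, exceptions, today) -> List[Dict]:
    """Return the blocking violations; an empty list means the pipeline may continue."""
    waived = active_exceptions(exceptions, today)
    blocking = []

    # Gate 1: no secret in a commit. Never waivable: rotate it and the finding goes away.
    for f in gitleaks:
        blocking.append({"gate": "secrets",
                         "id": f"{f['RuleID']}:{f['File']}:{f['StartLine']}"})

    # Gate 2: no critical CVE in a direct dependency (path = [project, package]).
    for v in sca["vulnerabilities"]:
        if v["severity"] == "critical" and len(v["from"]) == 2 and v["id"] not in waived:
            blocking.append({"gate": "sca-direct", "id": v["id"]})

    # Gate 3: no high-severity SAST finding (Semgrep ERROR) without an active exception.
    for r in semgrep["results"]:
        fid = f"{r['check_id']}:{r['path']}:{r['start']['line']}"
        if r["extra"]["severity"] == "ERROR" and fid not in waived:
            blocking.append({"gate": "sast-high", "id": fid})

    # Gate 4: no container image with a critical CVE.
    for res in trivy["Results"]:
        for v in res.get("Vulnerabilities", []):
            if v["Severity"] == "CRITICAL" and v["VulnerabilityID"] not in waived:
                blocking.append({"gate": "image-critical", "id": v["VulnerabilityID"]})
    return blocking


if __name__ == "__main__":
    violations = evaluate_gates(TRIVY, SEMGREP, GITLEAKS, SCA, EXCEPTIONS, TODAY)
    for b in violations:
        print(f"BLOCK [{b['gate']}] {b['id']}")
    raise SystemExit(1 if violations else 0)
```

On the constructed reports the run blocks three times: the committed secret, the critical CVE in the direct dependency, and the critical image CVE whose exception expired in January. The SAST finding is waived by a still-valid exception and the transitive critical CVE is reported but does not block, matching the four gates above.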
Target metrics for a serious SaaS in 2026
- MTTR critical vulnerability: < 7 days
- PR blocked by quality gates: < 3%
- Secrets stored in vault: 100%
- SBOM generated automatically: 100% of builds
- Container images signed: 100% of releases
- Test coverage: > 80%