Wire security guardrails into the pipeline, not the standup.
DevSecOps Engineers own the security plumbing of the SDLC: signed builds, dependency hygiene, secret scanning, IaC policy-as-code, container hardening, and runtime guardrails. Done well, security is a pipeline check, not a meeting.
Tools in scope
Cloud-native scale-up
Live pipeline review — find the supply-chain hole and propose a fix in OPA / cosign.
Regulated enterprise
More change-management questions and how to roll out policy-as-code without breaking teams.
// Sample question
How would you enforce that production container images can only run if signed by your build pipeline?
Sign every release image with cosign (keyless, using the CI job's OIDC identity), generate SLSA Level 3 provenance attestations, push the signature and attestation to the registry alongside the image, and enforce verification at admission time with a policy controller (Kyverno or Gatekeeper) that checks the cosign signature and the SLSA predicate before the pod is scheduled.
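What that answer looks like as an admission policy, written here as an added example rather than something taken from the page or from any product's own material: a Kyverno ClusterPolicy that admits a Pod only if its image carries a cosign keyless signature from a pinned CI identity and a SLSA provenance attestation whose builder ID matches the expected hardened builder. The registry path, namespace, OIDC issuer, workflow subject and builder ID are placeholders, not values from the page; the points a reviewer would look for are that the policy fails closed (`required: true`), pins both issuer and subject rather than accepting any Sigstore certificate, and rewrites tags to digests so the image that was verified is the image that runs.

```yaml
# Added example (not from the page): Kyverno ClusterPolicy enforcing
# "only images signed and attested by our build pipeline may run".
# Placeholder values that must be replaced with your own pipeline's identities:
# the registry path, the namespace, the OIDC issuer/subject and the builder ID.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-and-attested-images
spec:
  # Enforce rejects the Pod; Audit would only record a policy report.
  validationFailureAction: Enforce
  # Signature and Rekor lookups need network round trips, so allow time.
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-prod-images
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - prod                                   # placeholder namespace
      verifyImages:
        - imageReferences:
            - "registry.example.com/prod/*"              # placeholder registry path
          # Fail closed: a matching image with no verifiable signature is rejected.
          required: true
          # Replace the tag with the verified digest so a later tag move cannot
          # swap in an unverified image, and refuse images we cannot resolve.
          mutateDigest: true
          verifyDigest: true
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Pin the CI identity allowed to sign. Both issuer and
                    # subject are checked; accepting only "any Fulcio cert"
                    # would let any Sigstore user sign for you.
                    issuer: "https://token.actions.githubusercontent.com"    # placeholder
                    subject: "https://github.com/example-org/example-app/.github/workflows/release.yaml@refs/heads/main"  # placeholder
                    rekor:
                      url: "https://rekor.sigstore.dev"
          attestations:
            # Require a SLSA v1 provenance predicate, signed by the same
            # pinned identity, and check who actually performed the build.
            - type: https://slsa.dev/provenance/v1
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        issuer: "https://token.actions.githubusercontent.com"    # placeholder
                        subject: "https://github.com/example-org/example-app/.github/workflows/release.yaml@refs/heads/main"  # placeholder
                        rekor:
                          url: "https://rekor.sigstore.dev"
              conditions:
                - all:
                    # runDetails.builder.id is the SLSA v1 predicate field that
                    # names the builder; for Level 3 this must be the hosted,
                    # hardened builder rather than an arbitrary job's identity.
                    - key: "{{ runDetails.builder.id }}"
                      operator: Equals
                      value: "https://example.com/hardened-builder@v1"     # placeholder builder ID
```

Kyverno applies the rule to Pods and, through its auto-generated rules, to the pod templates of Deployments, Jobs and the other controllers, so the check cannot be bypassed by creating the workload indirectly. The same control in Gatekeeper needs an external data provider (for example Ratify) to do the cosign verification, because Rego alone cannot validate signatures; the policy shape stays the same: pinned signer identity, required attestation, digest pinning, fail closed.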
AI-graded, role-specific, feedback on every answer. Free to start.