Security as Code
What is Security as Code?
Security as Code
The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
Security as Code (SaC) generalizes the policy-as-code idea to all security artifacts: detection rules, IaC hardening, IAM permissions, secrets configuration, threat models, and CI/CD security gates are stored as code in Git and shipped through the same pipelines as application changes. Typical building blocks include Terraform modules with secure defaults, Rego/Sentinel policy bundles, CodeQL or Semgrep rules, Falco/Sigma detections, and Kubernetes manifests with built-in security context. The approach gives security teams version history, peer review, automated tests, drift detection, and reproducible rollouts, replacing ticket-driven manual hardening with continuous, auditable security delivery integrated with DevSecOps.
● Examples
- Terraform module shipping an EKS cluster with private endpoints and audit logs by default.
- Semgrep ruleset versioned in a security-rules repo and required to pass before merge.
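The CI/CD security gate described in the definition, and the EKS example above, are easiest to understand as a policy check that runs in the pipeline: the rules live in a reviewed repository, the pipeline feeds them the Terraform plan, and a failing rule blocks the merge. The following is an added example written for this page (not the page's own code and not a real Terraform or OPA tool); it reads the `terraform show -json` plan format, which is real, but the plan content, the rule IDs `EKS-001`..`EKS-003` and the helper names are constructed for illustration. It encodes two controls from the EKS example, private API endpoint and audit logging, as Python functions and applies them to a weak and a hardened plan.

```python
"""Pipeline security gate: evaluate a Terraform plan (JSON) against rules kept in code.

Added example for this page; rule IDs, sample plans and helper names are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterator, List


def make_plan(public_access: bool, private_access: bool, log_types: List[str]) -> str:
    """Build a constructed plan in the shape of `terraform show -json plan.out`,
    trimmed to the fields the rules below read."""
    return json.dumps({
        "resource_changes": [
            {
                "address": "module.eks.aws_eks_cluster.this",
                "type": "aws_eks_cluster",
                "change": {
                    "actions": ["create"],
                    "after": {
                        "name": "prod",
                        "enabled_cluster_log_types": log_types,
                        "vpc_config": [{
                            "endpoint_public_access": public_access,
                            "endpoint_private_access": private_access,
                        }],
                    },
                },
            },
            {   # unrelated resource: no rules apply, so it must not produce findings
                "address": "aws_s3_bucket.logs",
                "type": "aws_s3_bucket",
                "change": {"actions": ["create"], "after": {"bucket": "audit-logs"}},
            },
        ]
    })


# Constructed sample plans: one with the insecure defaults, one with the hardened module.
WEAK_PLAN_JSON = make_plan(public_access=True, private_access=True,
                           log_types=["api", "authenticator"])
HARDENED_PLAN_JSON = make_plan(public_access=False, private_access=True,
                               log_types=["api", "audit", "authenticator"])


@dataclass(frozen=True)
class Finding:
    rule_id: str
    address: str
    message: str


def rule_eks_private_endpoint(address: str, after: dict) -> Iterator[Finding]:
    """The EKS API server must be reachable only over the private endpoint."""
    for cfg in after.get("vpc_config", []):
        # AWS defaults endpoint_public_access to true, so treat a missing key as public.
        if cfg.get("endpoint_public_access", True):
            yield Finding("EKS-001", address, "public API endpoint enabled")
        if not cfg.get("endpoint_private_access", False):
            yield Finding("EKS-002", address, "private API endpoint disabled")


def rule_eks_audit_logs(address: str, after: dict) -> Iterator[Finding]:
    """Control-plane audit logging must be switched on."""
    if "audit" not in after.get("enabled_cluster_log_types", []):
        yield Finding("EKS-003", address, "audit log type not enabled")


# Rules are keyed by resource type. Adding or relaxing a control is a reviewed commit
# to this mapping, which is the "security as code" property the page describes.
RULES: Dict[str, list] = {
    "aws_eks_cluster": [rule_eks_private_endpoint, rule_eks_audit_logs],
}


def evaluate_plan(plan_json: str) -> List[Finding]:
    """Run every applicable rule over each resource the plan creates or updates."""
    plan = json.loads(plan_json)
    findings: List[Finding] = []
    for rc in plan.get("resource_changes", []):
        if rc["change"]["actions"] in (["delete"], ["no-op"]):
            continue  # nothing new is being provisioned
        after = rc["change"].get("after") or {}
        for rule in RULES.get(rc["type"], []):
            findings.extend(rule(rc["address"], after))
    return findings


def gate(plan_json: str) -> bool:
    """Return True if the plan may proceed; otherwise emit findings as CI annotations."""
    findings = evaluate_plan(plan_json)
    for f in findings:
        print(f"::error::{f.rule_id} {f.address}: {f.message}")
    return not findings


if __name__ == "__main__":
    import sys
    # Exit non-zero so the pipeline step fails and the merge is blocked.
    sys.exit(0 if gate(WEAK_PLAN_JSON) else 1)
```

On the weak plan the gate reports `EKS-001` (public endpoint) and `EKS-003` (no audit logs) and exits non-zero; the hardened plan passes. In a real pipeline the same shape of check is usually expressed as a Rego bundle or Sentinel policy, but the workflow is identical: the rules are versioned, unit-tested against sample plans like the two above, and wired in as a required status check.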
● Frequently asked questions
What is Security as Code?
The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications. It belongs to the Cloud Security category of cybersecurity.
What does Security as Code mean?
The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
How does Security as Code work?
Security as Code (SaC) generalizes the policy-as-code idea to all security artifacts: detection rules, IaC hardening, IAM permissions, secrets configuration, threat models, and CI/CD security gates are stored as code in Git and shipped through the same pipelines as application changes. Typical building blocks include Terraform modules with secure defaults, Rego/Sentinel policy bundles, CodeQL or Semgrep rules, Falco/Sigma detections, and Kubernetes manifests with built-in security context. The approach gives security teams version history, peer review, automated tests, drift detection, and reproducible rollouts, replacing ticket-driven manual hardening with continuous, auditable security delivery integrated with DevSecOps.
How do you defend against Security as Code?
Security as Code is itself a defensive practice, not a threat; the protection it provides is the combination of technical controls (policy bundles, scanner rules, hardened IaC modules) and operational practices (peer review, automated gates, drift detection) described in the full definition above.
What are other names for Security as Code?
Common alternative names include: SaC, DevSecOps as code.
● Related terms
- Policy as Code (cloud-security)
  The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
- OPA (Open Policy Agent) (cloud-security)
  A CNCF-graduated, general-purpose policy engine that decouples authorization decisions from applications and Kubernetes admission control using the Rego language.
- Kubernetes Security (cloud-security)
  The protection of a Kubernetes cluster, including its API server, control plane, nodes, workloads, and network, from misconfiguration, compromise, and lateral movement.
- Compliance (compliance)
  The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- Service Mesh Security (cloud-security)
  The set of identity, encryption, and authorization controls a service mesh provides to secure service-to-service traffic in a cloud-native environment.
- Zero Trust Network (network-security)
  A network architecture that never trusts users, devices, or services by default and enforces continuous, identity-aware verification of every connection.