
Becoming an Oracle Cloud Infrastructure Certified DevOps Professional Part 2 – DevSecOps with OCI
DevSecOps is the backbone of modern software delivery. Whether you are a fast-moving digital startup or a large enterprise modernizing legacy systems, having an automated, secure CI/CD pipeline is what separates high-performing teams from those always stuck firefighting. Most teams stitch together DevSecOps pipelines using a mix of open-source tools, third-party platforms, and scripts.
OCI gives you a clean, enterprise-grade stack for DevSecOps that is ready out of the box. We are talking source control, automated builds and deployments, secret management, container orchestration, real-time monitoring, and everything is tightly integrated, deeply secure, and easy to use.
So, the second part of this blog series is about OCI’s developer services. If you missed the first part about Oracle Kubernetes Engine (OKE), click here.
Why Enterprises and Digital Natives Should Look at OCI
Let’s break it down:
- Enterprises get the compliance, SLAs, and governance they need with a cloud-native platform that integrates with existing Oracle workloads and mission-critical systems.
- Digital natives and startups get a modern, developer-first experience without juggling 15 different tools. OCI’s pay-as-you-go model and generous free tier also help teams stay lean while scaling.
And it is built for hybrid and multicloud from the start. OCI works whether you are running greenfield Kubernetes apps or still managing monoliths.
How to Build a Complete DevSecOps Pipeline on OCI
As part of the journey of becoming a certified OCI DevOps Professional, you need to understand how you can build a complete and secure pipeline using Oracle Cloud Infrastructure’s native services. Think of this as your blueprint for DevSecOps: secure, scalable and automated from code to production. The following diagram illustrates this reference architecture:
Plan, Collaborate & Set Up Infrastructure
OCI DevOps Code Repositories
Private Git repositories hosted by the DevOps service. With OCI DevOps Code Repositories you can store, manage, and develop source code in your own private repositories, or connect to external repositories such as GitHub, GitLab, Bitbucket Cloud, Visual Builder Studio, Bitbucket Server, and GitLab Server. It is perfect for managing application code, Terraform configurations, and CI/CD definitions all in one place.
OCI Resource Manager (Terraform as a Service)
Automate infrastructure provisioning and lifecycle using Oracle’s managed Terraform service:
- Write declarative infra-as-code
- Apply it across multiple compartments with consistent governance
- Integrate with Vault, IAM, and tagging for full automation
This lets you define environments (dev/stage/prod) as code, and roll them out safely and repeatably.
The following image represents a generalized view of the Resource Manager workflow:
OCI Vault
Every DevSecOps pipeline needs a central place for secrets and encryption keys. Vaults are logical entities where the Key Management Service creates and durably stores vault keys and secrets.
- Store passwords, API tokens, certs, and encryption keys securely
- Integrated with KMS (Key Management Service) for encryption at rest and in transit
- Integrates encryption with other OCI services such as storage, database, and Fusion Applications for protecting data stored in these services
- Automate access via IAM policies and code
Develop, Build, and Test Code
OCI DevOps Build Pipelines
A build pipeline takes a commit ID from your source code repository and uses that source code to run your build instructions. Build pipelines define a set of stages for the build process: building, testing, and compiling software artifacts, delivering artifacts to OCI repositories, and optionally triggering a deployment. You define the flow and instructions of a build run in the build spec file. Define build pipelines using YAML or the console:
- Automate Java, Python, Node.js, Docker, and Go builds
- Customize steps for unit tests, code quality scans (e.g., SonarQube)
- Connect directly to OCI repos or GitHub
Application Dependency Management (ADM)
The Application Dependency Management (ADM) service provides you with an integrated vulnerability knowledge base that you can use from the Oracle Cloud Infrastructure (OCI) DevOps build pipelines to detect vulnerabilities in the packages used for the build.
OCI Cloud Shell
A browser-based Linux shell with Git, Docker, Terraform, kubectl, Helm, and more preinstalled. Ideal for quick testing, debugging, or managing your pipeline without installing tools locally.
OCI Application Performance Monitoring (APM)
Do not wait until production to spot performance issues:
- Distributed tracing across microservices
- Real User Monitoring (RUM)
- Availability Monitoring
- Server Monitoring
Shift-Left Security from the Start
OCI Vault (again, because security is never just one step)
Use Vault throughout your pipeline to securely inject secrets into build/deploy steps.
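The build pipeline passage above (build spec file, unit tests, code quality scans, the ADM vulnerability audit) and this note on injecting Vault secrets come together in a single build_spec.yaml. The following is an added example, not a file from the original post or from Oracle; it follows the OCI build spec format as documented (version 0.1, env.variables / vaultVariables / exportedVariables, Command and VulnerabilityAudit steps, outputArtifacts). Every OCID, hostname, namespace and artifact name is a constructed placeholder, and the SonarQube Maven flags are an assumption about the scanner in use.

```yaml
# Constructed example build_spec.yaml for an OCI DevOps build pipeline.
# All OCIDs, hostnames and names are placeholders to replace with your own.
version: 0.1
component: build
timeoutInSeconds: 1800
runAs: root
shell: bash

env:
  variables:
    OCIR_HOST: "eu-frankfurt-1.ocir.io"     # region-specific registry endpoint (placeholder)
    OCIR_NAMESPACE: "exampletenancy"        # your tenancy's Object Storage namespace (placeholder)
    SONAR_HOST_URL: "https://sonar.example.internal"
  vaultVariables:
    # The build runner resolves this secret OCID from OCI Vault at run time and
    # exposes the value as an environment variable; nothing is stored in Git
    SONAR_TOKEN: "ocid1.vaultsecret.oc1..PLACEHOLDER"
  exportedVariables:
    # Handed to the deployment pipeline so the deploy uses exactly this image
    - IMAGE_TAG

steps:
  - type: Command
    name: "Compile and run unit tests"
    timeoutInSeconds: 600
    command: |
      mvn -B -q clean package
      # Short commit hash becomes the image tag (exported above)
      export IMAGE_TAG=$(git rev-parse --short HEAD)
    onFailure:
      - type: Command
        command: |
          echo "Build or tests failed; no artifacts will be delivered"
        timeoutInSeconds: 60

  - type: Command
    name: "Code quality scan"
    timeoutInSeconds: 600
    command: |
      # Token comes from the vault variable above; flag names assume the
      # SonarQube Maven scanner
      mvn -B sonar:sonar -Dsonar.host.url="${SONAR_HOST_URL}" -Dsonar.token="${SONAR_TOKEN}"

  - type: VulnerabilityAudit
    name: "ADM dependency audit"
    configuration:
      buildType: maven
      pomFilePath: ./pom.xml
    knowledgeBaseId: "ocid1.admknowledgebase.oc1..PLACEHOLDER"
    vulnerabilityAuditCompartmentId: "ocid1.compartment.oc1..PLACEHOLDER"
    vulnerabilityAuditName: "demo-api-audit"
    # The step fails the build run when any dependency exceeds these scores
    maxPermissibleCvssV2Score: 7.0
    maxPermissibleCvssV3Score: 7.0

  - type: Command
    name: "Build container image"
    timeoutInSeconds: 600
    command: |
      docker build -t "${OCIR_HOST}/${OCIR_NAMESPACE}/demo-api:${IMAGE_TAG}" .

outputArtifacts:
  - name: demo_api_jar
    type: BINARY
    location: target/demo-api.jar
  - name: demo_api_image
    type: DOCKER_IMAGE
    # Referenced by a Deliver Artifacts stage, which pushes it to Container Registry
    location: ${OCIR_HOST}/${OCIR_NAMESPACE}/demo-api:${IMAGE_TAG}
```

Two design points matter for the DevSecOps story. The secret never appears in the repository or the pipeline definition: only the secret OCID does, and the IAM policy of the build runner decides whether it can read that secret. And the vulnerability audit runs before the image is built, so a dependency above the CVSS threshold stops the run before anything is delivered or deployed.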
OCI Cloud Guard
Cloud Guard examines your Oracle Cloud Infrastructure resources for security weaknesses related to configuration, and your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.
- Monitors for risky configurations (open ports, unused keys, misconfigured buckets)
- Uses rules and detectors to flag and respond to threats
- Integrates with other OCI services for automated remediation
Perfect for enforcing security baselines as part of your CI/CD process.
OCI Security Zones
Apply guardrails with security policies baked into the compartments:
- Blocks risky actions (e.g., public DBs)
- Ensures workloads meet compliance and governance standards automatically
Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, Block Volume and Database resources, comply with your security policies.
Deploy Automatically (and Confidently)
OCI DevOps Deployment Pipelines
A sequence of steps for delivering and deploying a set of artifacts to a target environment. The flow and logic of your software release can be controlled by defining stages that can run in serial or parallel. The delivery side of CI/CD:
- Create multi-stage pipelines with approval gates, rollbacks, and parallel deployments
- Deploy to OKE, Functions, Compute, or custom targets
- Track deployment history and success/failure per environment
Works seamlessly with build pipelines for full Git-to-production automation.
OCI Functions
Event-driven, serverless compute built on Fn Project:
- Write functions in Java, Python, Node.js, Go
- Scale automatically based on events or triggers
- Deploy from build artifacts or container images
Great for microservices, APIs, scheduled jobs, or glue logic in your pipeline.
Oracle Kubernetes Engine (OKE)
The reference architecture deploys an OKE cluster as one of the target environments. The worker nodes run Oracle Linux. This architecture uses three worker nodes in the cluster, but you can create up to 5,000 nodes per cluster. Managed Kubernetes, Oracle-style:
- CNCF-compliant, fully managed clusters
- Integrated with IAM, Container Registry, Load Balancers, and Logging
- Auto-scaling, node pools, and lifecycle management
Perfect for teams building containerized applications or adopting GitOps practices.
OCI Container Registry (OCIR)
This architecture deploys the registry as a private Docker registry for internal use. Docker images are pushed to and pulled from the registry. You can also use the registry as a public Docker registry, which lets any user with internet access and knowledge of the appropriate URL pull images from public repositories in OCI.
- Push/pull images securely
- Scan images with third-party security tools
- Deploy directly into OKE or Functions
Acts as the bridge between build and deploy stages in your pipeline.
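The deployment pipeline, OKE and Container Registry sections above describe one path: the build run exports an image tag, the deliver stage pushes the image to a private registry, and the deployment pipeline applies a Kubernetes manifest to the cluster. The manifest below is an added example, not from the original post or from Oracle, of what that artifact can look like. It assumes the manifest is registered as a parameterized Kubernetes manifest artifact so the deployment pipeline substitutes the ${...} placeholders from its parameters (IMAGE_TAG being the build's exported variable), and that a docker-registry pull secret named ocir-pull-secret already exists in the namespace; application name, namespace, port and health path are constructed.

```yaml
# Constructed example: Kubernetes manifest artifact for an OCI DevOps deployment
# pipeline whose target environment is an OKE cluster. ${...} placeholders are
# deployment pipeline parameters substituted before the manifest is applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
  namespace: demo
  labels:
    app: demo-api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo-api
  template:
    metadata:
      labels:
        app: demo-api
    spec:
      # Pull from the private OCIR repository with a docker-registry secret
      # created in the namespace beforehand (secret name is an assumption)
      imagePullSecrets:
        - name: ocir-pull-secret
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: demo-api
          # Registry host, namespace and tag come from pipeline parameters; pinning
          # to the build's commit tag instead of "latest" keeps each deployment
          # traceable to the build run that produced the image
          image: ${OCIR_HOST}/${OCIR_NAMESPACE}/demo-api:${IMAGE_TAG}
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: "250m"
              memory: "256Mi"
            limits:
              cpu: "1"
              memory: "512Mi"
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          volumeMounts:
            # Writable scratch space is the only exception to the read-only root
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: demo-api
  namespace: demo
spec:
  selector:
    app: demo-api
  ports:
    - port: 80
      targetPort: 8080
```

Because the image reference is built from pipeline parameters rather than hard-coded, the same manifest serves dev, stage and prod environments with different registry namespaces, and a rollback in the deployment pipeline simply re-applies the manifest with the previous tag.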
Observability – Monitor, Operate, and Optimize
OCI Logging
The OCI Logging service stores logs related to the deployment. The deployment runtime output and the final results of the deployment are shown as log entries. The OCI Notifications service provides visibility into the latest state of the deployment project and its resources so that you can take any necessary action. For example, you are notified when an important event occurs, such as a stage in a deploy pipeline waiting for approval. When you receive the notification message, you can go to DevOps deployment pipelines and approve the stage. Logging provides centralized logging across all OCI services and custom apps:
- Collect, search, and filter logs in real time
- Create custom queries and alerts
- Export logs to Object Storage or third-party SIEMs
Feeds directly into security tools and helps debug issues post-deployment.
OCI Monitoring
Metric collection and alerting at every level:
- Out-of-the-box metrics for compute, load balancers, databases, Kubernetes, and more
- Custom metrics via SDKs
- Alarms with notifications (e-mail, Slack, etc.)
OCI Events
Oracle Cloud Infrastructure Events enables you to create automation based on the state changes of resources throughout your tenancy. Use Events to allow your development teams to automatically respond when a resource changes its state.
Here are some examples of how you might use Events:
- Send a notification to a DevOps team when a database backup completes.
- Convert files of one format to another when files are uploaded to an Object Storage bucket.
Final Thoughts
Oracle Cloud Infrastructure might not always be the flashiest name in DevOps circles, but when it comes to building a secure, scalable, all-in-one DevSecOps pipeline, it delivers.
Whether you are modernizing a legacy stack or building cloud-native microservices, OCI gives you the tools to:
- Automate everything
- Bake in security and governance
- Monitor, understand, and optimize
You just need the right foundation, and OCI makes it possible.