DevSec For Scale Podcast – Securing Your CI/CD Pipeline w/ Zan Markan, CircleCI

In this episode of the “DevSec for Scale” podcast, host Jeremy Hess welcomes Zan Markan, Senior Developer Advocate at CircleCI. Zan provides a deep dive into best practices for CI/CD pipeline security, particularly for early-stage companies. He underscores the importance of automating pipelines from the outset, enabling smaller teams to compete effectively with larger organizations by deploying features quickly and securely. Zan emphasizes that automation helps ensure code quality, runs various tests, and performs static code analysis and vulnerability scanning.

Zan explains that secrets management is a crucial aspect of pipeline security, warning against storing secrets in repositories. He suggests using tools like Snyk or SonarQube for dependency vulnerability scanning, highlighting their ability to detect issues in complex dependency chains. These tools help flag known vulnerabilities in packages, urging developers to update or downgrade as necessary. He also mentions the importance of static code analysis and dynamic application security testing to identify potential security flaws before they become critical.

Configuration management is another vital area Zan addresses, noting that failing to pin dependency versions can lead to non-deterministic behavior in pipelines. This can cause unexpected breaks due to version changes in dependencies. He also stresses the danger of secrets slipping into repositories, whether they are API keys or webhooks, and the necessity of proper documentation to prevent knowledge loss if key team members leave.

Zan also touches on security policy enforcement in pipelines, recommending manual approval jobs for critical stages like production deployment. He advocates for role-based access control and IP range restrictions to ensure that only authorized changes are deployed. Additionally, he mentions hybrid job execution as an option for companies needing to run jobs within their infrastructure while maintaining centralized orchestration.

Finally, Zan offers practical tips for developers in smaller organizations. He advises integrating dependency and container scanning into automated pipelines, which provides early assurance of code security without significantly disrupting development workflows. These automated scans help catch vulnerabilities early, allowing developers to focus on building and shipping features with confidence.
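To make the practices summarized above concrete, here is an illustrative CircleCI `.circleci/config.yml` added to this page; it is not from the episode or from CircleCI's own documentation. It ties together the points Zan raises: a pinned executor image and lockfile-enforced installs (deterministic dependency versions), dependency and container scanning, secrets injected from contexts rather than stored in the repository, and a manual approval gate in front of the production deploy. The image tags, the context names `scanner-secrets` and `production-secrets`, the `scripts/deploy.sh` path, and the choice of `npm audit` and the Snyk CLI as scanners are assumptions for the example.

```yaml
# .circleci/config.yml (illustrative example; not the episode's or CircleCI's own config)
version: 2.1

jobs:
  build-and-scan:
    docker:
      # Pinned image tag (assumed). A floating tag such as "latest" would make
      # each run non-deterministic; pin to a digest for stricter reproducibility.
      - image: cimg/node:20.11
    steps:
      - checkout
      # "npm ci" installs exactly what package-lock.json records and fails if the
      # lockfile and package.json disagree, so dependency versions stay pinned.
      - run:
          name: Install pinned dependencies
          command: npm ci
      - run:
          name: Unit tests
          command: npm test
      # Dependency vulnerability scan: fails the job on known high/critical advisories.
      - run:
          name: Dependency scan
          command: npm audit --audit-level=high
      # Container scan with the Snyk CLI. SNYK_TOKEN is read from the
      # "scanner-secrets" context attached below, never from the repository.
      - setup_remote_docker
      - run:
          name: Build and scan container image
          command: |
            docker build -t app:${CIRCLE_SHA1} .
            npx snyk container test app:${CIRCLE_SHA1} --severity-threshold=high

  deploy-production:
    docker:
      - image: cimg/base:2024.01   # assumed pinned tag
    steps:
      - checkout
      - run:
          name: Deploy to production
          # Production credentials arrive via the "production-secrets" context;
          # scripts/deploy.sh is a hypothetical deploy script in the repo.
          command: ./scripts/deploy.sh

workflows:
  build-scan-deploy:
    jobs:
      - build-and-scan:
          context: scanner-secrets        # assumed context holding SNYK_TOKEN
      # Manual gate: the workflow pauses here until someone approves it in the
      # CircleCI UI. Approval jobs need no definition under "jobs:".
      - hold-for-production:
          type: approval
          requires:
            - build-and-scan
          filters:
            branches:
              only: main
      - deploy-production:
          requires:
            - hold-for-production
          # Assumed to be a context restricted (in org settings) to a release
          # group, so only members of that group can let this job read the
          # production credentials: role-based control over what gets deployed.
          context: production-secrets
          filters:
            branches:
              only: main
```

Two design choices are worth noting. Scanning runs in the same job as the build so a failed `npm audit` or Snyk scan stops the workflow before the approval step is ever reached, which is the "early assurance" Zan describes. And the approval job sits between the scan and the deploy rather than in front of the scan, so the person approving sees a pipeline that has already passed its automated checks and is only deciding whether the change should ship.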

Overall, Zan’s insights emphasize the importance of proactive, automated security practices in CI/CD pipelines, particularly for early-stage companies striving to maintain competitive and secure development processes.