Your code works. Your pipeline doesn't protect it.
Hey,
New article on the blog: Hands-On: A Production CI/CD Pipeline with Security Scanning.
Most pipelines do build → test → deploy. That's fine until a container image with a critical CVE reaches production. Or a JWT secret ends up hardcoded in a commit. Unit tests don't catch that.
In this article I build a complete Azure DevOps pipeline with five stages: build, SAST, container scanning with Trivy, rolling deploy to AKS, and a smoke test that verifies the deployment is healthy. All designed with ATLAS + GOTCHA — first the checklist, then the prompt, then the YAML.
Three things the AI got wrong (and how the GOTCHA heuristics made the fix obvious):
Image tags that weren't traceable to a git commit
A Trivy action that only works in GitHub Actions, not Azure DevOps
Deploy conditions that would accidentally trigger on PR branches
The full pipeline YAML is in the article, ready to copy and adapt.
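As an added illustration (my own sketch, not the article's YAML), here is how the three fixes above look in Azure Pipelines syntax; the service connection names, registry, repository and manifest path are assumptions, and the SAST and smoke-test stages are left out.

```yaml
# Added example, not the article's YAML. Assumed names: service connections
# 'acr-connection' and 'aks-connection', registry 'myregistry.azurecr.io',
# repository 'myapp', manifest 'k8s/deployment.yaml'.
trigger:
  branches: { include: [main] }
pr:
  branches: { include: [main] }   # PR builds still build and scan, but never deploy
pool: { vmImage: ubuntu-latest }
variables:
  registry: myregistry.azurecr.io
  repo: myapp
  # Fix 1: tag with the commit SHA so any running image is traceable to git
  tag: $(Build.SourceVersion)
stages:
- stage: BuildAndScan
  jobs:
  - job: Build
    steps:
    - task: Docker@2
      displayName: Build image (pushed only after the scan passes)
      inputs:
        command: build
        containerRegistry: acr-connection
        repository: $(repo)
        tags: $(tag)
    # Fix 2: run the Trivy CLI directly (a GitHub-only action does not run here);
    # --exit-code 1 fails the job on unfixed CRITICAL/HIGH findings
    - script: |
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
        trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed $(registry)/$(repo):$(tag)
      displayName: Trivy container scan
    - task: Docker@2
      inputs: { command: push, containerRegistry: acr-connection, repository: $(repo), tags: $(tag) }
- stage: Deploy
  dependsOn: BuildAndScan
  # Fix 3: deploy only from main on a CI run, never on a pull-request validation build
  condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'), ne(variables['Build.Reason'], 'PullRequest'))
  jobs:
  - deployment: RollingDeploy
    environment: production
    strategy:
      runOnce:
        deploy:
          steps:
          - task: KubernetesManifest@1
            inputs:
              action: deploy
              kubernetesServiceConnection: aks-connection
              manifests: k8s/deployment.yaml
              containers: $(registry)/$(repo):$(tag)
```

The scan runs against the locally built image before the push step, so an image with unfixed critical or high findings never reaches the registry, let alone the cluster.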
Until next time, Victor