Engineer III, Software

Posted:
5/31/2026, 5:00:00 PM

Location(s):
Bengaluru, Karnataka, India ⋅ Karnataka, India

Experience Level(s):
Expert or higher ⋅ Senior

Field(s):
DevOps & Infrastructure ⋅ Software Engineering

Work Schedule

First Shift (Days)

Environmental Conditions

Office

Job Description

Job Title 

Senior DevSecOps Engineer – SBOM, SAST & CI/CD Security Automation (6–10 years) 

 

Job Description 

We are seeking a Senior DevSecOps Engineer (6–10 years of experience) to lead security automation and tooling integration across MSD projects. This role will focus on embedding security controls into the software delivery lifecycle (specifically SBOM generation and quality improvement, secret scanning, and SAST integration) and on automating security report generation and publishing into platforms such as Dependency-Track and DefectDojo. 

You will work closely with engineering, DevOps, and security stakeholders to ensure scalable, repeatable, and measurable security practices are implemented through CI/CD pipelines, while continuously improving technical documentation and onboarding guidance for teams adopting these capabilities. 

 

Key Responsibilities 

  • Integrate and operationalize security tooling within MSD projects, including: 

      • SBOM generation and validation 

      • Secret scanning 

      • SAST (Static Application Security Testing) 

  • Improve the quantity (coverage) and quality of generated SBOMs by defining standards, validation gates, and measurable KPIs (e.g., completeness, dependency accuracy, license metadata, component version resolution). 

  • Design and maintain CI/CD automation to generate security reports and automatically publish results to: 

      • Dependency-Track (SBOM ingestion / component risk analysis) 

      • DefectDojo (centralized vulnerability management / reporting) 

  • Build and maintain “security as code” patterns (pipeline templates, reusable scripts, standardized configs) to enable broad adoption across multiple repositories/teams. 

  • Establish secure and scalable practices for credential handling in pipelines (least privilege, secret management patterns, rotation support). 

  • Create, maintain, and continuously improve documentation (runbooks, onboarding guides, troubleshooting, reference architecture) to support platform adoption. 

  • Provide operational support for security tooling integrations, including triage of pipeline failures, report ingestion issues, and tooling upgrades. 

  • Contribute to continuous improvement of DevSecOps strategy, governance, and compliance alignment through automation and measurable outcomes. 

 

Required Skills 

  • 6–10 years of experience in DevOps / DevSecOps / Security Engineering / Platform Engineering roles with strong CI/CD ownership. 

  • Strong hands-on experience integrating security tools into CI/CD pipelines (e.g., Jenkins, GitHub Actions, GitLab CI). 

  • Practical expertise in: 

      • SBOM generation and management (e.g., CycloneDX, dependency discovery, artifact association) 

      • Secret scanning integrations and tuning 

      • SAST integration, configuration, and triage workflows 

  • Experience automating generation, transformation, and publishing of security results (APIs, JSON handling, pipelines-as-code, scripting). 

  • Experience integrating with or operating vulnerability/SBOM platforms such as Dependency-Track and DefectDojo (or equivalent tools). 

  • Strong scripting skills (Python, PowerShell, Bash, etc.) for automation and tooling glue. 

  • Strong troubleshooting skills across build systems, SCM workflows, containers/artifacts, and security tooling outputs. 

  • Ability to write clear technical documentation and drive adoption across teams. 

 

Desirable Skills 

  • Experience improving SBOM quality metrics and implementing policy gates (completeness checks, schema validation, build provenance, license metadata enrichment). 

  • Experience with container security and artifact scanning (images, binaries, registries), plus SBOM provenance linkage. 

  • Knowledge of secure software supply chain practices (SLSA concepts, signing/attestation, provenance, dependency pinning). 

  • Experience working in regulated or security-focused environments with strong auditability requirements. 

  • Exposure to internal developer platform patterns (golden pipelines, reusable actions, templates, centralized governance). 


Thermo Fisher Scientific

Website: https://www.thermofisher.com/

Headquarter Location: Waltham, Massachusetts, United States

Employee Count: 10001+

Year Founded: 2006

IPO Status: Public

Last Funding Type: Post-IPO Debt

Industries: Bioinformatics ⋅ Biotechnology ⋅ Cloud Data Services ⋅ Consulting ⋅ Health Care ⋅ Life Science ⋅ Management Information Systems ⋅ Office Supplies ⋅ Precision Medicine