United States | Information Security | Volume 10 Issue 5, May 2021 | Pages: 1383 - 1382
Automated Policy Enforcement in DevSecOps: OPA, Kyverno, and Tekton Chains for Supply Chain Integrity
Abstract: As software development increasingly relies on fast, iterative delivery through CI/CD pipelines, ensuring robust security across the pipeline has become a critical challenge. The rise of DevSecOps promotes embedding security earlier in the development lifecycle. Still, traditional approaches often fall short in handling the complexity of cloud-native environments and securing the software supply chain. This paper explores the intersection of DevSecOps practices and Policy-as-Code tooling within Kubernetes-native pipelines to address key issues such as insecure configurations, weak policy enforcement, and limited build transparency. It highlights the role of tools like Open Policy Agent (OPA), Gatekeeper, Kyverno, Tekton Pipelines, and in-toto in automating compliance, enforcing policies, and validating build integrity. By identifying core problem areas, including misconfigurations, dependency risks, and lack of verifiable artifact metadata, the paper proposes a framework for improving CI/CD security posture. The proposed approach aims to strengthen trust, ensure artifact provenance, and enable scalable, secure software delivery in cloud-native environments.
Keywords: Open Policy Agent (OPA), DevSecOps, Kyverno, Tekton Pipelines, in-toto, software supply chain security, artifact verification, admission control, Gatekeeper