Will security gates slow our teams down?

Not if they’re automated, fast, and specific. In this engagement, p95 time-to-merge increased by 8 minutes, deployment frequency stayed flat, and change failure rate didn’t move. The trick is picking high-signal checks (SBOM + IaC policy), providing golden templates, and making failure messages fixable without a meeting.

Why Kyverno and not Gatekeeper?

Both work. Kyverno’s policy ergonomics (patterns, verifyImages) are friendlier for platform teams and don’t require learning Rego for common cases. If your org already speaks Rego and wants centralized OPA, Gatekeeper is fine. We’ve implemented both at banks and SaaS unicorns; pick the one your team will actually maintain.

Do we need Cosign and SBOMs if we already scan images?

Yes. Scanning images after they’re built doesn’t tell you what changed or whether the artifact is trustworthy. SBOMs give you visibility into transitives (think Log4Shell), and Cosign ensures you only run what you built. Together with provenance attestations, you get real supply-chain integrity, not just best-effort scanning.

What about developers working locally?

Make the paved path the easy path. Use pre-commit hooks (`detect-secrets`, `tfsec`, `yamllint`), dev containers with default policies, and local `conftest` scripts. The same checks run locally and in CI, so PR failures are rare and predictable.

Case-studies · Oct 4, 2025 · 10 minute read

The Security Gates That Didn't Slow Us Down: How a B2B Fintech Dodged a Seven-Figure Breach

Security-first development usually reads like overhead. Here’s how making it the default saved a payments platform from a very public, very expensive incident—without killing velocity.

Back to all posts

The Security Gates That Didn't Slow Us Down: How a B2B Fintech Dodged a Seven-Figure Breach

Key takeaways

Implementation checklist