Home Certification & Exams Advanced Exam Content & GitLab CI/CD Templates: A Complete Guide for DevSecOps Certifications

Advanced Exam Content & GitLab CI/CD Templates: A Complete Guide for DevSecOps Certifications

Last updated on Jan 21, 2026

Advanced Exam Content & GitLab CI/CD Templates: A Complete Guide for DevSecOps Certifications

Preparing for a DevSecOps certification? Whether you’re tackling the GitLab Certified DevSecOps Professional (CDP) or the GitLab Certified DevSecOps Engineer (CDE), understanding the exam expectations and the best‑practice CI/CD patterns is essential. This article breaks down the core “DevSecOps Gospel” principles, walks you through the basic GitLab pipeline template, clarifies the scope of each certification, and offers practical tips to help you succeed.

1. The DevSecOps Gospel – Guiding Principles for Secure Pipelines

The “DevSecOps Gospel” is a concise set of guidelines that keep security scanning fast, reliable, and collaborative. Treat them as a checklist you can embed directly into your pipelines (or even as code comments) to demonstrate compliance during the exam.

1.1. Collaboration First

  • Maintain cordial relationships with Development, QA, and Operations teams.

  • Encourage shared ownership of security findings rather than “blame‑the‑tool” mentalities.

1.2. Build‑Failure Policy

  • Only fail builds when you have reached maturity level 3 or 4 (i.e., you have a mature remediation process).

  • Early‑stage projects can surface warnings without breaking the CI flow.

1.3. Performance Constraints

  • Never run a scan that exceeds 10 minutes in a single job.

  • Split heavy tools into separate jobs or use incremental scans to stay within the limit.

1.4. Job Isolation & Incremental Roll‑out

  • Create a dedicated job for each tool/scan (e.g., SAST, DAST, secret detection).

  • Roll out tools iteratively—introduce a new scanner in a low‑risk branch first, even if critical issues appear.

1.5. Tool Selection Criteria

  • API/CLI availability is mandatory; tools without programmable interfaces are a red flag.

  • Prefer per‑use licensing models (pay‑as‑you‑go) to keep costs predictable.

  • Verify that the vendor supports incremental or baseline scans to reduce runtime.

1.6. Custom Rules & Tuning

  • Create custom rule sets for SAST/DAST to tailor detection to your codebase.

  • Remember: a scanner is only as useful as the rules you configure.

1.7. Everything as Code (EaC)

  • Store pipeline definitions, security policies, and scan configurations in version‑controlled code.

  • This provides auditability, measurability, and repeatability—key exam criteria.

1.8. False‑Positive Management as Code

  • Encode false‑positive handling (e.g., allowlist files) directly in the repository.

  • This keeps the scope of scans deterministic and prevents “noise” from polluting reports.

1.9. Knowledge Sharing

  • Link tool documentation (wiki URLs) in pipeline comments.

  • This creates a living knowledge base for teammates and exam reviewers.

Practical Example – A simple SAST job that respects the Gospel:

sast_scan:
  stage: test
  script:
    - echo "Running SAST with custom rules..."
    - ./run-sast --rules ./sast-rules.yml --baseline $CI_COMMIT_SHA
  timeout: 10m
  artifacts:
    reports:
      sast: gl-sast-report.json
  when: on_success
  tags:
    - security
  # 📚 Docs: https://mycompany.gitlab.io/security/sast

2. Basic GitLab CI/CD Template

GitLab provides a set of official CI/CD templates that you can include in any project. The most common starting point for DevSecOps is the Security template, which bundles SAST, DAST, Dependency Scanning, Container Scanning, and Secret Detection.

2.1. Minimal Template Structure

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - build
  - test
  - security
  - deploy

  • include pulls the pre‑defined jobs from GitLab’s shared library.

  • stages ensure security jobs run after unit tests but before deployment.

You can further customize each job (timeout, rules, variables) to align with the Gospel principles described above.

Reference: Full list of templates – https://docs.gitlab.com/ee/development/cicd/templates.html

3. CDP vs. CDE – What the Exams Actually Test

Aspect GitLab Certified DevSecOps Professional (CDP) GitLab Certified DevSecOps Engineer (CDE)
Focus Core implementation of DevSecOps pipelines, basic scanning, and reporting. Advanced configuration, custom rule creation, integration of third‑party tools, and deep security orchestration.
Tool Configuration Use out‑of‑the‑box templates; minimal tuning. Build custom rule sets, incremental scans, and false‑positive handling as code.
Maturity Expectations Demonstrate understanding of the DevSecOps Gospel and basic pipeline hygiene. Show expertise in scaling pipelines, optimizing performance, and extending GitLab’s security features.
Typical Tasks Add SAST/DAST jobs, interpret reports, remediate findings. Write custom SAST rules, script baseline scans, integrate API‑driven security tools.

Bottom line: The CDP exam validates that you can set up a secure CI/CD workflow. The CDE exam expects you to extend and fine‑tune that workflow for large‑scale, enterprise environments.

4. Common Questions & Pro Tips

Q1: Can I fail a build for a low‑severity issue?

A: Not in early maturity levels. Reserve build failures for critical or high severity findings once you have a mature remediation process (level 3‑4).

Q2: What if a scanner needs 12 minutes?

A: Split it into two jobs (e.g., scan_part1 and scan_part2) or enable incremental scanning to reduce runtime.

Q3: Do I need to write custom rules for every scanner?

A: Not mandatory for CDP, but highly recommended for CDE. Even a single custom rule demonstrates “Everything as Code”.

Q4: How do I prove I followed the Gospel in the exam?

A: Include pipeline comments with links to tool wikis, and commit your allowlist/baseline files alongside the .gitlab-ci.yml. The exam reviewers can see the evidence directly in the repository.

Q5: Does the CDP exam include advanced configuration of tools?

A: CDP will cover the basics of implementing DevSecOps, while CDE delves into more advanced topics such as creating custom rules and related subjects that are mainly for experts.

Pro Tip – Template‑Driven Audits

Create a gospel.yml file that lists all Gospel checks (e.g., max timeout, API availability). Use a small script in the pipeline to lint this file and fail the job if any rule is violated. This demonstrates automated compliance—a strong signal for both exams.

gospel_audit:
  stage: test
  script:
    - ./scripts/gospel_lint.sh gospel.yml
  allow_failure: false

5. Wrapping Up

Mastering the DevSecOps Gospel and the basic GitLab CI/CD template puts you on solid footing for the CDP exam. To graduate to the CDE, dive deeper: craft custom rule sets, automate false‑positive handling, and treat every security artifact as code. By embedding these practices into your pipelines, you’ll not only pass the certifications but also build truly secure, maintainable software delivery processes.

Good luck, and happy scanning!