Azure DevSecFinOps: Automating Governance at Scale
How we embedded Policy-as-Code and Infracost financial guardrails into GitHub Actions CI/CD pipelines for Azure landing zones.
βFinOps isnβt just reviewing an Azure invoice at the end of the month. Itβs blocking a pull request before an engineer accidentally provisions a $10,000/month VM size.β
At Kyndryl, as Associate Director, I led the deployment of automated DevSecFinOps Guardrails into GitHub Actions CI/CD pipelines.
Shifting Security and Cost Left
- SecOps Gate (Checkov): Scans Terraform code for unencrypted storage accounts or permissive NSG rules (
0.0.0.0/0). - FinOps Gate (Infracost): Parses
terraform planoutput, calculating exact monthly cost impacts directly on pull requests.
# # GitHub Action FinOps Execution Gate
- name: Run Infracost Analysis
uses: infracost/actions/setup@v2
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
- name: Post Cost Comment to PR
run: |
infracost breakdown --path=. --format=json --out-file=infracost.json
infracost comment github --path=infracost.json --repo=$GITHUB_REPOSITORY --github-token=${{ secrets.GITHUB_TOKEN }}
[!IMPORTANT] If a developer PR increases monthly cloud cost by more than $1,000 without prior FinOps tag approval, the build pipeline fails automatically.
The Verdict
Key Takeaway
Automate Cost and Security Enforcement Before Merge.
Shift security and cost checks directly into your CI/CD pipelines. Using tools like Checkov and Infracost prevents technical debt and budget overruns before code reaches production.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.