Sumit Arora

Full-Stack Architect

Brisbane, Australia
January 10, 2026
Product Vision

DevSecOps Compass: The Missing Layer Between Developers and Operations

After 25 years building systems from startups to large enterprises, I've seen the same problem everywhere: DevSecOps teams and developers speak different languages. Here's the platform I'd build to fix it.

The Problem Nobody Talks About

In every organisation I've worked with, there's an invisible wall between developers and DevSecOps. The symptoms are familiar:

  • DevSecOps raises security issues. Developers don't understand the urgency.
  • Developers need deployment help. DevSecOps doesn't understand the code.
  • Security scans block releases. Features get delayed. Customers get frustrated.
  • Nobody knows which repositories are active, retired, or abandoned.
  • "Who owns this service?" is a 30-minute investigation.

The Real Issue: No Single Source of Truth

Most organisations have 50-500+ repositories. Each one has:

  • Code: GitHub, GitLab, Bitbucket
  • Infrastructure: AWS, Azure, GCP, K8s
  • Security: Snyk, SonarQube, Trivy

But this information lives in different systems. When you need to answer simple questions, you're hunting across 5+ tools:

  • "Which services call the payments API?"
  • "Who do I contact about the user-service?"
  • "Is this repository still in use?"
  • "What vulnerabilities exist in production right now?"
  • "What's our AWS spend for this microservice?"

Each question takes 15-30 minutes to answer. Multiply by 10 questions/day across a team.

The Vision: DevSecOps Compass

A centralized platform that gives everyone — developers, DevSecOps, product managers, CTOs — a single view of the entire technology landscape.

Core Principle

One question, one place. Any question about your technology stack — who owns it, what it does, how it's deployed, what's broken — answered in under 10 seconds.

What It Tracks

Repositories
  • Active/Retired/Development status
  • README completeness
  • Last commit date
  • Branch protection rules
Ownership
  • Team assignments
  • Primary/Secondary contacts
  • On-call schedules
  • Slack channels
Dependencies
  • Service-to-service connections
  • API consumers
  • Database dependencies
  • Third-party integrations
Security
  • Vulnerability scans
  • Compliance status
  • Secret detection
  • License compliance
Infrastructure
  • Cloud resources (AWS/Azure/GCP)
  • Kubernetes deployments
  • Cost allocation
  • Resource utilization
Documentation
  • API specs (Swagger/OpenAPI)
  • Architecture diagrams
  • Runbooks
  • Change logs

Key Features

1. Service Catalog & Dependency Map

Visual representation of your entire microservices ecosystem. Click any service to see what it depends on, what depends on it, and who owns it.

user-service → auth-service → database-postgres
user-service → notification-service → aws-ses
user-service → payment-service → stripe-api
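As an added illustration (not code from this post or from any product the author describes), here is a small Python dependency map built over the three chains above, extended with a hypothetical checkout-service and constructed ownership data; every service and team name is an assumption. It answers the two catalog questions the text poses, what a service depends on and what depends on it, and treats the reverse lookup as the blast radius you would want when a service breaks or carries a vulnerability.

```python
from collections import defaultdict, deque

# Constructed sample edges (caller -> callee), extending the three chains in
# the text with a hypothetical checkout-service so that one callee has more
# than one consumer. All service names are illustrative.
EDGES = [
    ("user-service", "auth-service"),
    ("auth-service", "database-postgres"),
    ("user-service", "notification-service"),
    ("notification-service", "aws-ses"),
    ("user-service", "payment-service"),
    ("payment-service", "stripe-api"),
    ("checkout-service", "payment-service"),
    ("checkout-service", "user-service"),
]

# Constructed ownership data; the external dependencies deliberately have none.
OWNERS = {
    "user-service": "identity-team",
    "auth-service": "identity-team",
    "notification-service": "platform-team",
    "payment-service": "payments-team",
    "checkout-service": "commerce-team",
}


class DependencyMap:
    """Catalog view of a service graph with forward and reverse lookups."""

    def __init__(self, edges, owners):
        self.downstream = defaultdict(set)  # service -> services it calls
        self.upstream = defaultdict(set)    # service -> services that call it
        self.services = set()
        self.owners = dict(owners)
        for caller, callee in edges:
            self.downstream[caller].add(callee)
            self.upstream[callee].add(caller)
            self.services.update((caller, callee))

    @staticmethod
    def _reachable(start, adjacency):
        # Breadth-first walk; the seen-set also keeps cycles from looping.
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adjacency.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def depends_on(self, service):
        """Everything a service relies on, directly or transitively."""
        return self._reachable(service, self.downstream)

    def consumers_of(self, service):
        """Everything that relies on a service: the blast radius if it
        breaks or is found vulnerable."""
        return self._reachable(service, self.upstream)

    def direct_callers(self, service):
        """Answers 'which services call X?' without transitive closure."""
        return set(self.upstream.get(service, ()))

    def teams_to_notify(self, service):
        """Owner of the service plus owners of every transitive consumer."""
        affected = self.consumers_of(service) | {service}
        return {self.owners[s] for s in affected if s in self.owners}

    def unowned(self):
        """Services with no owner: the '30-minute investigation' list."""
        return {s for s in self.services if s not in self.owners}


if __name__ == "__main__":
    catalog = DependencyMap(EDGES, OWNERS)
    print("calls payment-service:", sorted(catalog.direct_callers("payment-service")))
    print("blast radius of database-postgres:", sorted(catalog.consumers_of("database-postgres")))
    print("teams to notify for payment-service:", sorted(catalog.teams_to_notify("payment-service")))
    print("unowned:", sorted(catalog.unowned()))
```

The reverse adjacency is the part most catalogs skip: a finding in payment-service is a payments-team problem, but the teams who have to decide whether to hold a release are the owners of everything upstream of it, which `teams_to_notify` returns from the same graph.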

2. Repository Health Dashboard

Every repository scored on documentation, security, activity, and compliance. Identify abandoned repos, missing READMEs, and security risks at a glance.

  • 142 Healthy
  • 38 Warning
  • 12 Critical
  • 67 Retired

3. AI-Powered Issue Resolution

When a security vulnerability is detected, the platform doesn't just alert — it provides context-aware remediation guidance in developer-friendly language.

CVE-2024-1234 detected in lodash@4.17.15
Impact: Prototype pollution vulnerability allows remote code execution.
Fix: Update to lodash@4.17.21 or higher.
Command: npm update lodash

4. Cloud Cost Attribution

Link AWS/Azure/GCP resources directly to repositories and teams. Answer "how much does this service cost?" instantly.

user-service monthly cost: $2,847
  • ECS Fargate: $1,240
  • RDS PostgreSQL: $890
  • ElastiCache Redis: $450
  • CloudWatch: $267

5. API Catalog with Swagger Integration

Auto-discover and catalog all APIs across your organisation. Link OpenAPI specs, track versions, identify undocumented endpoints.

6. People Directory & On-Call

"Who do I contact about X?" answered in one click. Integrates with PagerDuty, OpsGenie, and Slack for real-time availability.

Who Benefits?

  • Developers (save 30+ min/day): Find documentation, understand dependencies, get security fix guidance — without leaving their IDE or opening 5 different tools.
  • DevSecOps (reduce friction 80%): Track vulnerabilities across all repos, prioritize by business impact, communicate fixes in language developers understand.
  • Product Managers (clear visibility): See which features are blocked by security issues, understand deployment status, plan releases with real data.
  • Customer Success (faster resolution): Quickly identify which service is causing customer issues, find the right team to escalate to.
  • CTOs / Engineering Leaders (strategic decisions): High-level dashboards showing tech debt, security posture, cloud costs, and team ownership gaps.

The ROI Case

  • 30% reduction in security fix time
  • 2 hours saved per developer per week
  • 15% cloud cost reduction via visibility

For a 50-developer team at $150K average cost, 2 hours/week saved = $375K/year in recovered productivity.

How It Works (Technical)

1. Data Collection: Agents sync with GitHub/GitLab, AWS/Azure/GCP, Kubernetes and security scanners via their APIs.
2. Normalization: Data is unified into a common schema: services, owners, dependencies, vulnerabilities, costs.
3. Relationship Mapping: AI analyzes code imports, API calls and infrastructure configs to build the dependency graph.
4. Scoring Engine: Each repository is scored on documentation, security, activity and compliance criteria.
5. AI Layer: An LLM generates remediation guidance, answers natural language queries and identifies patterns.
6. Presentation: Web dashboard, IDE plugins, Slack bot, and an API for CI/CD integration.

What It Looks Like

Below are conceptual screens showing the platform in action.

  • Dashboard Overview: Repository health, security alerts, cloud costs, team activity — all in one view
  • Service Detail: Dependencies, owners, APIs, vulnerabilities, costs for a single service
  • Dependency Map: Visual graph of service connections across your entire stack

Why Doesn't This Exist Already?

There are pieces of this solution in the market:

  • Backstage (Spotify) — Service catalog, but requires heavy customization
  • Port, Cortex, OpsLevel — Developer portals, but often lack security depth
  • Snyk, SonarQube — Security scanning, but siloed from ownership data
  • CloudHealth, Kubecost — Cost management, but disconnected from code

The gap is integration. Each tool solves one problem. The value is connecting them into a single, queryable system that anyone in the organisation can use without specialist knowledge.

Interested in Building This?

This is a product vision based on real problems I've seen across dozens of organisations. If you're facing these challenges and want to explore building a solution — whether as a custom internal tool or a commercial product — let's talk.
