Hiring: DevSecOps Engineer (CI/CD & OpenShift) at San Francisco, CA (Onsite)

San Francisco, CA, US • Posted 2 hours ago • Updated 2 hours ago
Contract Corp To Corp
Contract W2
Contract Independent
On-site

Job Details

Skills

  • DevOps
  • Azure
  • AWS
  • CI/CD
  • OpenShift
  • Argo CD
  • SAST

Summary

Role: DevSecOps Engineer (CI/CD & OpenShift)

Location: San Francisco, CA (Onsite)

Employment Type: Contract

Role Summary

We are seeking a DevSecOps Engineer to lead the architecture, implementation, and optimization of our CI/CD platforms and OpenShift (OCP)-based container application delivery. You will set strategy and standards for secure software supply chains, automate everything from build to production, and partner with product, security, and SRE teams to deliver reliable, compliant, and high-velocity releases at scale.

You'll be the technical authority for pipeline design, GitOps, OCP cluster/platform engineering, and DevSecOps controls, enabling teams to ship faster with built-in security and observability.

Key Responsibilities

Platform Architecture & Ownership

  • Own the end-to-end CI/CD architecture (e.g., GitHub Actions / Azure DevOps / Jenkins / GitLab CI) and OpenShift (OCP) platform setup across multiple environments (Dev to Prod).
  • Design and implement GitOps workflows (e.g., Argo CD/Flux) for declarative, auditable, and automated environment management.
  • Define multi-tenant OCP standards: projects/namespaces, RBAC, network policies, resource quotas/limits, SCCs/PSA, and cluster add-ons (ingress, service mesh, operators).

Security by Design (DevSecOps)

  • Embed SAST/DAST/SCA/Secrets scanning into pipelines; enforce policy gates with tools like SonarQube, OWASP ZAP, Trivy/Grype, Anchore, Snyk, or Aqua.
  • Establish and automate SBOM, image signing (cosign/Notary), provenance/attestations (SLSA), and supply chain risk controls.
  • Harden OCP clusters and pipelines (image policies, admission controllers, network policies, security contexts, TLS, secrets mgmt) per CIS, NIST, and organizational standards.

Build & Release Engineering

  • Standardize pipeline templates (reusable, parameterized) for microservices and data/ML workloads; optimize build caching, parallelization, and artifact/versioning strategies.
  • Implement progressive delivery (blue/green, canary) and rollout safeguards with Argo Rollouts or service mesh.
  • Manage artifact repositories/registries (Nexus/Artifactory/Harbor, Quay/OCP Image Registry).

Reliability, Observability & Cost

  • Instrument end-to-end observability (logs/metrics/traces) across CI/CD and OCP using tools like Prometheus, Grafana, Loki, ELK/Elastic, and OpenTelemetry.
  • Improve pipeline and deployment MTTR, reduce change failure rate, and increase deployment frequency.
  • Build capacity & cost visibility for OCP (cluster autoscaling, right-sizing, quota policies, node pools/infra nodes, FinOps guardrails).

Governance & Enablement

  • Define governance for branching, release versioning, environment promotions, access control, and compliance evidence.
  • Lead inner-source enablement (documentation, starter repos, golden paths, developer portals/Backstage).
  • Mentor engineers; lead root cause analysis for platform and release incidents.

Required Qualifications

  • 10+ years in DevOps/Platform/SRE/Build & Release; 3+ years in a principal/lead capacity.
  • Deep expertise in CI/CD: Git-based workflows; one or more platforms (GitHub Actions, Azure DevOps, Jenkins, GitLab CI). Strong with YAML pipelines, runners/agents, caching, artifact mgmt.
  • Expertise in OpenShift (OCP): cluster administration, Operators, Routes/Ingress, SCC/PSA, Quay/registry, Service Mesh (optional), and OCP GitOps (Argo CD). Kubernetes fundamentals required.
  • Security: Hands-on with SAST/DAST/SCA, container scanning, SBOMs (CycloneDX/SPDX), image signing (cosign), secrets management (Vault/External Secrets), policy as code (OPA/Gatekeeper/Kyverno).
  • Infrastructure as Code: Terraform/ArgoCD Helm/Kustomize; strong GitOps principles.
  • Programming/Scripting: Proficiency in Bash and one of Python/Go/TypeScript for tooling and automation.
  • Observability: Prometheus/Grafana, ELK/Elastic/Loki, OpenTelemetry; pipeline telemetry/SLIs.
  • Cloud: Experience with at least one major cloud (AWS/Azure/Google Cloud Platform) integrating managed services with OCP (e.g., ROSA/ARO) or IPI/UPI installations.

Preferred Qualifications

  • Certifications: Red Hat OpenShift (e.g., EX280/EX288), CKA/CKAD/CKS, Azure/AWS/Google Cloud Platform, Security+ or equivalent.
  • Supply Chain Security: Familiarity with SLSA, NIST SSDF, CIS benchmarks, and compliance regimes (SOC 2, PCI, HIPAA).
  • Progressive Delivery: Argo Rollouts, service mesh traffic shifting (Istio/OSSM/Kourier).
  • Data/ML pipelines experience (if relevant), GPU workloads on OCP.
  • Experience in regulated industries (financial services, healthcare, public sector).

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 91165889
  • Position Id: 2026-354

Company Info

About Key2Source INC

At Key2Source, we recognize your drive for a competitive edge and are equipped with the expertise and resources to provide the technological advantage you seek. We offer advanced, professional staffing solutions, both permanent and contingent, throughout the United States. Our extensive database of staffing resources is supported by a robust Human Resources management system, ensuring high quality.

To support your success, we continually refine our expertise and invest heavily in the training and development of our team, utilizing the latest technology. Our commitment to excellence is reflected in our near 100% client retention rate across diverse industries such as IT/ITES, retail, telecom, e-commerce, FMCG, logistics, pharmaceuticals, and more. Our dedication to quality and our proven track record establish us as a leader in workforce solutions.
