What is GitOps?
GitOps is an operational framework that treats Git as the definitive source of truth and leverages Git’s version-control capabilities to manage and automate deployments.
Several core principles drive GitOps effectiveness:
It uses a declarative approach, defining the desired state of infrastructure through configuration files in Git.
GitOps tracks and manages all changes using Git’s version-control system, which creates a complete history of modifications.
The process applies changes automatically by syncing updates from Git to the infrastructure and applications.
GitOps practices continuously monitor the system’s state in real time and enforce alignment with the desired state you declare in Git.
The State of Code Security Report [2025]
GitOps depends on version control security, yet the State of Code Security Report 2025 found that secrets exposure remains a critical risk, with 61% of organizations having secrets in public repositories.
Download report
What is DevOps?
It’s important not to confuse GitOps with Development and Operations (DevOps). While both work together to achieve optimal code security, they’re different operational models.
DevOps combines systems to quickly move reliable builds through continuous integration, consistent delivery, and shared accountability. With it, you get tighter feedback loops, faster deployments, and better collaboration across teams. The set of DevOps practices and technologies allows you to ship code quickly, securely, and at scale.
Here’s a closer comparison of the two models:
| Aspect | Description |
|---|---|
| DevOps | A culture and process that unifies development and operations for faster, more reliable software delivery |
| GitOps | A Git-based deployment model that uses declarative configurations and automated reconciliation to manage infrastructure |
Organizations often use DevOps and GitOps together—they aren’t mutually exclusive. Teams typically use GitOps to apply DevOps principles by managing infrastructure through Git, which offers built-in automation and security.
CI/CD Pipeline Security Best Practices [Cheat Sheet]
In this 13 page cheat sheet we'll cover best practices in the following areas of the CI/CD pipeline: Infrastructure security, code security, secrets management, access and authentication, monitoring and response.
Download Cheat Sheet
How does GitOps work?
Using GitOps to improve your cloud security is especially important. According to Wiz’s State of Code Security in 2025, “GitHub leads the pack with 80% of total repos.” This dominance makes GitHub a high-value target for attackers, and any misconfiguration or leaked secret can have a wide blast radius. With so much of your infrastructure defined in code and stored in Git, securing these repos is the foundation for protecting your cloud environments.
Here’s a breakdown of how GitOps works:
Declarative IaC
Declarative infrastructure-as-code (IaC) is the backbone of GitOps. Instead of scripting every step manually, you use it to define what your infrastructure should look like, and use Git to execute the desired state. This makes your environment predictable, repeatable, and easy to audit.
With Wiz’s IAC scanning, teams get visibility into how those declarations translate into real-world cloud posture. Our platform also helps you catch misconfigurations and enforce security policies from the very first commit, giving you confidence that what’s in Git is actually what’s running.
Version-controlled system state
Git isn’t just for source code—it’s also a full history of your infrastructure. It logs and reviews changes, making quick rollbacks easy if a misconfiguration or disruption occurs. That kind of traceability is a game-changer for teams dealing with audits and compliance or trying to make sense of their complex environments.
An effective cloud-native application protection platform (CNAPP) builds on these capabilities by mapping changes to real-time risk context. If a commit introduces something risky, for instance, the platform flags it before it hits production. And if you need to roll back, you know exactly which state was safe.
Automated reconciliation loops
Reconciliation loops demonstrate the real power of GitOps. These loops constantly check your running infrastructure against what’s declared in Git and automatically bring it back into line when drift occurs. Think of them as a vigilant security guard that never sleeps.
Pairing reconciliation loops with a CNAPP like Wiz makes them even smarter. Our platform surfaces risk-based drift, not just config drift, so your teams know what to fix first and why it matters.
The benefits and challenges of GitOps
Below are some key advantages and disadvantages of GitOps:
| Benefits | Challenges |
|---|---|
| Ensures consistent, drift-free deployments | Requires strong Kubernetes expertise |
| Enables fast, Git-based rollback | Adds complexity to Git workflows (branches, merges, permissions) |
| Creates a clear, auditable change history | Presents a steep learning curve for teams new to Git or declarative IaC |
| Improves collaboration through familiar Git flows | Has limited support for hybrid or non-Kubernetes environments |
| Supports automated recovery via reconciliation | Lacks built-in visibility into risk without tools like Wiz |
In SecOps, applying GitOps principles is particularly challenging. The CTO of container security at Wiz, Ofir Cohen, expressed this reality and how to approach it in a viral Reddit Ask Me Anything on r/cybersecurity. He said that “it's not just about the decision tree automation and stopping the bleeding; it's also about [the ability to ask] interactive questions during triage and investigation.”
Fragmentation, human-in-the-loop decision-making, and tool trust gaps in particular often make security workflows harder to automate than infrastructure workflows. That’s why a unified approach to cloud-native security, like a CNAPP, creates a holistic and more effective way to develop safe and efficient code.
Real-world example: Why you need proactive GitOps practices
In March 2025, Wiz Research uncovered a supply chain attack that directly impacted GitOps workflows. During this event, attackers compromised the reviewdog/action-setup@v1 GitHub Action and injected base64-encoded code into CI pipelines. This malicious payload exposed secrets stored in CI runner memory, shattering the trust that GitOps places in version-controlled, automated deployments.
The incident likely led to the compromise of tj-actions/changed-files, another common GitHub Action in GitOps pipelines. By modifying action tags and reverting them quickly, the attackers bypassed typical audit trails and briefly aligned Git with an unsafe, drifted state.
This attack highlights a critical GitOps risk: treating Git as the single source of truth only works if the artifacts that Git references are themselves secure.
🛠️ Action step: To protect your GitOps pipeline, pin dependencies to commit hashes, enforce policy-as-code at every step, and use runtime context to detect risky changes before they break alignment.
GitOps tools
The following tools each play a unique role in helping teams manage infrastructure and deployments through Git-centric workflows:
1. Git
Git is the foundation of GitOps. It stores the declarative configuration files that define your infrastructure and serves as the single source of truth.
Strengths:
Has wide developer trust
Tracks changes and supports collaboration
Provides a complete audit history
What to keep in mind: The tool doesn’t automate anything on its own and requires pairing with tools like Argo CD or Flux to sync infrastructure.
2. Flux
Flux watches your Git repos and automatically applies changes to your Kubernetes clusters.
Strengths:
Offers a modular, lightweight architecture
Handles multi-team and multi-tenant setups well
Integrates tightly with Git workflows
What to keep in mind: The solution requires Kubernetes expertise to set up and run, and it relies heavily on CLI and YAML with limited UI support.
3. Argo CD
Argo CD syncs what’s in Git with what’s running in your Kubernetes clusters, providing a visual way to manage the process.
Strengths:
Provides a user-friendly UI and clear observability
Manages multiple applications across environments with ease
Makes GitOps more accessible to teams
What to keep in mind: The tool works only with Kubernetes and can become resource-heavy in large deployments.
4. Kubernetes
Kubernetes runs the infrastructure that GitOps tools manage and executes the configurations stored in Git.
Strengths:
Natively supports declarative infrastructure
Works seamlessly with GitOps tools like Argo CD and Flux
What to keep in mind: The tool has a steep learning curve and requires skilled operators to manage its complexity.
5. Open Policy Agent
Open Policy Agent (OPA) helps teams catch misconfigurations early in the GitOps pipeline before they apply changes to production. It works well alongside tools like Argo CD or Flux by blocking risky deployments based on custom or pre-built policies.
Strengths:
Enforces real-time guardrails across the Kubernetes workload
Integrates smoothly with GitOps CI/CD pipelines
Supports custom policies in Rego
What to keep in mind: The platform, which requires familiarity with policy-as-code and the Rego syntax, focuses only on enforcement and doesn’t provide visibility or risk prioritization.
Key security features in GitOps workflows
When you combine GitOps with security best practices, you get speed, safety, consistency, and trust. These advantages are essential when your business depends on the cloud.
For example, here’s what advanced security features in your Git workflows look like with Wiz:
Policy-as-code guardrails
Policy-as-code lets you define the rules once and enforce them everywhere. It automatically checks all configurations, from infrastructure settings to security source controls, as part of your pipeline.
Wiz integrates directly with these workflows to provide real-time, context-aware feedback. That means fewer surprises, tighter guardrails, and better collaboration between teams without creating friction.
Audit-ready commit validation
Every change in Git is a decision. Commit validation turns those decisions into checkpoints so nothing risky moves forward without scrutiny.
With Wiz, you get automatic risk detection at commit time, mapped to compliance standards and real-world impact. Whether you're proving controls to a regulator or ensuring critical changes don’t introduce new risks, this gives you the comprehensive audit trail and assurance you need to sleep at night.
Real-time policy enforcement
Security shouldn’t be something you check after deployment—it has to be part of the process. And that’s precisely what real-time enforcement does.
Wiz helps by continuously monitoring your environment, comparing it to your Git source of truth, and flagging anything that’s out of bounds. If there’s a critical risk, Wiz will alert you or even auto-remediate the issue. That way, you can keep your cloud clean and compliant without manual effort.
Where do DevOps and GitOps overlap?
Despite their differences, GitOps and DevOps share several common goals and practices. For instance, they both accelerate delivery by shortening the software development lifecycle and enabling faster releases. And by emphasizing improved collaboration, both approaches foster cooperation between development and operations teams.
GitOps and DevOps share the key objective of enhancing automation, leveraging it to reduce manual tasks, minimize errors, and boost efficiency.
Both GitOps and DevOps incorporate the following practices as well:
Infrastructure as code (IaC): Uses IaC to manage and provision infrastructure through code
CI/CD pipelines: Employs CI/CD pipelines to automate key processes of the software development lifecycle, like code building and deployment
Automated testing: Leverages automated testing to ensure the quality and reliability of code changes
DevOps and GitOps: Where do they differ?
While GitOps and DevOps share similarities, they feature critical differences in their processes, workflows, tooling, and use cases. Here are ways the two differ:
Process and workflow differences
DevOps covers the full software development lifecycle and emphasizes collaboration, automation, and CI/CD across teams.
GitOps narrows the focus to deployment, using Git as the source of truth and automating delivery through Git-based workflows.
Tooling and implementation
DevOps teams use a broad mix of tools, including Jenkins, Docker, Kubernetes, Ansible, and Terraform, to build, test, and deploy.
GitOps teams rely on Git and Kubernetes (as the dominant environment) and leverage tools like Flux and Argo CD to automate deployment and manage infrastructure state.
Use cases and scenarios
DevOps works well for a wide range of environments, from on-premise setups to hybrid and cloud-native applications.
GitOps fits best into Kubernetes-based, cloud-native environments that benefit from declarative infrastructure and automation.
Here’s a quick reference guide that summarizes the similarities and differences between DevOps and GitOps:
| Aspect | DevOps | GitOps |
|---|---|---|
| Primary focus | Development and operations integration | Git-based infrastructure management |
| Tooling | CI/CD tools and IaC | Git and Kubernetes |
| Automation | CI/CD pipelines | Git workflows and controller-based reconciliation (e.g., Argo CD, Flux) |
| Implementation | Broad and adaptable to various environments | Specific to Kubernetes and Git |
| Rollback capabilities | Tool-dependent | Git history–based |
| Use cases | Wide applicability | Best for cloud-native apps that run on Kubernetes |
How do you choose between DevOps and GitOps?
Choosing between DevOps and GitOps isn’t about picking one over the other. Instead, it’s about matching the right approach to where your organization is today and where it’s going.
Here’s how you can use the models for key use cases:
Team maturity and skills: If your team already has strong Git and Kubernetes experience, GitOps can enhance what you’re already doing by introducing automation and consistency. But if your organization is earlier in its cloud journey or works with a broader set of environments, DevOps may offer the flexibility you need to ramp up maturity.
Tooling and workflows: GitOps will fit naturally into your workflow if you're already using Git as your source of truth and have CI/CD pipelines in place. However, DevOps can be a better starting point if your teams are still standardizing workflows or managing a mix of legacy and modern infrastructure.
Compliance and auditability: GitOps simplifies demonstrating control and traceability because Git acts as the single source of truth, versioning and tracking every declarative change. DevOps also supports compliance through structured pipelines, policy-as-code, and change tracking, but achieving full traceability often requires integrating with multiple tools. When you combine either approach with Wiz, you enforce compliance-readiness with automated risk mapping and audit trails.
Team size and scale: Smaller teams rely on GitOps for automation and self-healing because it cuts down manual work and prevents configuration drift. As teams scale, larger organizations often adopt a hybrid model. By integrating GitOps into existing DevOps workflows, they drive consistency and control across distributed environments.
Ultimately, you don’t have to choose one or the other. Many organizations successfully start with DevOps practices and then adopt GitOps incrementally. For example, tools like Argo CD make it easy to evolve your deployment model, while Wiz helps you secure every stage, from commit to runtime. That way, your cloud operations stay fast, secure, and compliant.
This hybrid approach allows organizations to achieve the following:
Leverage the cultural and collaborative benefits of DevOps.
Implement the specific, Git-centric deployment and infrastructure management practices of GitOps.
Tailor the approach to different teams or projects within the organization, based on their specific needs and technological contexts.
The choice between DevOps and GitOps (or a combination of both) requires consideration of your organization's specific goals, existing practices, technology stack, and the nature of your projects. By carefully considering these factors, you can select the approach that best supports your continuous delivery objectives, driving secure software development success.
Moving forward with GitOps
DevOps and GitOps work best together. DevOps drives collaboration, automation, and faster delivery, and GitOps builds on that foundation by using Git to manage infrastructure with consistency, traceability, and control.
Each model brings its own distinct strengths. DevOps, for example, supports flexibility across environments. GitOps streamlines deployment in Kubernetes-native, cloud-first systems. Together, they help teams scale fast and stay secure.
Wiz secures both models by providing teams with full visibility from commit to runtime, automatically enforcing policies, and flagging risks before they reach production. Whether you’re building a DevOps pipeline, adopting GitOps, or running both, Wiz helps you move fast without compromising security, quality, and production.
Ready to get started? Schedule a demo today to see how Wiz can strengthen security across your pipeline.
Security Built for Devs and DevOps
Learn why Wiz is one of the few cloud security platforms loved by both security and DevOps teams.
