diff --git a/.github/workflows/devsecops.yml b/.github/workflows/devsecops.yml
new file mode 100644
index 0000000000..bd189cf299
--- /dev/null
+++ b/.github/workflows/devsecops.yml
@@ -0,0 +1,87 @@
+name: DevSecOps CI Pipeline
+
+on:
+  push:
+    branches: [ "main", "master", "feature/security-pipeline" ]
+
+permissions:
+  security-events: write
+  actions: read
+  contents: read
+
+jobs:
+  # ----------------------------------------------------
+  # JOB 1: Análisis de la Aplicación (SAST + SCA)
+  # ----------------------------------------------------
+  application-scans:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout del código
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Escaneo de Secretos con Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
+      - name: Inicializar CodeQL (SAST)
+        uses: github/codeql-action/init@v3
+        with:
+          languages: 'javascript'
+
+      - name: Auto-compilación de CodeQL
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Ejecutar Análisis de CodeQL
+        uses: github/codeql-action/analyze@v3
+        continue-on-error: true
+
+      - name: Configurar Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+
+      - name: Instalar dependencias del proyecto
+        run: npm install
+
+      - name: Escaneo de dependencias con Snyk (SCA)
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+        continue-on-error: true
+
+  # ----------------------------------------------------
+  # JOB 2: Análisis de Infraestructura (Contenedores)
+  # ----------------------------------------------------
+  infrastructure-scans:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout del código
+        uses: actions/checkout@v4
+
+      - name: Configurar Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Construir Imagen Docker Local para pruebas
+        run: |
+          docker build -t nodegoat:local .
+
+      - name: Escaneo de Seguridad del Contenedor con Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'nodegoat:local'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Subir resultados de Trivy a GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy'
\ No newline at end of file
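Review bot: Two third-party actions in this hunk are pulled from a mutable branch, `uses: snyk/actions/node@master` and `uses: aquasecurity/trivy-action@master`, so whatever that branch points to next runs inside a job that holds SNYK_TOKEN and GITHUB_TOKEN; pin each to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<pinned-commit-sha>  # <release-tag>` (the same treatment is advisable for the `@v2`/`@v3`/`@v4` tags, which are also movable). Separately, `continue-on-error: true` on the Gitleaks, CodeQL analyze and Snyk steps, together with the Trivy step not setting an `exit-code` input (which, as far as I know, defaults to not failing the step), means no scan in this workflow can block a push; if that is intentional, a comment above each job stating that the scans are report-only would keep the pipeline from being read as a gate, otherwise drop the flag at least on the secrets scan. Also, `run: npm install` in the application job does not enforce the lockfile, so the Snyk result two steps later may describe a dependency set that differs from what is committed; `run: npm ci` installs exactly the locked versions.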