4. Tooling & automation

  • Automation is key to keeping developers productive and motivated: humans are inefficient at repetitive tasks, whereas computers excel at them.
  • Everything that can be automated with a positive ROI in a reasonable time shall be automated.
  • Automated code reviews and SAST (Static Application Security Testing) are easy to integrate into CI/CD pipelines. Popular open-source tools include Bandit and SonarQube, and many commercial tools are also available.
  • Dependency checking is also fundamental, considering that most projects involve a considerable amount of external code. Popular open-source tools include OWASP Dependency-Check and Trivy.
  • DAST (Dynamic Application Security Testing) is more difficult to integrate into CI/CD pipelines. However, it can be relatively easy to integrate nmap, Nikto or OpenVAS (or a similar commercial product) at the integration phase, to provide a safety net in case of error.
  • The detection of secrets in code repositories is particularly worth automating. As is often the case, there are a number of open-source tools (e.g. TruffleHog) and commercial ones (e.g. GitGuardian) for this. It is also worth noting that GitHub includes a "secret scanning" feature and GitLab a "secret detection" feature that provide this sort of control.
  • Many compliance checks can also be automated. For example, mitigations identified during risk assessment can be traced through dedicated stories to confirm they are actually integrated; it is then possible to automatically determine whether each mitigation has been applied.
  • Reporting shall be fully automated. See section 6 for more details on reporting.
  • Apache Airflow is a great tool to manage the automation workflows.
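The secret-detection control from the list above, as an added example that is not code from the original page nor from TruffleHog, GitGuardian, GitHub or GitLab: a minimal Python CI gate that combines fixed-prefix credential patterns with a Shannon-entropy check on secret-looking assignments, run over constructed sample files. The regexes, the 4.0-bit threshold and the sample values are assumptions chosen for illustration.

```python
import math
import re
# Rule 1: credential formats with a recognisable fixed prefix (illustrative patterns).
PATTERN_RULES = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Rule 2: a secret-looking name assigned a long token; flagged only when the token's
# Shannon entropy is high, so placeholders and environment lookups pass.
ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|api[_-]?key)\w*\s*[=:]\s*["']?([A-Za-z0-9+/=_\-]{20,})"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off, tune per code base

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    freqs = [s.count(ch) / n for ch in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, rule_name) for every line that trips a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERN_RULES.items():
            if rx.search(line):
                findings.append((path, line_no, name))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_no, "high-entropy credential assignment"))
    return findings

def ci_gate(files: dict[str, str]) -> tuple[int, list[tuple[str, int, str]]]:
    """Scan every file; exit code 1 (fail the pipeline stage) if anything is found."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if findings else 0), findings

# Constructed sample repository content: the AWS value is the publicly documented
# example key and the api_key value is random-looking filler; neither is a real secret.
SAMPLE_FILES = {
    "config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nTIMEOUT = 30\n',
    "settings.py": 'api_key = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"\n'
                   'SECRET_KEY = os.environ["SECRET_KEY"]\n',
}

if __name__ == "__main__":
    exit_code, found = ci_gate(SAMPLE_FILES)
    print(*(f"{p}:{n}: {r}" for p, n, r in found), sep="\n")
    raise SystemExit(exit_code)
```

Wired into a pipeline stage, the non-zero exit code blocks the merge; the entropy rule is what keeps `SECRET_KEY = os.environ[...]` from being reported.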