[LOG_ID] #CMP3QWDR//[TIMESTAMP] 2024.02.20 00:00:00//[AUTHOR] BULINDEV ADMIN
Automating Security Scans in CI/CD Pipelines
Learn how to integrate SAST, DAST, and dependency scanning into your CI/CD workflows for continuous security validation.
WHY SECURITY IN CI/CD?
Shift-left security means catching vulnerabilities early in the development lifecycle, where they are cheapest to fix, which reduces both remediation cost and risk.
TOOLS AND INTEGRATION
1. SAST (STATIC APPLICATION SECURITY TESTING)
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
```
2. DEPENDENCY SCANNING
```yaml
- name: Run Snyk
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
3. CONTAINER SCANNING
```bash
# Scan Docker images, reporting only HIGH and CRITICAL findings
trivy image myapp:latest --severity HIGH,CRITICAL
```
4. DAST (DYNAMIC APPLICATION SECURITY TESTING)
```yaml
- name: OWASP ZAP Scan
  uses: zaproxy/action-baseline@v0.7.0
  with:
    target: 'https://staging.example.com'
```
BEST PRACTICES
- Fail Fast: Break builds on critical vulnerabilities
- Gradual Rollout: Start with warnings, then enforce
- False Positive Management: Maintain suppression lists
- Regular Updates: Keep scanning tools updated
EXAMPLE PIPELINE
```yaml
stages:
  - lint
  - test
  - security
  - build
  - deploy

security:
  stage: security
  # assumes a runner image that provides npm, semgrep and trivy
  script:
    - npm audit --audit-level=high
    # --error makes semgrep exit 1 on findings; by default it exits 0
    - semgrep --config=auto --error
    # trivy also exits 0 by default; --exit-code 1 fails the job on HIGH/CRITICAL findings
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .
  allow_failure: false
```
METRICS AND REPORTING
Track security metrics:
- Vulnerabilities found per build
- Time to remediation
- False positive rate
- Coverage percentage
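As an added example that is not part of the original post, the following Python gate ties the best practices above to the metrics listed here: it fails fast on a severity threshold, supports a warn-only mode for gradual rollout, applies a suppression list for reviewed false positives, and returns the per-build counts a dashboard would ingest. The report shape assumes Trivy's JSON layout (Results containing Vulnerabilities with VulnerabilityID, PkgName and Severity keys); the sample report, its CVE identifiers and the suppression reason are constructed placeholders.

```python
"""Severity gate for scanner JSON: fail fast, warn-only rollout, suppressions, metrics."""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report in the shape of Trivy's JSON output (assumed keys:
# Results -> Vulnerabilities -> VulnerabilityID/PkgName/Severity). IDs are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "myapp:latest",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libexample", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "othertool", "Severity": "LOW"},
    ]}]})

# Suppression list (constructed): finding id -> documented reason, reviewed and version-controlled.
SUPPRESSIONS = {"CVE-0000-00002": "false positive: vulnerable code path is not reachable"}


@dataclass
class GateResult:
    total: int       # vulnerabilities found in this build
    suppressed: int  # matched the suppression list
    blocking: int    # at/above threshold and not suppressed
    exit_code: int   # 1 fails the job; 0 passes (always 0 in warn-only mode)

    @property
    def false_positive_rate(self) -> float:
        return self.suppressed / self.total if self.total else 0.0


def evaluate(report_json, threshold="HIGH", enforce=True, suppressions=None) -> GateResult:
    """Apply suppressions, then block on findings at or above `threshold`."""
    suppressions = suppressions or {}
    findings = [v for r in json.loads(report_json)["Results"]
                for v in r.get("Vulnerabilities", [])]
    suppressed = [f for f in findings if f["VulnerabilityID"] in suppressions]
    blocking = [f for f in findings if f["VulnerabilityID"] not in suppressions
                and SEVERITY_RANK.get(f["Severity"], 0) >= SEVERITY_RANK[threshold]]
    for f in blocking:  # surfaced in the job log whether or not the build is failed
        print(f"[{f['Severity']}] {f['VulnerabilityID']} in {f['PkgName']}")
    return GateResult(len(findings), len(suppressed), len(blocking),
                      1 if (blocking and enforce) else 0)


if __name__ == "__main__":
    # Gradual rollout: run with enforce=False first (warnings only), then switch to True.
    result = evaluate(SAMPLE_REPORT, threshold="HIGH", enforce=True, suppressions=SUPPRESSIONS)
    print(f"found={result.total} suppressed={result.suppressed} blocking={result.blocking}")
    raise SystemExit(result.exit_code)
```

In a CI job the report would come from `trivy image --format json`, and the counts feed the vulnerabilities-per-build and false-positive-rate metrics above.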
CONCLUSION
Automated security scanning is essential for modern DevOps. Integrate multiple tools, tune for your environment, and continuously improve.