Catch vulnerabilities early by integrating security scanning into your CI workflow.
Code Snippet

```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *' # Daily scan, so new advisories are caught even without commits
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        # @master is a moving branch; pin to a release tag or commit SHA in production
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'          # scan the checked-out filesystem (lockfiles, manifests)
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'           # fail the job when findings at these severities exist
      - name: Run SAST with Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/default        # Semgrep's default ruleset
```
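The snippet above references one action by a moving branch (`@master`) and two by version tags, which means the code that runs in the pipeline can change underneath you. The following checker is an added example, not part of the original post: it reads a workflow file (a constructed copy of the snippet is embedded so it runs offline) and reports every `uses:` reference that is not pinned to a full commit SHA. The function names and the classification labels are this example's own.

```python
import re
import sys

# Constructed copy of the workflow shown above, used as the default input.
WORKFLOW = """\
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *'
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          exit-code: '1'
      - name: Run SAST with Semgrep
        uses: returntocorp/semgrep-action@v1
"""

# Matches "uses: owner/repo@ref" whether or not the line starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA: immutable
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")  # v4, 1.2.3: a tag maintainers can move


def find_action_refs(workflow_text):
    """Return every `uses:` value in the workflow, e.g. 'actions/checkout@v4'."""
    return USES_RE.findall(workflow_text)


def classify_ref(uses_value):
    """Classify how an action reference is pinned (labels are this example's own)."""
    if uses_value.startswith("docker://"):
        return "docker image"
    if "@" not in uses_value:
        return "unpinned"            # local action (./path) or no ref at all
    ref = uses_value.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "version tag"
    return "branch"                  # main, master, or any other moving name


def mutable_refs(workflow_text):
    """All references that could resolve to different code on a later run."""
    return [(u, classify_ref(u)) for u in find_action_refs(workflow_text)
            if classify_ref(u) != "sha"]


def branch_refs(workflow_text):
    """Only the references that follow a branch, the weakest form of pinning."""
    return [(u, k) for u, k in mutable_refs(workflow_text) if k == "branch"]


if __name__ == "__main__":
    # Usage: python check_pins.py [.github/workflows/security.yml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WORKFLOW
    for uses_value, kind in mutable_refs(text):
        print(f"{kind:12} {uses_value}")
    sys.exit(1 if branch_refs(text) else 0)
```

Run against the page's workflow it exits non-zero because of `aquasecurity/trivy-action@master`; version tags are reported but tolerated, since most teams accept tags and let Dependabot or Renovate bump them. A 40-character SHA is the only form that cannot be retargeted.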
Why This Helps
- Catches vulnerabilities before production
- Automated compliance checking
- Shift-left security approach
How to Test
- Introduce a known vulnerable dependency
- Verify that the pipeline fails as expected
When to Use
Every project. Essential for healthcare, financial services, and regulated industries.
Performance/Security Notes
Start with HIGH and CRITICAL severities only to avoid alert fatigue, then gradually widen coverage.
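The ratchet described above (block on HIGH/CRITICAL first, widen later) and the "How to Test" check both come down to one question: given a scanner report, which findings should fail the build? The gate below is an added example, not code from the post or from Trivy. It assumes the report was written with `trivy fs --format json --output trivy.json .` and uses Trivy's JSON layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`); the embedded report is constructed and its vulnerability IDs are placeholders, not real advisories.

```python
import json
import sys

# Trivy severity labels, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy fs --format json` output.
# IDs are placeholders; a Result with no findings omits "Vulnerabilities".
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "requirements.txt",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplelib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "thirdlib",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        },
        {"Target": "Dockerfile", "Type": "dockerfile"},
    ],
}


def blocking_findings(report, threshold="HIGH", ignore_unfixed=False):
    """Findings at or above `threshold`; optionally drop those with no fix yet."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = []
    for result in report.get("Results", []):
        # Trivy may omit the key or emit null when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < min_rank:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append((vuln["VulnerabilityID"], severity,
                             result.get("Target", ""), vuln.get("PkgName", "")))
    return blocking


def gate_exit_code(report, threshold="HIGH", ignore_unfixed=False):
    """1 fails the CI job, 0 lets it pass; same contract as Trivy's exit-code input."""
    return 1 if blocking_findings(report, threshold, ignore_unfixed) else 0


def main(argv):
    # Usage: python gate.py [trivy.json] [THRESHOLD] [--ignore-unfixed]
    args = [a for a in argv[1:] if not a.startswith("--")]
    ignore_unfixed = "--ignore-unfixed" in argv
    report = json.load(open(args[0])) if args else SAMPLE_REPORT
    threshold = args[1] if len(args) > 1 else "HIGH"
    for vuln_id, severity, target, pkg in blocking_findings(report, threshold, ignore_unfixed):
        print(f"{severity:9} {vuln_id:16} {pkg} ({target})")
    return gate_exit_code(report, threshold, ignore_unfixed)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wiring this in as a step after the scanner gives one place to change the threshold: start at HIGH, add `--ignore-unfixed` if unfixable findings are drowning the team, and lower to MEDIUM once the backlog is clear. For the "How to Test" step, a branch that adds a known vulnerable dependency should make `gate_exit_code` return 1 and the job fail; a clean branch should return 0.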
Try this tip in your next project and share your results in the comments!