Tips and Tricks #208: Automate Security Scanning in CI Pipeline

Catch vulnerabilities early by integrating security scanning into your CI workflow.

Code Snippet

# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *'  # Daily scan, so newly published advisories are caught even with no new commits

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Dependency vulnerability scan of the checked-out tree (lockfiles, manifests)
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master  # a moving branch; prefer pinning to a release tag or commit SHA
        with:
          scan-type: 'fs'            # filesystem scan, not a container image
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'  # only these severities are reported...
          exit-code: '1'             # ...and any match fails the job

      # Static analysis of the source code itself
      - name: Run SAST with Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/default  # general-purpose Semgrep Registry ruleset

Why This Helps

  • Catches vulnerabilities before production
  • Automated compliance checking
  • Shift-left security approach

How to Test

  • Introduce a known vulnerable dependency (or a deliberately insecure code pattern)
  • Verify that the pipeline fails with a clear finding, then confirm it passes again once the issue is fixed

When to Use

Every project. Essential for healthcare, financial services, and regulated industries.

Performance/Security Notes

Start by failing the build on CRITICAL and HIGH findings only, to avoid alert fatigue; widen coverage gradually once the team is keeping up with the findings.
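The workflow above gates on Trivy's own severity filter and exit code. As an added example (not code from the original post), the script below implements the same gate as a standalone step over Trivy's JSON output (`trivy fs --format json`), using the Results/Vulnerabilities layout of that format: it counts findings at every severity so lower ones stay visible in the log, but fails only at or above a configurable threshold, which is the "start with high/critical, widen later" policy from the note above. The sample report is constructed, with placeholder vulnerability IDs rather than real CVEs.

```python
"""Severity gate over a Trivy JSON report (added example, not from the post)."""
import json
import sys
from collections import Counter

# Trivy's severity ladder, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in Trivy's Results -> Vulnerabilities layout; IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "InstalledVersion": "4.17.0", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "InstalledVersion": "0.0.8", "FixedVersion": "1.2.6", "Severity": "MEDIUM"},
        ]},
        {"Target": "Dockerfile", "Vulnerabilities": None},  # Trivy emits null when a target is clean
    ]
})


def count_by_severity(report_json, ignore_unfixed=False):
    """Count findings per severity; optionally skip ones with no fixed version yet."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be null or absent
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (should_fail, counts): fail only if findings exist at or above threshold."""
    counts = count_by_severity(report_json, ignore_unfixed)
    floor = SEVERITY_ORDER.index(threshold.upper())
    blocking = sum(counts[s] for s in SEVERITY_ORDER[floor:])
    return blocking > 0, dict(counts)


if __name__ == "__main__":
    # Usage: python gate.py trivy.json [THRESHOLD]; with no args it runs on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    fail, counts = gate(data, threshold=sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print("findings by severity:", counts)
    sys.exit(1 if fail else 0)
```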

Try this tip in your next project and share your results in the comments!