Dast on Adurhttps://adurrr.github.io/en/tags/dast/Recent content in Dast on AdurHugo -- gohugo.ioenSun, 12 May 2024 00:00:00 +0000SAST/DAST integration in CI/CD pipelineshttps://adurrr.github.io/en/p/sast/dast-integration-in-ci/cd-pipelines/Sun, 12 May 2024 00:00:00 +0000https://adurrr.github.io/en/p/sast/dast-integration-in-ci/cd-pipelines/<h2 id="sast-vs-dast-understanding-the-difference">SAST vs DAST: Understanding the Difference </h2><p>Application security testing has two fundamental approaches, and knowing when to use each matters for your security posture.</p> <p><strong>SAST (Static Application Security Testing)</strong> reads source code, bytecode, or binaries without running the app. It looks for patterns that match known vulnerabilities (SQL injection, XSS, hardcoded credentials, insecure deserialization). Think of it like a security linter that flags dangerous patterns.</p> <p><strong>DAST (Dynamic Application Security Testing)</strong> tests a <em>running application</em> by sending crafted requests and analyzing responses. It simulates what an attacker would do: probe endpoints, test authentication, look for misconfigurations. DAST sees the app from outside, like a real attacker would.</p> <table> <thead> <tr> <th>Aspect</th> <th>SAST</th> <th>DAST</th> </tr> </thead> <tbody> <tr> <td>When it runs</td> <td>Build time, on source code</td> <td>Runtime, against deployed app</td> </tr> <tr> <td>What it finds</td> <td>Code flaws, hardcoded secrets, insecure patterns</td> <td>Runtime vulnerabilities, misconfigurations, auth issues</td> </tr> <tr> <td>False positive rate</td> <td>Higher (no runtime context)</td> <td>Lower (tests real behavior)</td> </tr> <tr> <td>Language dependency</td> <td>Yes (needs language-specific rules)</td> <td>No (tests HTTP/API layer)</td> </tr> <tr> <td>Coverage</td> <td>All code paths (including dead code)</td> <td>Only reachable endpoints</td> </tr> <tr> <td>Speed</td> <td>Fast (seconds to minutes)</td> <td>Slower (minutes to hours)</td> </tr> <tr> <td>Best stage</td> <td>Every commit/PR</td> <td>Staging or pre-production</td> </tr> </tbody> </table> <p>Short answer: <strong>use both</strong>. SAST catches problems early and cheap. DAST catches problems that only show up at runtime. They complement each other.</p> <h2 id="tool-comparison">Tool comparison </h2><h3 id="sast-tools">SAST tools </h3><table> <thead> <tr> <th>Tool</th> <th>Languages</th> <th>Strengths</th> <th>License</th> </tr> </thead> <tbody> <tr> <td><strong>Semgrep</strong></td> <td>30+ languages</td> <td>Fast, custom rules, great CI integration</td> <td>OSS + Commercial</td> </tr> <tr> <td><strong>SonarQube</strong></td> <td>25+ languages</td> <td>Broad ecosystem, quality gates, dashboard</td> <td>Community + Commercial</td> </tr> <tr> <td><strong>Bandit</strong></td> <td>Python only</td> <td>Python-specific, lightweight, easy setup</td> <td>OSS (Apache 2.0)</td> </tr> <tr> <td><strong>CodeQL</strong></td> <td>10+ languages</td> <td>Deep semantic analysis, GitHub native</td> <td>Free for OSS</td> </tr> </tbody> </table> <h3 id="dast-tools">DAST tools </h3><table> <thead> <tr> <th>Tool</th> <th>Type</th> <th>Strengths</th> <th>License</th> </tr> </thead> <tbody> <tr> <td><strong>OWASP ZAP</strong></td> <td>Proxy-based scanner</td> <td>Full-featured, scriptable, community rules</td> <td>OSS (Apache 2.0)</td> </tr> <tr> <td><strong>Burp Suite</strong></td> <td>Proxy-based scanner</td> <td>Best-in-class manual + automated testing</td> <td>Commercial</td> </tr> <tr> <td><strong>Nuclei</strong></td> <td>Template-based scanner</td> <td>Fast, huge template library, CI-friendly</td> <td>OSS (MIT)</td> </tr> </tbody> </table> <p>For most teams, <strong>Semgrep + OWASP ZAP</strong> provides an excellent open-source foundation that covers both SAST and DAST without licensing costs.</p> <h2 id="gitlab-ci-pipeline-integration">GitLab CI pipeline integration </h2><p>Here is a complete <code>.gitlab-ci.yml</code> example that integrates both SAST and DAST into a pipeline with proper gating:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">dast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEMGREP_RULES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;p/owasp-top-ten p/security-audit&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ZAP_TARGET_URL</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://staging.example.com&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- SAST Stage ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">semgrep-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">semgrep/semgrep:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> # Fail pipeline if high/critical findings exceed threshold </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_COUNT=$(cat semgrep-results.json | jq &#39;[.results[] | select(.extra.severity == &#34;ERROR&#34;)] | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;High severity findings: $HIGH_COUNT&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_COUNT&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Pipeline blocked: $HIGH_COUNT high severity findings&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">bandit-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">sast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">python:3.11-slim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">pip install bandit</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">bandit -r src/ -f json -o bandit-results.json --severity-level medium || true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_COUNT=$(cat bandit-results.json | jq &#39;.results | map(select(.issue_severity == &#34;HIGH&#34;)) | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Bandit high severity findings: $HIGH_COUNT&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_COUNT&#34; -gt 3 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">bandit-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">only</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">merge_requests</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">main</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- Deploy Staging ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">deploy-staging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">echo &#34;Deploying to staging...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./deploy.sh staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l">https://staging.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- DAST Stage ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">owasp-zap-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">dast</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io/zaproxy/zaproxy:stable</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">mkdir -p /zap/wrk</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> zap-full-scan.py \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -t &#34;$ZAP_TARGET_URL&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -r zap-report.html \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -J zap-results.json \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -l WARN \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -d</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> # Parse results and enforce policy </span></span></span><span class="line"><span class="cl"><span class="sd"> HIGH_ALERTS=$(cat zap-results.json | jq &#39;[.site[].alerts[] | select(.riskcode == &#34;3&#34;)] | length&#39;) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;High risk alerts: $HIGH_ALERTS&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$HIGH_ALERTS&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Pipeline blocked: $HIGH_ALERTS high risk vulnerabilities found&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">zap-report.html</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">zap-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependencies</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy-staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># --- Deploy Production ---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">deploy-production</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">deploy-production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">echo &#34;Deploying to production...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">./deploy.sh production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">manual</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">only</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">main</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The key design decisions in this pipeline:</p> <ul> <li><strong>SAST runs on every merge request</strong>, catching issues before code merges</li> <li><strong>DAST runs against staging</strong>, testing the deployed application</li> <li><strong>Thresholds are configurable</strong>: zero tolerance for high/critical SAST findings, but some flexibility for lower severities</li> <li><strong>Reports are always saved as artifacts</strong>, even when the pipeline passes</li> <li><strong>Production deploy is manual</strong>, gated behind both SAST and DAST stages</li> </ul> <h2 id="handling-false-positives">Handling False Positives </h2><p>False positives are the number one reason teams abandon security scanning. Handle them systematically:</p> <h3 id="for-semgrep">For Semgrep </h3><p>Create a <code>.semgrepignore</code> file or use inline annotations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># nosemgrep: python.lang.security.audit.hardcoded-password</span> </span></span><span class="line"><span class="cl"><span class="n">DEFAULT_TEST_PASSWORD</span> <span class="o">=</span> <span class="s2">&#34;test123&#34;</span> <span class="c1"># Only used in test fixtures</span> </span></span></code></pre></td></tr></table> </div> </div><p>For persistent false positives, create a <code>semgrep-exclusions.yml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">ignore-test-passwords</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span><span class="l">$X = &#34;...&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exclude</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">tests/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">fixtures/</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="for-owasp-zap">For OWASP ZAP </h3><p>Use a context file to exclude known false positives:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-xml" data-lang="xml"><span class="line"><span class="cl"><span class="nt">&lt;alertFilter&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;ruleId&gt;</span>10038<span class="nt">&lt;/ruleId&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;url&gt;</span>https://staging.example.com/api/health<span class="nt">&lt;/url&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;urlIsRegex&gt;</span>false<span class="nt">&lt;/urlIsRegex&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;enabled&gt;</span>true<span class="nt">&lt;/enabled&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nt">&lt;newRisk&gt;</span>-1<span class="nt">&lt;/newRisk&gt;</span> <span class="c">&lt;!-- -1 = False Positive --&gt;</span> </span></span><span class="line"><span class="cl"><span class="nt">&lt;/alertFilter&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>The golden rule: <strong>every suppression must include a justification comment</strong> explaining why it is safe to ignore. Review suppressions quarterly.</p> <h2 id="threshold-and-gate-policies">Threshold and Gate Policies </h2><p>Define clear policies per environment and severity:</p> <table> <thead> <tr> <th>Severity</th> <th>PR/MR Gate</th> <th>Main Branch Gate</th> <th>Pre-Production</th> </tr> </thead> <tbody> <tr> <td>Critical</td> <td>Block</td> <td>Block</td> <td>Block</td> </tr> <tr> <td>High</td> <td>Block</td> <td>Block</td> <td>Warn</td> </tr> <tr> <td>Medium</td> <td>Warn</td> <td>Warn</td> <td>Info</td> </tr> <tr> <td>Low</td> <td>Info</td> <td>Info</td> <td>Info</td> </tr> </tbody> </table> <p>Implement these as exit codes in your CI scripts. Start permissive and tighten over time &ndash; blocking on everything from day one will create frustration and workarounds.</p> <h2 id="reporting-and-dashboards">Reporting and Dashboards </h2><p>Aggregate results from both SAST and DAST into a centralized view:</p> <ul> <li><strong>DefectDojo</strong>: open-source vulnerability management platform that ingests reports from Semgrep, ZAP, Bandit, and dozens of other tools</li> <li><strong>GitLab Security Dashboard</strong>: native integration if you are on GitLab Ultimate</li> <li><strong>Custom dashboards</strong>: push scan results to Elasticsearch and visualize in Grafana</li> </ul> <p>Track these metrics over time:</p> <ul> <li>Mean time to remediate (MTTR) per severity</li> <li>Total open vulnerabilities by age</li> <li>False positive rate (suppressions vs total findings)</li> <li>Scan coverage (percentage of repos with security scanning enabled)</li> </ul> <h2 id="iast-as-a-complement">IAST as a Complement </h2><p><strong>IAST (Interactive Application Security Testing)</strong> combines elements of both SAST and DAST by instrumenting the application at runtime. An agent runs inside the application during testing, correlating HTTP requests with code execution paths.</p> <p>IAST tools like Contrast Security and Datadog Application Security provide:</p> <ul> <li>Lower false positive rates than SAST</li> <li>Code-level context that DAST lacks</li> <li>Real-time feedback during QA testing</li> </ul> <p>Consider IAST as a third layer once SAST and DAST are mature in your pipeline.</p> <h2 id="practical-rollout-strategy">Practical Rollout Strategy </h2><p>Deploying security scanning organization-wide requires phases:</p> <h3 id="phase-1-visibility-weeks-1-4">Phase 1: Visibility (Weeks 1-4) </h3><ul> <li>Enable SAST in CI with <code>allow_failure: true</code> (don&rsquo;t block)</li> <li>Generate reports, keep as artifacts</li> <li>Find top vulnerability categories</li> <li>Establish baseline metrics</li> </ul> <h3 id="phase-2-selective-gating-weeks-5-8">Phase 2: Selective Gating (Weeks 5-8) </h3><ul> <li>Block only critical/high SAST findings</li> <li>Add DAST scans to staging for key apps</li> <li>Create suppression and triage workflows</li> <li>Train developers how to interpret and fix findings</li> </ul> <h3 id="phase-3-full-integration-weeks-9-12">Phase 3: Full Integration (Weeks 9-12) </h3><ul> <li>Enforce SAST gates everywhere</li> <li>Enforce DAST gates on all web apps</li> <li>Integrate with vulnerability management platform</li> <li>Auto-create tickets for findings</li> </ul> <h3 id="phase-4-continuous-improvement-ongoing">Phase 4: Continuous Improvement (Ongoing) </h3><ul> <li>Write custom Semgrep rules for your patterns</li> <li>Tune ZAP policies to reduce scan time</li> <li>Track MTTR, set improvement targets</li> <li>Quarterly reviews of false positives</li> </ul> <p>Biggest mistake: jumping straight to Phase 3. Start with visibility, build trust, tighten gradually. Scanning should help, not block.</p>CI/CD pipeline security: a shift-left approachhttps://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/Mon, 20 Jun 2022 00:00:00 +0000https://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/<h2 id="what-is-shift-left-security">What is shift-left security? </h2><p>Shift-left security means moving security practices earlier in the software development lifecycle. Rather than treating security as a final gate (or worse, an afterthought) before production, you embed security checks directly into your CI/CD pipelines. This catches vulnerabilities when they&rsquo;re cheapest to fix: at development time.</p> <p>The traditional &ldquo;build it, then audit it&rdquo; model doesn&rsquo;t scale. Modern applications ship dozens of times a day. If your security review is a manual quarterly process, you&rsquo;re deploying vulnerable code most of the time.</p> <h2 id="threat-vectors-in-cicd-pipelines">Threat vectors in CI/CD pipelines </h2><p>Before hardening your pipeline, understand what you&rsquo;re defending against. CI/CD systems are high-value targets because they have access to production credentials, source code, and build artifacts.</p> <p>Common threat vectors include:</p> <ul> <li><strong>Compromised dependencies</strong>: A malicious package in your dependency tree (supply chain attack).</li> <li><strong>Leaked secrets</strong>: API keys, tokens, or passwords committed to source code or exposed in build logs.</li> <li><strong>Code vulnerabilities</strong>: SQL injection, XSS, insecure deserialization, and other OWASP Top 10 issues introduced in your application code.</li> <li><strong>Insecure pipeline configuration</strong>: Overly permissive runner access, unprotected branch rules, or missing approval gates.</li> <li><strong>Container image vulnerabilities</strong>: Base images with known CVEs that end up in production.</li> <li><strong>Build artifact tampering</strong>: Unsigned or unverified artifacts that attackers can replace.</li> </ul> <h2 id="integrating-sast-into-your-pipeline">Integrating SAST into your pipeline </h2><p><strong>Static Application Security Testing (SAST)</strong> analyzes source code without executing it. It catches vulnerabilities early, before code even runs.</p> <h3 id="recommended-tools">Recommended tools </h3><ul> <li><strong>Semgrep</strong>: Fast, flexible, and supports custom rules. Works across many languages. My top recommendation for most teams.</li> <li><strong>Bandit</strong>: Python-specific. Excellent for Python projects because it understands Python-specific security patterns.</li> <li><strong>SonarQube</strong>: Broader scope (code quality and security combined). Heavier to set up but useful if you want a single dashboard.</li> </ul> <h3 id="running-semgrep-locally">Running Semgrep locally </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">pip install semgrep </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with default rulesets</span> </span></span><span class="line"><span class="cl">semgrep --config auto . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with OWASP Top 10 rules specifically</span> </span></span><span class="line"><span class="cl">semgrep --config <span class="s2">&#34;p/owasp-top-ten&#34;</span> . </span></span></code></pre></td></tr></table> </div> </div><h3 id="running-bandit-for-python-projects">Running Bandit for Python projects </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip install bandit </span></span><span class="line"><span class="cl">bandit -r ./src -f json -o bandit-report.json </span></span></code></pre></td></tr></table> </div> </div><p>The key is to run these tools on every pull request, not just on the main branch. Developers should see findings before code is merged.</p> <h2 id="integrating-dast-into-your-pipeline">Integrating DAST into your pipeline </h2><p><strong>Dynamic Application Security Testing (DAST)</strong> tests the running application from the outside, simulating an attacker. It catches issues that SAST misses (misconfigurations, authentication flaws, and runtime vulnerabilities).</p> <h3 id="owasp-zap">OWASP ZAP </h3><p>OWASP ZAP is the standard open-source DAST tool. You can run it in your pipeline against a staging deployment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Pull the ZAP Docker image</span> </span></span><span class="line"><span class="cl">docker pull ghcr.io/zaproxy/zaproxy:stable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run a baseline scan against a target URL</span> </span></span><span class="line"><span class="cl">docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py <span class="se">\ </span></span></span><span class="line"><span class="cl"> -t https://staging.example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> -r zap-report.html </span></span></code></pre></td></tr></table> </div> </div><p>DAST is typically slower than SAST. Run it after deployment to a staging environment rather than on every commit. A nightly or per-release cadence works well for most teams.</p> <h2 id="secret-scanning">Secret scanning </h2><p>Leaked secrets are one of the most common and damaging security failures. Once a secret makes it into Git history, consider it compromised, even if you remove it in a later commit.</p> <h3 id="tools">Tools </h3><ul> <li><strong>gitleaks</strong>: Scans Git repositories for secrets using regex and entropy-based detection.</li> <li><strong>trufflehog</strong>: Searches through Git history for high-entropy strings and known secret patterns.</li> </ul> <h3 id="running-gitleaks">Running gitleaks </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">brew install gitleaks <span class="c1"># or download binary from GitHub releases</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the current repo</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --report-path gitleaks-report.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan in CI (detect only new leaks in the PR)</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --log-opts<span class="o">=</span><span class="s2">&#34;origin/main..HEAD&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="pre-commit-hook">Pre-commit hook </h3><p>Block secrets before they even reach the remote:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># .pre-commit-config.yaml</span> </span></span><span class="line"><span class="cl">repos: </span></span><span class="line"><span class="cl"> - repo: https://github.com/gitleaks/gitleaks </span></span><span class="line"><span class="cl"> rev: v8.16.1 </span></span><span class="line"><span class="cl"> hooks: </span></span><span class="line"><span class="cl"> - id: gitleaks </span></span></code></pre></td></tr></table> </div> </div><h2 id="dependency-scanning">Dependency scanning </h2><p>Your application is only as secure as its weakest dependency. Supply chain attacks are increasing, so you need to scan your dependency tree regularly.</p> <h3 id="tools-1">Tools </h3><ul> <li><strong>Trivy</strong>: Scans container images, filesystems, and Git repos for vulnerabilities. Fast and comprehensive.</li> <li><strong>Snyk</strong>: Commercial option with a generous free tier. Good developer experience.</li> <li><strong>OWASP Dependency-Check</strong>: Mature, open-source, supports multiple ecosystems.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan a container image with Trivy</span> </span></span><span class="line"><span class="cl">trivy image my-app:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the filesystem for vulnerable dependencies</span> </span></span><span class="line"><span class="cl">trivy fs --severity HIGH,CRITICAL . </span></span></code></pre></td></tr></table> </div> </div><h2 id="github-actions-workflow-with-security-stages">GitHub Actions workflow with security stages </h2><p>Here is a practical GitHub Actions workflow that integrates all the security stages discussed above:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secure CI/CD Pipeline</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pull_request</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secret Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run gitleaks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">gitleaks/gitleaks-action@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GITHUB_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Static Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Semgrep</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">returntocorp/semgrep-action@v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> p/security-audit </span></span></span><span class="line"><span class="cl"><span class="sd"> p/owasp-top-ten</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Bandit (Python)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> pip install bandit </span></span></span><span class="line"><span class="cl"><span class="sd"> bandit -r ./src -f json -o bandit-report.json || true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload SAST reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/upload-artifact@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sast-reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.json&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependency-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dependency Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy filesystem scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scan-type</span><span class="p">:</span><span class="w"> </span><span class="l">fs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-and-scan-image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build &amp; Scan Image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">secret-scan, sast, dependency-scan]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build Docker image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t my-app:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Scan image with Trivy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="l">my-app:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy-staging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to Staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">build-and-scan-image]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">echo &#34;Deploy to staging environment&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dynamic Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">deploy-staging]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">OWASP ZAP Baseline Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">zaproxy/action-baseline@v0.9.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://staging.example.com&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Notice the deliberate ordering: secret scanning, SAST, and dependency scanning run in parallel (fast feedback). Image scanning runs after build. DAST runs after staging deployment.</p> <h2 id="best-practices-checklist">Best practices checklist </h2><p>Here is a checklist to assess the security maturity of your CI/CD pipeline:</p> <ul> <li><input disabled="" type="checkbox"> <strong>Secret scanning</strong> runs on every PR and blocks merge on findings.</li> <li><input disabled="" type="checkbox"> <strong>Pre-commit hooks</strong> prevent secrets from being committed locally.</li> <li><input disabled="" type="checkbox"> <strong>SAST</strong> runs on every PR with rules covering OWASP Top 10.</li> <li><input disabled="" type="checkbox"> <strong>Dependency scanning</strong> runs on every PR and flags HIGH/CRITICAL CVEs.</li> <li><input disabled="" type="checkbox"> <strong>Container image scanning</strong> runs before pushing images to a registry.</li> <li><input disabled="" type="checkbox"> <strong>DAST</strong> runs against staging on every release (or nightly at minimum).</li> <li><input disabled="" type="checkbox"> <strong>Branch protection</strong> requires passing security checks before merge.</li> <li><input disabled="" type="checkbox"> <strong>Least privilege</strong> is enforced on CI runner permissions and secrets access.</li> <li><input disabled="" type="checkbox"> <strong>Signed commits</strong> and <strong>signed artifacts</strong> are enforced for production releases.</li> <li><input disabled="" type="checkbox"> <strong>Build logs</strong> are reviewed to ensure secrets are not leaked in output.</li> <li><input disabled="" type="checkbox"> <strong>Dependency pinning</strong> is used (exact versions, not ranges) to prevent supply chain attacks.</li> <li><input disabled="" type="checkbox"> <strong>Regular rotation</strong> of all CI/CD secrets and service account keys.</li> </ul> <h2 id="final-thoughts">Final thoughts </h2><p>Shift-left security isn&rsquo;t about buying a tool, it&rsquo;s about changing the culture. Security checks in CI/CD should be fast, automated, and non-negotiable. Start with secret scanning (highest ROI), add SAST, then layer in dependency scanning and DAST.</p> <p>The goal isn&rsquo;t to catch everything in the pipeline. The goal is to raise the bar high enough that obvious issues never reach production, freeing your security team to focus on the subtle, high-impact threats that require human judgment.</p>