DevSecOps Pipeline: Integrating Security into Every Stage of CI/CD
How to integrate SAST, DAST, SCA, secrets scanning, and IaC scanning into your CI/CD pipeline without slowing down deployments.
DevSecOps Pipeline: Integrating Security into Every Stage of CI/CD
The promise of DevSecOps is not to make security a blocker — it is to make insecure software impossible to deploy by default. When security checks are baked into every pull request, build, and deployment, vulnerabilities are caught where they are cheapest to fix: before they ever reach production.
This guide walks through the full spectrum of automated security gates you should integrate into your CI/CD pipeline and how to tune each one to minimize noise while maximizing signal.
Why "Shift Left" Matters
The cost of fixing a vulnerability found in code review is roughly 6x cheaper than fixing the same issue found in QA, and 100x cheaper than fixing it after production deployment. Shifting security left means moving checks earlier in the development lifecycle — ideally to the IDE and the pull request stage, not the staging environment.
The challenge is that security tools have historically been slow, noisy, and difficult to integrate. Modern tooling has largely solved this. The goal is a pipeline where:
- Fast checks (SAST, secrets, dependency audit) run on every pull request in under 5 minutes
- Deeper checks (DAST, container scanning, IaC) run on merge to main or pre-deployment
- Critical findings block the pipeline; medium findings create tickets but do not block
Stage 1: Pre-Commit Hooks
Before code reaches CI, local hooks catch the most obvious issues immediately.
Secrets detection is the highest-value pre-commit check. Tools like detect-secrets, gitleaks, and trufflehog scan staged changes for API keys, tokens, and credentials.
# .pre-commit-config.yaml
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
Install and activate:
pip install pre-commit
pre-commit install
Pre-commit hooks are advisory — developers can bypass them with --no-verify. The CI pipeline must enforce the same checks as a hard gate.
Stage 2: SAST — Static Application Security Testing
SAST analyzes source code without executing it, identifying patterns associated with security vulnerabilities.
Semgrep is the leading open-source SAST tool. It uses a YAML rule syntax that is readable and extensible, and ships with rulesets for OWASP Top 10, CWE, and framework-specific issues.
# .github/workflows/sast.yml
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/owasp-top-ten
p/nodejs
p/typescript
CodeQL (GitHub Advanced Security) performs deeper semantic analysis and can find complex multi-step vulnerabilities that pattern-matching tools miss. It is slower but appropriate for merge-to-main gates.
Tuning tips:
- Start with high-confidence rules only. False positives kill developer trust in security tools.
- Use
.semgrepignoreto suppress findings in test files, generated code, and known-safe patterns. - Track findings in a security backlog rather than overwhelming developers with hundreds of issues on day one.
Stage 3: SCA — Software Composition Analysis
Most application code is open-source dependencies. SCA tools identify known vulnerabilities (CVEs) in your dependency tree.
Dependabot (GitHub native) and Snyk create automated pull requests when vulnerabilities are found in package.json, requirements.txt, go.mod, and other manifest files.
For a CI gate, npm audit (for Node.js) or pip-audit (for Python) provides fast feedback:
# Fail the build on high-severity vulnerabilities
npm audit --audit-level=high
For richer analysis with license compliance and reachability analysis:
snyk test --severity-threshold=high --fail-on=upgradable
Reachability analysis — determining whether a vulnerable function is actually called in your code — dramatically reduces false positives. Snyk and Semgrep both offer this for some ecosystems.
Stage 4: Secrets Scanning in CI
Even with pre-commit hooks, secrets can slip through via history rewriting, copy-paste, or bypassed hooks. CI-level secrets scanning is the safety net.
# GitHub Actions
- name: TruffleHog Secrets Scan
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --only-verified
Response when a secret is found: Revoke the credential immediately — assume it has already been exfiltrated. Do not just delete the commit; the secret is in git history and must be rotated regardless.
Stage 5: Container Image Scanning
Before pushing a container image to a registry, scan it for OS-level CVEs and misconfigurations.
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Scan with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
format: sarif
output: trivy-results.sarif
severity: HIGH,CRITICAL
exit-code: 1
Upload results to GitHub Security tab via SARIF for developer visibility without leaving the PR.
Stage 6: IaC Scanning — Infrastructure as Code
Terraform, CloudFormation, and Kubernetes manifests encode your infrastructure configuration. Misconfigurations here become production vulnerabilities.
Checkov (open-source, Bridgecrew/Prisma Cloud) and tfsec are the leading tools.
checkov -d ./terraform --framework terraform --check CKV_AWS_*
Key checks Checkov performs:
- S3 buckets with public access enabled
- Security groups open to
0.0.0.0/0on sensitive ports - Unencrypted EBS volumes and RDS instances
- IAM policies with wildcard permissions
- CloudTrail logging disabled
Integrate into CI to fail on HIGH and CRITICAL findings:
- name: Run Checkov
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
soft_fail: false
check: CKV_AWS_*,CKV_K8S_*
Stage 7: DAST — Dynamic Application Security Testing
DAST tests the running application by sending attack payloads. It catches runtime vulnerabilities that SAST misses — like authentication bypasses, injection flaws in dynamic query builders, and business logic issues.
DAST is slower and requires a deployed environment, so it typically runs against a staging environment after merge to main.
OWASP ZAP in "baseline" mode runs a fast passive scan suitable for CI:
- name: ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.10.0
with:
target: https://staging.myapp.com
rules_file_name: zap-rules.tsv
fail_action: warn
For deeper active scanning, trigger a ZAP full scan nightly against staging.
Assembling the Full Pipeline
PR opened
├── Gitleaks (secrets) [block on any finding]
├── Semgrep SAST [block on HIGH+]
└── npm audit / pip-audit [block on HIGH+]
Merge to main
├── CodeQL analysis [block on HIGH+]
├── Trivy container scan [block on CRITICAL]
├── Checkov IaC scan [block on HIGH+]
└── Snyk SCA (full tree) [block on upgradable HIGH+]
Deploy to staging
└── ZAP DAST baseline [alert on findings]
Nightly
└── ZAP full active scan [create tickets]
Managing Alert Fatigue
The biggest failure mode for DevSecOps pipelines is noise. If every build triggers 40 findings, developers learn to dismiss them.
- Establish a baseline. On day one, scan your repo and create tickets for all existing findings. Mark them as "known" so future scans only alert on new issues.
- Tune thresholds. Block only on HIGH and CRITICAL. Medium findings go to a security backlog.
- Review and prune rules. Disable rules with high false-positive rates for your stack.
- Measure and report. Track mean time to remediation per severity tier. Make the metric visible to the team.
DevSecOps works when security is treated as a quality metric, not a compliance checkbox. Automated gates catch the common cases; security reviews and threat modeling catch the rest.