Shifting security left means catching vulnerabilities before they reach production. Here’s how to build a comprehensive security scanning pipeline.

The Security Pipeline

```text
Code → SAST → Build → Image Scan → Manifest Scan → Deploy → Runtime
```

Static Application Security Testing (SAST)

Scan source code for vulnerabilities:

```yaml
# GitHub Actions example
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1
  with:
    config: >-
      p/security-audit
      p/secrets
```

Secret Detection

```yaml
- name: Detect secrets
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Container Image Scanning

Trivy in CI

```yaml
- name: Scan image
  # @master tracks a moving branch; pin a release tag or commit SHA so the
  # scanner itself cannot change underneath the pipeline.
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'   # fail the job when a CRITICAL or HIGH finding is present
```

Grype Alternative

```yaml
- name: Scan with Grype
  uses: anchore/scan-action@v3
  with:
    image: '${{ env.IMAGE }}'
    fail-build: true
    severity-cutoff: high
```
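Both actions above gate purely on severity. The script below is an added illustration, not part of the original article and not Trivy's or Grype's own code: it shows the gating logic a team usually ends up writing around a scanner's JSON report, namely a severity threshold, an optional filter for findings with no fix available, and an accepted-risk list whose entries expire. It reads the `Results[].Vulnerabilities[]` layout that `trivy image --format json` emits; the embedded sample report and its `CVE-0000-000x` identifiers are constructed placeholders, and the ticket reference in the accepted-risk entry is likewise a placeholder.

```python
"""Severity gate over a Trivy JSON report (added illustration, not Trivy's own
code). Trivy's `.trivyignore` and `--ignore-unfixed` cover similar ground; this
makes the policy explicit and reviewable in one place."""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output
# (SchemaVersion 2). The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "myapp:0123abcd (alpine 3.18)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.36.1-r0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.3-r0", "Severity": "MEDIUM"},
            ],
        }
    ],
}

# Accepted risks expire, so a temporary exception cannot silently become permanent.
# Map: CVE id -> (expires_on, justification). Placeholder entry for the sample.
ACCEPTED_RISKS = {
    "CVE-0000-0001": (date(2099, 1, 1), "placeholder: base image rebuild tracked in ticket <ID>"),
}


def blocking_findings(report, threshold="HIGH", ignore_unfixed=False,
                      accepted=ACCEPTED_RISKS, today=None):
    """Return the findings that should fail the build.

    A finding blocks when its severity is at or above `threshold`, it is not
    excluded as unfixed (only when ignore_unfixed=True), and no unexpired
    accepted-risk entry covers it.
    """
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for clean targets, hence the `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < min_rank:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            exception = accepted.get(vuln["VulnerabilityID"])
            if exception and exception[0] >= today:
                continue  # accepted risk, still within its expiry
            blocking.append({"Target": result.get("Target"), **vuln})
    return blocking


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # Usage: python gate.py trivy.json   (falls back to the embedded sample)
    report = load_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    blocking = blocking_findings(report)
    for v in blocking:
        print(f"{v['Severity']:8} {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion'] or 'no fix'} ({v['Target']})")
    print(f"{len(blocking)} blocking finding(s)")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping `ignore_unfixed` off by default is the conservative choice: an unfixed HIGH still represents exposure, and the expiring accepted-risk list is the place to record the decision to ship with it.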

Kubernetes Manifest Scanning

Kubesec

```yaml
- name: Scan manifests
  # Assumes the kubesec binary is already on the runner's PATH. GitHub runs
  # `run:` steps with bash -e, so the step fails as soon as kubesec exits
  # non-zero; the explicit check makes that intent visible.
  run: |
    kubesec scan deployment.yaml || exit 1
```

Checkov

```yaml
- name: Run Checkov
  # @master is a moving target; pin a release tag or commit SHA.
  uses: bridgecrewio/checkov-action@master
  with:
    directory: ./kubernetes
    framework: kubernetes
    soft_fail: false   # any failed policy fails the job
```

Kube-linter

```yaml
- name: Lint Kubernetes manifests
  uses: stackrox/kube-linter-action@v1
  with:
    directory: ./manifests
```
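To make concrete what the three manifest scanners above are looking for, here is an added example, not code from kubesec, Checkov or kube-linter, that applies a handful of their core pod-spec checks to a Deployment: host namespaces, auto-mounted service-account tokens, privileged containers, privilege escalation, root users, writable root filesystems, undropped capabilities, missing resource limits and mutable image tags. Manifests are passed as dicts so the script runs without a YAML library; the insecure and hardened samples are constructed inline, and the hardened image digest is an all-zero placeholder.

```python
"""Pod-spec hardening checks of the kind kubesec, Checkov and kube-linter apply
(added illustration, not code from any of those projects). For real files use
PyYAML: check_manifest(yaml.safe_load(open(path)))."""
import sys


def pod_spec(manifest):
    """Return the pod spec of a Pod, or of any workload that wraps a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_manifest(manifest):
    """Return (check_id, subject, message) tuples; an empty list means every check passed."""
    findings = []
    spec = pod_spec(manifest)
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})

    # Pod level: host namespaces defeat container isolation, and an auto-mounted
    # service-account token is a credential most workloads never use.
    for host_ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(host_ns):
            findings.append((host_ns, name, f"{host_ns} is enabled"))
    if spec.get("automountServiceAccountToken", True):
        findings.append(("sa-token", name, "service account token is auto-mounted"))

    for c in spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("privileged", cname, "container runs privileged"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation", cname, "allowPrivilegeEscalation is not false"))
        # runAsNonRoot may be set on the container or inherited from the pod.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(("run-as-root", cname, "runAsNonRoot is not set"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("writable-rootfs", cname, "readOnlyRootFilesystem is not set"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("capabilities", cname, "capabilities.drop does not include ALL"))
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(("limits", cname, f"no {res} limit"))
        # A tag-less or :latest image is mutable; a digest (@sha256:...) is not.
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":" not in last or last.endswith(":latest"):
            findings.append(("image-tag", cname, f"image {image!r} uses a mutable tag"))
    return findings


# Constructed samples: a typical first draft and its hardened counterpart.
INSECURE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "myapp-insecure"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "myapp"}},
             "template": {"metadata": {"labels": {"app": "myapp"}},
                          "spec": {"hostPID": True,
                                   "containers": [{"name": "app", "image": "myapp:latest",
                                                   "securityContext": {"privileged": True}}]}}},
}
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "myapp"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "myapp"}},
             "template": {"metadata": {"labels": {"app": "myapp"}},
                          "spec": {"automountServiceAccountToken": False,
                                   "securityContext": {"runAsNonRoot": True,
                                                       "seccompProfile": {"type": "RuntimeDefault"}},
                                   "containers": [{
                                       "name": "app",
                                       # placeholder digest, not a real image
                                       "image": "registry.example.com/myapp@sha256:" + "0" * 64,
                                       "securityContext": {"allowPrivilegeEscalation": False,
                                                           "readOnlyRootFilesystem": True,
                                                           "capabilities": {"drop": ["ALL"]}},
                                       "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}


def main():
    failed = False
    for manifest in (INSECURE, HARDENED):
        findings = check_manifest(manifest)
        print(f"{manifest['metadata']['name']}: {len(findings)} finding(s)")
        for check_id, subject, message in findings:
            print(f"  [{check_id}] {subject}: {message}")
        failed = failed or bool(findings)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

The real tools carry far more rules and map them to CIS or NSA/CISA guidance; the value of a small in-house check like this is in expressing the handful of controls the team treats as non-negotiable, in code that reviewers can read.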

Infrastructure as Code Scanning

```yaml
- name: Scan Terraform
  uses: aquasecurity/tfsec-action@v1.0.0
  with:
    # soft_fail: true reports findings without failing the job. That is useful
    # while triaging an existing codebase; set it to false once the baseline is
    # clean so new misconfigurations block the merge.
    soft_fail: true
```

Complete Pipeline Example

```yaml
name: Security Pipeline

on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Secret detection
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: SAST scan
        uses: returntocorp/semgrep-action@v1

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan image
        # Pin to a release tag or commit SHA rather than @master in production.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'myapp:${{ github.sha }}'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

      - name: Scan manifests
        uses: stackrox/kube-linter-action@v1
        with:
          directory: ./manifests

      - name: Sign image
        # cosign signs an image in a registry and stores the signature beside it,
        # so the image must be pushed before this step; signing the pushed digest
        # rather than a tag binds the signature to exact content. Keep the private
        # key in a secret store, never in the repository checkout.
        run: cosign sign --key cosign.key myapp:${{ github.sha }}
```
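The pipeline definition is itself part of the supply chain: several of its steps pull third-party actions by tag, and one by the `master` branch, so whoever controls those refs controls what runs with the repository's token. As an added example, not part of the original article or of any scanner, the script below audits a workflow's `uses:` lines and reports every reference that is not pinned to a 40-character commit SHA, failing only on branch pins and listing tag pins as warnings. The embedded workflow is a constructed excerpt, and its all-zero SHA is a placeholder for a real commit pin.

```python
"""Audit `uses:` references in a GitHub Actions workflow for mutable pins
(added illustration, not part of the original article or of any scanner).
A branch or tag can be moved; a full commit SHA cannot."""
import re
import sys

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_NAMES = {"master", "main", "develop", "trunk"}

# Constructed excerpt; the all-zero SHA is a placeholder for a real commit pin.
SAMPLE_WORKFLOW = """\
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: SAST scan
        uses: returntocorp/semgrep-action@v1
      - name: Scan image
        uses: aquasecurity/trivy-action@master
      - name: Local composite action
        uses: ./.github/actions/notify
      - name: Manifest lint pinned to a commit
        uses: stackrox/kube-linter-action@0000000000000000000000000000000000000000
"""


def classify_ref(ref):
    """Return 'local', 'sha', 'tag' or 'branch' for one uses: reference."""
    if ref.startswith(("./", "docker://")):
        return "local"  # in-repo action or explicit image ref: not a GitHub ref pin
    if "@" not in ref:
        return "branch"  # no ref at all resolves to the action's default branch
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha"
    if version in BRANCH_NAMES:
        return "branch"
    return "tag"


def audit_workflow(text):
    """Return (line_no, ref, kind) for every uses: line not pinned to a SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_ref(ref)
        if kind in ("branch", "tag"):
            findings.append((line_no, ref, kind))
    return findings


def main(argv):
    # Usage: python audit_pins.py .github/workflows/security.yml
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WORKFLOW
    findings = audit_workflow(text)
    for line_no, ref, kind in findings:
        level = "ERROR" if kind == "branch" else "WARN"
        print(f"{level} line {line_no}: {ref} is pinned to a {kind}, not a commit SHA")
    return 1 if any(kind == "branch" for _, _, kind in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pinning to a SHA trades convenience for control: updates then arrive through a dependency-update bot as reviewable pull requests rather than silently at the next run. Tag pins are common and often acceptable for first-party actions, which is why the script treats them as warnings while branch pins fail the check.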

Governance

Security scanning in CI/CD catches issues before they become incidents.
