Secrets Management, Dependencies, and Security in CI/CD
Lesson 6.4
Security scanning in CI/CD: SAST, DAST, and secret scanning
SAST vs DAST, static analysis tools, ESLint security plugin, Semgrep, secret scanning with git-secrets, OWASP ZAP for DAST, GitHub Actions security workflow, shift-left security
Security Scanning in CI/CD
Shift-left means moving security checks earlier in the development lifecycle—catching vulnerabilities in CI before they reach production, not after.
SAST: Static Application Security Testing
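Before the workflow, an added example (not code from the lesson) of what the `security/detect-object-injection` rule enabled in the ESLint step below is warning about, next to a hardened form. The rule fires on any `obj[key]` where `key` is not a literal, because a caller-controlled key also reaches everything inherited from `Object.prototype`. The function names, the `KEY_FORMAT` allowlist and the store contents are constructed for this example.

```javascript
// Added example, not code from the lesson: the pattern behind
// eslint-plugin-security's detect-object-injection warning, and one way
// to satisfy it. The store contents and keys are constructed.

// Vulnerable: `store[key]` with an attacker-chosen key. "constructor",
// "toString" and "__proto__" all resolve, returning values the author
// never stored, and a write through "__proto__" re-parents the object.
function lookupUnsafe(store, key) {
  return store[key];
}

function setUnsafe(store, key, value) {
  store[key] = value;
  return store;
}

// Hardened: a key allowlist (hypothetical format chosen for this example),
// an own-property check, and a null-prototype store so nothing is inherited.
// Both checks are needed: "constructor" passes the regex but fails
// Object.hasOwn; "__proto__" fails the regex before it can reach a write.
const KEY_FORMAT = /^[a-z][a-z0-9_]{0,31}$/;

function newStore() {
  return Object.create(null);
}

function lookupSafe(store, key) {
  if (!KEY_FORMAT.test(key)) return undefined;
  return Object.hasOwn(store, key) ? store[key] : undefined;
}

function setSafe(store, key, value) {
  if (!KEY_FORMAT.test(key)) {
    throw new Error(`rejected key: ${JSON.stringify(key)}`);
  }
  store[key] = value;
  return store;
}

// Side-by-side demonstration; returns booleans so the outcome is checkable.
function demo() {
  const plain = { theme: "dark" };
  const results = {
    unsafeLeaksConstructor: lookupUnsafe(plain, "constructor") === Object,
    safeHidesConstructor: lookupSafe(plain, "constructor") === undefined,
    safeFindsOwnKey: lookupSafe(plain, "theme") === "dark",
    // After the unsafe write, a property the caller never set is "present".
    unsafeInheritsAdmin: setUnsafe({}, "__proto__", { admin: true }).admin === true,
    safeRejectsProto: false,
  };
  try {
    setSafe(newStore(), "__proto__", { admin: true });
  } catch {
    results.safeRejectsProto = true;
  }
  return results;
}

console.log(demo());
```

The rule is set to `warn` in the workflow because it fires on every non-literal bracket access, including harmless ones; the hardened pair above is the shape of the fix a reviewer should expect before a warning is suppressed.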
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history, so the Gitleaks step below can scan past commits
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/nodejs
      - name: ESLint Security Plugin
        run: |
          npm install eslint eslint-plugin-security
          npx eslint --plugin security --rule 'security/detect-object-injection: warn' src/
Secret Scanning
The Gitleaks step continues the same job. Gitleaks scans commit history, not just the working tree, which is why the checkout above fetches full history. git-secrets, the other tool named above, is the local counterpart: a pre-commit hook that rejects a commit containing a matching pattern before it reaches the repository. Running Gitleaks in CI catches what slipped past the hook, including secrets committed before it was installed.
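Before the Gitleaks step, an added example (not code from the lesson, and not Gitleaks or git-secrets themselves) of the two checks such scanners combine, run over constructed sample lines: fixed-prefix patterns for known credential formats, which is the shape of a Gitleaks rule, and Shannon entropy of an assigned value, which catches opaque tokens no pattern knows about while ignoring human-readable placeholders. The rule set, the `ENTROPY_THRESHOLD` value and the sample lines are assumptions made for this example; the `AKIA…EXAMPLE` value is the placeholder from AWS's own documentation.

```javascript
// Added example, not the lesson's code: pattern + entropy secret scanning
// over constructed input. Rule ids, threshold and samples are made up here.

// Known-format rules. The prefixes are the public ones the providers use.
const RULES = [
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Generic rule: a value of 20+ token characters assigned to a name that
// looks like a credential, reported only if its entropy is high.
const ASSIGNED_VALUE =
  /(?:secret|token|password|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+\/=_\-]{20,})/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character; a tuning choice for this example

// Shannon entropy of a string, in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// One finding per match: { line, rule, match }. Lines are 1-based.
function scanLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({ line: idx + 1, rule: rule.id, match: m[0] });
      }
    }
    for (const m of line.matchAll(ASSIGNED_VALUE)) {
      if (entropy(m[1]) >= ENTROPY_THRESHOLD) {
        findings.push({ line: idx + 1, rule: "high-entropy-assignment", match: m[1] });
      }
    }
  });
  return findings;
}

// Constructed sample input. Line 2 uses the AWS documentation placeholder
// key id; the remaining values are invented. Line 3 is a readable
// placeholder that the entropy check is meant to ignore.
const SAMPLE_LINES = [
  'const region = "us-east-1";',
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  'password = "changeme_changeme_changeme"',
  'api_key: "xq7Lm2Vb9Kt4Rp8Hs3Jd6Ng1Wf5Zc0Ya"',
  "GH_PAT=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
  "-----BEGIN RSA PRIVATE KEY-----",
];

// Mirrors a CI gate: print every finding, return true only when clean.
function report(lines) {
  const findings = scanLines(lines);
  for (const f of findings) console.log(`line ${f.line}: ${f.rule}: ${f.match}`);
  return findings.length === 0;
}

report(SAMPLE_LINES);
```

Line 3 is the reason scanners pair entropy with patterns rather than flagging every long assigned value: `changeme_changeme_changeme` has about 2.9 bits per character and is skipped, while the 32-character mixed token on line 4 scores 5.0 and is reported even though no provider rule knows its format.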
      - name: Scan for secrets with Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DAST: Dynamic Testing
DAST tests the running application rather than its source. OWASP ZAP spiders the target and runs its checks against the responses. The baseline action below is the passive variant: it crawls for a bounded time and applies only passive rules (missing security headers, cookie flags, information disclosure), so it is cheap enough to run on every push but will not find injection flaws; those need zaproxy/action-full-scan, which does send attack payloads. Point either one at a staging environment, never at production:
      - name: OWASP ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.9.0
        with:
          target: 'https://staging.yourapp.com'
Dependency Checking
npm audit checks the dependency tree in package-lock.json against the npm advisory database, so run it after npm ci rather than after a bare npm install that may rewrite the lockfile. --audit-level=high makes the step fail only on high or critical advisories; moderate and low findings are still printed but do not block the merge.
      - name: npm audit
        run: npm audit --audit-level=high