GitHub SecOps: DevSecOps Pipeline

A robust DevSecOps pipeline in GitHub Actions integrates security at every stage of your CI/CD process. Below is a practical example covering secrets detection, SAST, SCA, container scanning, DAST, and system auditing.

name: DevSecOps Pipeline

on:
  push:
    branches:
      - main

jobs:
  security:
    runs-on: ubuntu-latest
    # Least privilege for the job's GITHUB_TOKEN: read the repo, and allow
    # issue writes only because the ZAP action files issues by default
    permissions:
      contents: read
      issues: write
    steps:
      # Checkout code (full history, so the secret scanner and SonarCloud
      # can see every commit rather than a shallow clone)
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Secret scanning (GitGuardian or truffleHog recommended)
      - name: Secret Scan (truffleHog)
        uses: trufflesecurity/trufflehog@v3
        with:
          # The action takes a repository path (plus optional base/head),
          # not a 'scan' flag; scanning ./ covers the whole checkout
          path: ./

      # Static Application Security Testing (SAST) with SonarCloud
      - name: SAST (SonarCloud)
        uses: SonarSource/sonarcloud-github-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # The action has no projectKey input; scanner properties go in
          # sonar-project.properties or are passed here as args
          args: >
            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}

      # Software Composition Analysis (SCA) with OWASP Dependency-Check
      - name: SCA (OWASP Dependency-Check)
        uses: dependency-check/Dependency-Check_Action@v3
        with:
          project: my-app
          path: '.'
          format: 'HTML'
          out: 'reports'
          # Fail the step when any dependency carries a CVSS score of 7.0 or
          # higher; without this the report is written but nothing is blocked
          args: >
            --failOnCVSS 7

      # Container image scanning with Trivy
      - name: Container Scan (Trivy)
        uses: aquasecurity/trivy-action@v0.14.0
        with:
          image-ref: 'myorg/myimage:latest'
          severity: 'CRITICAL,HIGH'
          # Return a non-zero exit code on findings so the job actually fails
          exit-code: '1'

      # Dynamic Application Security Testing (DAST) with OWASP ZAP
      - name: DAST (OWASP ZAP)
        uses: zaproxy/action-full-scan@v0.7.0
        with:
          target: 'https://your-app-url.com'

      # System Security Audit (Lynis)
      - name: System Security Audit (Lynis)
        uses: docker://cisagov/lynis
        with:
          args: audit system

      # Optional: Bug tracking integration (e.g., Jira, GitHub Issues)
      # - name: Create Issue on Failure
      #   uses: actions/github-script@v7
      #   if: failure()
      #   with:
      #     script: |
      #       // Create an issue or notify on failure

Pipeline Stages Explained:

  • Secret Scanning: Detects hardcoded secrets using truffleHog or GitGuardian.

  • SAST: Analyzes code for vulnerabilities before deployment (SonarCloud).

  • SCA: Checks dependencies for known vulnerabilities (OWASP Dependency-Check).

  • Container Scanning: Scans Docker images for vulnerabilities (Trivy).

  • DAST: Tests running applications for security issues (OWASP ZAP).

  • System Audit: Runs a system-level security audit (Lynis).

  • Bug Tracking: Optionally create issues for failed security checks.
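The workflow above stops at "scan and report"; the decision of what blocks a merge, and what gets filed as a bug, still has to live somewhere. The following Python gate is an added example for this page (it is not part of Trivy, Dependency-Check, or GitHub's own tooling). It assumes the Trivy step was told to write JSON (trivy-action's `format: 'json'` and `output:` inputs), reads that report, applies a severity threshold and a dated risk-acceptance allowlist, and renders the Markdown body that the optional "Create Issue on Failure" step could pass to `actions/github-script`. The report and allowlist embedded below are constructed sample data, and the CVE identifiers are placeholders, not real advisories.

```python
"""Policy gate for a Trivy JSON report plus an issue-body renderer.

Added example for this page (not code from Trivy, Dependency-Check or
GitHub). Assumes the Trivy step wrote a JSON report (trivy-action's
`format: 'json'` / `output:` inputs) and that the optional bug-tracking
step hands the rendered Markdown to actions/github-script.
"""
import json
import sys
from datetime import date
from pathlib import Path

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report: dict) -> list:
    """Flatten Trivy's Results[].Vulnerabilities[] into one list of dicts."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", "?"),
            })
    return findings


def gate(findings, allowlist, threshold="HIGH", today=None, ignore_unfixed=False):
    """Return (blocking, accepted, below_threshold) lists.

    allowlist maps vulnerability id -> {"expires": "YYYY-MM-DD", "reason": str}.
    An expired entry stops suppressing the finding, so risk acceptances are
    revisited rather than silently kept forever.
    """
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, accepted, below = [], [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < min_rank:
            below.append(f)
            continue
        if ignore_unfixed and not f["fixed"]:
            below.append(f)  # nothing to upgrade to yet; report, don't block
            continue
        entry = allowlist.get(f["id"])
        if entry and date.fromisoformat(entry["expires"]) >= today:
            accepted.append(f)
        else:
            blocking.append(f)
    return blocking, accepted, below


def render_issue_body(blocking, accepted, image_ref):
    """Markdown body for the optional 'Create Issue on Failure' step."""
    lines = [f"## Container scan failed for `{image_ref}`", "",
             "| ID | Package | Installed | Fixed | Severity | Target |",
             "|----|---------|-----------|-------|----------|--------|"]
    for f in sorted(blocking, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        lines.append(f"| {f['id']} | {f['pkg']} | {f['installed']} | "
                     f"{f['fixed'] or 'none'} | {f['severity']} | {f['target']} |")
    if accepted:
        lines += ["", "Accepted (unexpired allowlist entries): "
                  + ", ".join(f["id"] for f in accepted)]
    return "\n".join(lines)


# Constructed sample report and allowlist; the CVE ids are placeholders.
SAMPLE_REPORT = {"Results": [{
    "Target": "myorg/myimage:latest (alpine 3.18.0)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
         "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
         "InstalledVersion": "1.36.0-r0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
         "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1", "Severity": "MEDIUM"},
    ]}]}
SAMPLE_ALLOWLIST = {
    "CVE-0000-0002": {"expires": "2099-01-01", "reason": "not reachable; no fix available"},
}


def run_gate(report=SAMPLE_REPORT, allowlist=SAMPLE_ALLOWLIST, image_ref="myorg/myimage:latest"):
    """Evaluate one report; returns (exit_code, issue_body_or_None)."""
    blocking, accepted, _ = gate(load_findings(report), allowlist)
    if not blocking:
        return 0, None
    return 1, render_issue_body(blocking, accepted, image_ref)


if __name__ == "__main__":
    # Workflow usage: python gate.py trivy-results.json myorg/myimage:latest
    report = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_REPORT
    image = sys.argv[2] if len(sys.argv) > 2 else "myorg/myimage:latest"
    code, body = run_gate(report, image_ref=image)
    print(body or "No blocking findings")
    sys.exit(code)
```

Wired into the pipeline, this runs as a `run:` step after the Trivy step; its non-zero exit is what makes the job fail, and the printed body is what the `github-script` step would post. The dated allowlist is the part worth copying even if the rest is replaced: a suppression that expires forces someone to re-read the acceptance, whereas a permanent ignore file tends to outlive the reason it was written for.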

Tip: Integrate this pipeline with your existing CI/CD workflows for continuous, automated security coverage across your DevOps lifecycle.