GitHub SecOps: DevSecOps Pipeline

A robust DevSecOps pipeline in GitHub Actions integrates security at every stage of your CI/CD process. Below is a practical example covering secrets detection, SAST, SCA, container scanning, DAST, and system auditing.

name: DevSecOps Pipeline

on:
  push:
    branches:
      - main

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Checkout code
      - name: Checkout code
        uses: actions/checkout@v4

      # Secret scanning (GitGuardian or truffleHog recommended)
      - name: Secret Scan (truffleHog)
        uses: trufflesecurity/trufflehog@v3
        with:
          scan: true

      # Static Application Security Testing (SAST) with SonarCloud
      - name: SAST (SonarCloud)
        uses: SonarSource/sonarcloud-github-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectKey: ${{ secrets.SONAR_PROJECT_KEY }}

      # Software Composition Analysis (SCA) with OWASP Dependency-Check
      - name: SCA (OWASP Dependency-Check)
        uses: dependency-check/Dependency-Check_Action@v3
        with:
          project: my-app
          format: 'HTML'
          out: 'reports'

      # Container image scanning with Trivy
      - name: Container Scan (Trivy)
        uses: aquasecurity/trivy-action@v0.14.0
        with:
          image-ref: 'myorg/myimage:latest'

      # Dynamic Application Security Testing (DAST) with OWASP ZAP
      - name: DAST (OWASP ZAP)
        uses: zaproxy/action-full-scan@v0.7.0
        with:
          target: 'https://your-app-url.com'

      # System Security Audit (Lynis)
      - name: System Security Audit (Lynis)
        uses: docker://cisagov/lynis
        with:
          args: audit system

      # Optional: Bug tracking integration (e.g., Jira, GitHub Issues)
      # - name: Create Issue on Failure
      #   uses: actions/github-script@v7
      #   if: failure()
      #   with:
      #     script: |
      #       // Create an issue or notify on failure

Pipeline Stages Explained:

• Secret Scanning: Detects hardcoded secrets using truffleHog or GitGuardian.

• SAST: Analyzes code for vulnerabilities before deployment (SonarCloud).

• SCA: Checks dependencies for known vulnerabilities (OWASP Dependency-Check).

• Container Scanning: Scans Docker images for vulnerabilities (Trivy).

• DAST: Tests running applications for security issues (OWASP ZAP).

• System Audit: Runs a system-level security audit (Lynis).

• Bug Tracking: Optionally create issues for failed security checks.

Best Practices

• Store all tokens and credentials in GitHub Secrets.

• Use branch protection rules to enforce security checks before merging.

• Regularly update action versions to include the latest security patches.

• Review GitHub Advanced Security for built-in secret scanning and code scanning.

References

• GitHub Actions Security

• truffleHog

• SonarCloud GitHub Action

• OWASP Dependency-Check

• Trivy

• OWASP ZAP

• Lynis

---

Tip: Integrate this pipeline with your existing CI/CD workflows for continuous, automated security coverage across your DevOps lifecycle.