GitHub SecOps: DevSecOps Pipeline
A robust DevSecOps pipeline in GitHub Actions integrates security at every stage of your CI/CD process. Below is a practical example covering secrets detection, SAST, SCA, container scanning, DAST, and system auditing.
name: DevSecOps Pipeline
on:
push:
branches:
- main
jobs:
security:
runs-on: ubuntu-latest
steps:
# Checkout code
- name: Checkout code
uses: actions/checkout@v4
# Secret scanning (GitGuardian or truffleHog recommended)
- name: Secret Scan (truffleHog)
uses: trufflesecurity/trufflehog@v3
with:
scan: true
# Static Application Security Testing (SAST) with SonarCloud
- name: SAST (SonarCloud)
uses: SonarSource/sonarcloud-github-action@v2
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
projectKey: ${{ secrets.SONAR_PROJECT_KEY }}
# Software Composition Analysis (SCA) with OWASP Dependency-Check
- name: SCA (OWASP Dependency-Check)
uses: dependency-check/Dependency-Check_Action@v3
with:
project: my-app
format: 'HTML'
out: 'reports'
# Container image scanning with Trivy
- name: Container Scan (Trivy)
uses: aquasecurity/trivy-action@v0.14.0
with:
image-ref: 'myorg/myimage:latest'
# Dynamic Application Security Testing (DAST) with OWASP ZAP
- name: DAST (OWASP ZAP)
uses: zaproxy/action-full-scan@v0.7.0
with:
target: 'https://your-app-url.com'
# System Security Audit (Lynis)
- name: System Security Audit (Lynis)
uses: docker://cisagov/lynis
with:
args: audit system
# Optional: Bug tracking integration (e.g., Jira, GitHub Issues)
# - name: Create Issue on Failure
# uses: actions/github-script@v7
# if: failure()
# with:
# script: |
# // Create an issue or notify on failure
Pipeline Stages Explained:
Secret Scanning: Detects hardcoded secrets using truffleHog or GitGuardian.
SAST: Analyzes code for vulnerabilities before deployment (SonarCloud).
SCA: Checks dependencies for known vulnerabilities (OWASP Dependency-Check).
Container Scanning: Scans Docker images for vulnerabilities (Trivy).
DAST: Tests running applications for security issues (OWASP ZAP).
System Audit: Runs a system-level security audit (Lynis).
Bug Tracking: Optionally create issues for failed security checks.
Best Practices
Store all tokens and credentials in GitHub Secrets.
Use branch protection rules to enforce security checks before merging.
Regularly update action versions to include the latest security patches.
Review GitHub Advanced Security for built-in secret scanning and code scanning.
References
Tip: Integrate this pipeline with your existing CI/CD workflows for continuous, automated security coverage across your DevOps lifecycle.
Last updated