Are you scanning for security during CI?

Hey guys, I’m doing some research and trying to understand what type of security test people are doing on their code repo during CI. So, what do you do?

1. I statically test the source code for known vulnerabilities
2. I test for known vulnerabilities in open source dependencies
3. I test for known vulnerabilities in container images
4. I don’t have any automated security testing during CI

Please feel free to add any comment. Thanks in advance. - MV

@mviniciususa,

Typically you can add some steps into the workflows to scan your code to detect bugs, vulnerabilities and code smells.

The steps can directly run some scripts for security scanning with a shell, or use some actions to scan for security issues.

You can try to search for related actions in the GitHub Marketplace. Of course, you can also create a custom action according to your requirements.
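As an added illustration of the workflow steps described in the reply (not part of the original thread or any project's own configuration), here is a GitHub Actions workflow that covers poll options 1 to 3: static analysis of the source, dependency scanning and container image scanning. It assumes a JavaScript repository using npm with a Dockerfile in the repo root; the action version tags are assumptions and should be pinned to current releases.

```yaml
# Added example workflow, not from the original thread.
# Assumptions: JavaScript code, npm lockfile present, Dockerfile in repo root,
# action version tags are placeholders to be pinned to current releases.
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its SARIF results to code scanning

jobs:
  sast:
    # Poll option 1: static analysis of the source code with CodeQL
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

  dependencies:
    # Poll option 2: known vulnerabilities in open source dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # fail the job on high or critical advisories; lower severities are only reported
      - run: npm audit --audit-level=high

  container:
    # Poll option 3: known vulnerabilities in the built container image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@0.28.0   # version tag is an assumption
        with:
          image-ref: app:${{ github.sha }}
          severity: HIGH,CRITICAL
          exit-code: '1'   # non-zero exit fails the job when findings match
```

Each job fails the pull request on its own class of finding, so a reviewer sees which of the three checks blocked the merge.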