How do you implement security scanning in a GitHub Actions CI/CD pipeline?

Hard Topic: System Design May 24, 2026

A comprehensive pipeline layers four kinds of scanning in one job: static analysis of the source (SAST), dependency scanning, container image scanning, and infrastructure-as-code (IaC) scanning, and fails the build when high-severity findings appear:

name: security-scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the scanners only need to read the repository
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # SAST: static code analysis of the checked-out source
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1

      # Dependency scanning: known-vulnerable packages in the lockfile
      - name: Run Snyk
        uses: snyk/actions/node@master   # pin to a release tag or commit SHA in production
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      # Container image scanning: OS and application packages in the built image
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
        with:
          image-ref: myapp:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: 1   # fail the job on any CRITICAL or HIGH finding

      # IaC scanning: misconfigurations in Terraform code
      - name: Run tfsec
        uses: aquasecurity/tfsec-action@v1.0.0