After this lesson, you will be able to: Integrate dependency, Docker image, and secret scanning into CI using npm audit / Snyk / Trivy / truffleHog.
Modern attackers exploit known CVEs in dependencies far more than novel zero-days. Scanning in CI is cheap, automated, and high-leverage.
1. Application dependencies (npm, pip, gem packages). 90% of supply-chain risk. 2. Container images (base OS + system packages). Outdated base images are the #1 source of CVEs in container deploys. 3. Source code itself (secrets accidentally committed, insecure patterns). Cover all three; missing any one is the gap an attacker exploits.
Free, built into GitHub.
# In CI: fail PR if Critical CVEs found- run: npm audit --audit-level=critical# Better: enable Dependabot (Settings > Code security)# It auto-opens PRs when dependencies have security updates.# Reviewing + merging Dependabot PRs is one of the highest-leverage habits.# Alternative: Snyk (more comprehensive; paid)- uses: snyk/actions/node@masterenv: { SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} }with:args: --severity-threshold=high
Open-source, fast, free. Runs in CI in seconds.
- uses: aquasecurity/trivy-action@masterwith:image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}format: sarifoutput: trivy-results.sarifseverity: CRITICAL,HIGHexit-code: '1' # fail the build on Critical / Highignore-unfixed: true # don't fail on CVEs with no fix yet- if: always()uses: github/codeql-action/upload-sarif@v3with:sarif_file: trivy-results.sarif# Results show up in GitHub's Security tab
Catches committed credentials before they leak publicly.
# GitHub Settings > Code security > Secret scanning + Push protection: ON# Free for public repos; included in GitHub Advanced Security for private.# Detects 200+ token types automatically.# truffleHog as a belt + suspenders:- uses: trufflesecurity/trufflehog@mainwith:path: ./base: ${{ github.event.repository.default_branch }}head: HEADextra_args: --debug --only-verified
Disabling Dependabot because the PRs are noisy. Tune severity thresholds + assign a rotating reviewer instead. `npm audit` with `--audit-level=low`. Fails on every CVE; team learns to ignore. Start at `critical` and tighten. Failing the build on transitive CVEs you can't fix. `ignore-unfixed: true` is the pragmatic default; track unfixed via Trivy SARIF in GitHub Security. Skipping secret-scanning push protection. The block-at-push behavior catches accidents before they're public. Pinning dependencies forever 'because changes are scary'. The longer you wait, the harder the upgrade. Apply Dependabot PRs weekly.
Pick the honest answer.
Sign in and purchase access to unlock this lesson.