█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/CI/CD Pipelines/Security Scanning in CI
45 minIntermediate

Security Scanning in CI

After this lesson, you will be able to: Integrate dependency, Docker image, and secret scanning into CI using npm audit / Snyk / Trivy / truffleHog.

Modern attackers exploit known CVEs in dependencies far more than novel zero-days. Scanning in CI is cheap, automated, and high-leverage.

Prerequisites:Testing in CI

Three layers to scan

1. Application dependencies (npm, pip, gem packages). 90% of supply-chain risk. 2. Container images (base OS + system packages). Outdated base images are the #1 source of CVEs in container deploys. 3. Source code itself (secrets accidentally committed, insecure patterns). Cover all three; missing any one is the gap an attacker exploits.

Dependency scanning: npm audit + Dependabot

Free, built into GitHub.

tsx
# In CI: fail PR if Critical CVEs found
- run: npm audit --audit-level=critical
# Better: enable Dependabot (Settings > Code security)
# It auto-opens PRs when dependencies have security updates.
# Reviewing + merging Dependabot PRs is one of the highest-leverage habits.
# Alternative: Snyk (more comprehensive; paid)
- uses: snyk/actions/node@master
env: { SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} }
with:
args: --severity-threshold=high

Container image scanning: Trivy

Open-source, fast, free. Runs in CI in seconds.

tsx
- uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
exit-code: '1' # fail the build on Critical / High
ignore-unfixed: true # don't fail on CVEs with no fix yet
- if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
# Results show up in GitHub's Security tab

Secret scanning: truffleHog + GitHub's built-in

Catches committed credentials before they leak publicly.

tsx
# GitHub Settings > Code security > Secret scanning + Push protection: ON
# Free for public repos; included in GitHub Advanced Security for private.
# Detects 200+ token types automatically.
# truffleHog as a belt + suspenders:
- uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: --debug --only-verified

💡 Rotate secrets that have been pushed, even if reverted

Git history is forever. If you accidentally pushed an AWS key, the key is compromised the moment the push hit GitHub. Revert + force-push DOES NOT fix it; the key was logged on GitHub servers and possibly scraped within seconds. Treatment: rotate immediately, audit logs for misuse, document in your incident log. Then learn to use git-secrets / Husky pre-commit hooks.

Common mistakes only experienced engineers avoid

Disabling Dependabot because the PRs are noisy. Tune severity thresholds + assign a rotating reviewer instead. `npm audit` with `--audit-level=low`. Fails on every CVE; team learns to ignore. Start at `critical` and tighten. Failing the build on transitive CVEs you can't fix. `ignore-unfixed: true` is the pragmatic default; track unfixed via Trivy SARIF in GitHub Security. Skipping secret-scanning push protection. The block-at-push behavior catches accidents before they're public. Pinning dependencies forever 'because changes are scary'. The longer you wait, the harder the upgrade. Apply Dependabot PRs weekly.

Quick Check

You accidentally committed an AWS key to a public repo. You revert + force-push within 60 seconds. Is the key safe?

Pick the honest answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Testing in CI
Back to CI/CD Pipelines
Deploy Strategies→