CI/CD

CI/CD (Continuous Integration & Continuous Delivery) in security means automating build, test, and security scanning steps, so that security issues are detected early in the development lifecycle. Each code change is frequently and consistently integrated, tested, and security-scanned via a pipeline.

This prevents security vulnerabilities from accumulating and reaching production environments. Thanks to automation, the team receives quick feedback on new code (does the build work, do security tests pass, are there any vulnerabilities?) and ensures that security checks are consistently applied to all code changes.

Starting Points

Key Points

  • Setting up an automated build/test/security scanning pipeline (e.g., via GitHub Actions, GitLab CI) that runs for every push or merge request.
  • A consistent, green security build: you monitor the pipeline results and promptly address any build errors, failing tests, or security findings.
  • Regular delivery of security reports and metrics: for example, periodically sharing vulnerability scan results with the team/stakeholders (continuous security assurance), providing continuous insight into security posture and quality.
  • Integration of multiple security tools in the pipeline, such as SAST (Static Application Security Testing), SCA (Software Composition Analysis), DAST (Dynamic Application Security Testing), and container scanning.
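As an added example (not part of the original page), the following GitHub Actions workflow wires three of the checks listed above into one pipeline that runs on every push and pull request: SAST with CodeQL, SCA with the dependency review action, and container scanning with Trivy. The image name `example-app` and the CodeQL language `python` are placeholders to be adjusted to the project.

```yaml
# Added example workflow (.github/workflows/security.yml), not the page's own code.
# Runs SAST, SCA and container scanning on every push to main and every pull request.
name: security-pipeline

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its SARIF findings to the repository

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python        # placeholder: set to the project's language(s)
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  sca:
    runs-on: ubuntu-latest
    # Dependency review diffs the manifest between base and head, so it only runs on PRs.
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # fail the check when a newly added dependency has high/critical CVEs

  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .   # example-app is a placeholder name
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: example-app:${{ github.sha }}
          severity: CRITICAL,HIGH  # report only the severities the team has agreed to block on
          ignore-unfixed: true     # skip findings with no available fix to keep the signal actionable
          exit-code: '1'           # non-zero exit keeps the build red until the findings are resolved
```

Because each job exits non-zero on a qualifying finding, the pull request shows a red check and cannot be merged under a branch protection rule that requires these jobs, which is what keeps the "green security build" from the key points enforceable rather than advisory.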