DevSecOps Pipeline Security

By CyberUF Team • July 2025 • Estimated read: 8 min

1. Static Analysis (SAST)

SAST tools analyze code before it runs to detect vulnerabilities early.


name: CodeQL SAST
on: [push]
# Least privilege for GITHUB_TOKEN: CodeQL needs security-events: write to upload results;
# with read-only default workflow permissions the analyze step fails without this.
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2

2. Dynamic Analysis (DAST)

DAST checks your running application for runtime vulnerabilities.


zap-cli start
zap-cli open-url http://localhost:3000
zap-cli quick-scan http://localhost:3000
zap-cli report -o report.html -f html

3. Secrets Scanning

Scan commits for secrets using tools like Gitleaks.


gitleaks detect --source . --report-format json --report-path secrets.json

4. Container Image Security

Scan Docker images for known vulnerabilities using Trivy, and fail the build when severe issues are found.


# --exit-code 1 makes the pipeline step fail when HIGH or CRITICAL findings exist
trivy image --severity HIGH,CRITICAL --exit-code 1 node:16
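The secrets scan and the image scan above only help if the pipeline acts on their reports. The gate below consumes a Gitleaks JSON report (the secrets.json produced in section 3) and Trivy JSON output (trivy image -f json), redacts any matched secret before logging it, honours a fingerprint allowlist the way .gitleaksignore does, and fails on fixable HIGH/CRITICAL vulnerabilities. It is an added example, not code from the original post; the report field names follow the two tools' JSON formats, and both sample reports are constructed inline.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of a Gitleaks JSON report (stands in for secrets.json above).
GITLEAKS_SAMPLE = json.dumps([
    {"RuleID": "aws-access-key-id", "File": "config/prod.env", "StartLine": 3,
     "Secret": "AKIAEXAMPLEEXAMPLE12", "Commit": "abc123", "Fingerprint": "abc123:config/prod.env:aws-access-key-id:3"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures.py", "StartLine": 10,
     "Secret": "test-not-a-real-key", "Commit": "def456", "Fingerprint": "def456:tests/fixtures.py:generic-api-key:10"},
])

# Constructed sample of Trivy JSON output (trivy image -f json node:16); CVE ids are placeholders.
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "node:16 (debian 11.7)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "Severity": "CRITICAL", "FixedVersion": "1.1.1n-0+deb11u5"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6", "Severity": "LOW", "FixedVersion": ""},
]}]})

def redact(secret):
    """Keep only a short prefix so CI logs never echo the full credential."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"

def gitleaks_blocking(report_json, allowlist=()):
    """Return redacted findings whose fingerprint is not allowlisted (same idea as .gitleaksignore)."""
    findings = json.loads(report_json) or []
    return [f"{f['RuleID']} in {f['File']}:{f['StartLine']} ({redact(f['Secret'])})"
            for f in findings if f["Fingerprint"] not in allowlist]

def trivy_blocking(report_json, threshold="HIGH", fixed_only=True):
    """Return vulnerabilities at or above the severity threshold; optionally skip ones with no fix yet."""
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v["Severity"], 0) < SEVERITY_RANK[threshold]:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue
            blocking.append(f"{v['VulnerabilityID']} {v['PkgName']} ({v['Severity']})")
    return blocking

def gate(gitleaks_json, trivy_json, allowlist=()):
    """Exit status for the pipeline step: 0 passes, 1 fails the build."""
    problems = gitleaks_blocking(gitleaks_json, allowlist) + trivy_blocking(trivy_json)
    for p in problems:
        print("BLOCK:", p)
    return 1 if problems else 0

if __name__ == "__main__":
    raise SystemExit(gate(GITLEAKS_SAMPLE, TRIVY_SAMPLE, allowlist={"def456:tests/fixtures.py:generic-api-key:10"}))
```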

5. SBOM Generation

Generate a Software Bill of Materials (SBOM) for your image using Syft, so you have an inventory of every component to match against future vulnerability disclosures.


syft your-app-image:latest -o json > sbom.json
