We are going to advance by adding more feature to our previous project to make it even more realistic Secrets scanning → dependency scanning → fail on high/critical → Dockerize app → container image scanning → send critical findings to your SOC workflow through Shuffle/TheHive
GitHub Actions workflows are YAML files that automate build, test, and security steps in sequence, so we'll keep extending the same pipeline rather than starting over.
git checkout -b advanced-devsecopsNow we are Creating a new branch and switches you into it. Think of a branch like a separate copy/work area for testing new changes.git push -u origin advanced-devsecopsUploads that new branch to GitHub so it is saved there to
git checkout -b advanced-devsecops
git push -u origin advanced-devsecops
Create a test secret file so the pipeline has something to catch during secrets scanning.
A secrets scanner looks for things like:
- API keys
- passwords
- tokens
We first add a fake secret on purpose so later you can clearly see the scanner working.
- right-click secure-cicd-project
- click New File
- name it:
secrets_test.pyThen paste:
API_KEY = "sk-test-1234567890abcdef"
PASSWORD = "admin123"
Now we will add a secrets scanning tool to the pipeline.
Open this file:
.github/workflows/ci.yml
Add this block below the Semgrep step:
- name: Run Gitleaks Scan
uses: gitleaks/gitleaks-action@v2
Now push this change so GitHub runs the new Gitleaks secrets scan.
Why we are doing this: The workflow file changed, so GitHub will not test it until you commit and push.
git add .
git commit -m "Added Gitleaks secrets scanning"
git push
Do this now (in VS Code)Since we are not able to find the advanced-devsecops let's ttroubleshoot by doing below steps
- Open:
.github/workflows/ci.yml- At the top you will see something like:
on:
push:
branches: [ "main" ]- Change it to:
on:
push:
branches: [ "main", "advanced-devsecops" ]
- In the big black editor area on the right, type exactly:
.github/secrets_test.py
print("No test secrets here")Run these in the VS Code terminal, one by one:
git add .github/secrets_test.py
git commit -m "Remove test secret after Gitleaks validation"
git pushNow we will add Dependency vulnerability scanning
Open this file in VS Code:
.github/workflows/ci.ymlAdd this block below the Gitleaks step:
- name: Run pip-audit
run: |
pip install pip-audit
pip-audit
Next step is to add Docker
So why add Docker?
Because it makes the project more advanced and more industry-like.
In simple words:
- Without Docker you are securing the code and app
- With Docker you are also securing the deployment package/container
Before this install docker desktop from the app store
In Vs code save a file name docker in folder secure -CICD-project Click New File
- Name it exactly:
DockerfileStep 2: add the Docker instructions.
Paste this into Dockerfile:
FROM python:3.13-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY app.py .
EXPOSE 5000
CMD ["python", "app.py"]Then save the file.
- Open
requirements.txt - Make sure it contains exactly this one line:
flaskRun this in the VS Code terminal:
docker build --no-cache -t secure-cicd-app .
docker run -p 5000:5000 secure-cicd-app- Open your browser
- Go to:
http://127.0.0.1:5000- Then open:
http://127.0.0.1:5000/login
We now move to container image scanning.
Why: Now that the app is inside a Docker image, we should also scan the image for vulnerabilities.
Meaning in short:
- image scanning = checking the Docker image for insecure packages and known CVEs
Open this file in VS Code:
.github/workflows/ci.ymlAdd this block below the Run pip-audit step:
- name: Build Docker image
run: docker build -t secure-cicd-app .
- name: Scan Docker image with Trivy
uses: aquasecurity/trivy-action@0.35.0
with:
image-ref: secure-cicd-app
format: table
exit-code: 1
ignore-unfixed: true
vuln-type: os,library
severity: HIGH,CRITICAL
git add .github/workflows/ci.yml
git commit -m "Fix Trivy action version"
git pushNow go to GitHub → Actions and open the latest run.
Then:
- Click build-and-test
- Look for these two new steps:
- Build Docker image
- Scan Docker image with Trivy
Then look for these two steps:
- Build Docker image
- Scan Docker image with Trivy
Each layer gets its own SHA-256 fingerprint example:your thumbprint identifies you
- vulnerability scanning is enabled → Trivy is checking for security issues
- secret scanning is enabled → it can also look for secrets
- Detected OS family="debian" version="13.4" → your Docker image is based on Debian 13.4
- [debian] Detecting vulnerabilities → checking OS packages
- [python-pkg] Detecting vulnerabilities → checking Python libraries inside the image
the advanced Secure CI/CD project is basically finished and the pipeline integrates.
we used
- GitHub Actions CI pipeline
- Syntax/code validation
- Semgrep for SAST
- OWASP ZAP for DAST
- Gitleaks for secrets scanning
- pip-audit for dependency vulnerability scanning
- Dockerized Flask app
- Trivy container image scanning
This project shows how DevSecOps controls can be embedded directly into the software delivery process to improve secure development and reduce security risks before deployment.
Benefits
It helps detect:
- insecure code
- exposed secrets
- vulnerable dependencies
- runtime web vulnerabilities
- container image risks
This project made me understand how security is added at each stage of development instead of checking only at the end also to secure the full software delivery lifecycle by embedding automated security checks into a CI/CD pipeline using modern DevSecOps tools.
It helps you understand how real companies automate secure coding checks, vulnerability management, and deployment security inside CI/CD pipelines.
I am still gonna advance it my by integrating with the SOC automation lab project !!(since through project we can also explore ourselves we are capable to do it and everything can be learnt through time and patience)