IntermediateLesson 7 of 10

Integration with CI/CD

Integrate GHAS security checks into CI/CD so vulnerable code cannot be merged or deployed unnoticed.

Simple Explanation (ELI5)

CI/CD integration means every code change must pass security checks automatically before it can move forward.

Technical Explanation

Security in CI/CD requires workflow orchestration: scans on PR, policy checks on main, scheduled deep scans, and deployment gates based on severity thresholds. Branch protection enforces compliance.

Visual Section

→

Code + Secret Scan

→

Policy Gate

→

Merge/Block

Hands-on Commands

yaml

name: security-gate
on:
  pull_request:
    branches: ["main"]
jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm audit --audit-level=high

Debugging Scenarios

Gate not blocking merges: Required status checks not mapped correctly.
Fork PR cannot access secrets: Use safe patterns; avoid exposing secrets to untrusted contexts.
Pipeline unstable: Split scan jobs and isolate flaky dependencies.
Security checks bypassed via admin merge: Restrict bypass permissions and audit events.

Real-world Use Case

A CI security gate blocked a high-severity vulnerable dependency in a release PR, preventing deployment of exploitable code to production.

Interview Questions

Beginner

What is a CI/CD security gate?▾

Automated check that must pass before merge/deploy.

Why run scans on PRs?▾

To catch issues before they reach main.

What enforces required checks?▾

Branch protection rules.

Can CI/CD replace secure coding?▾

No, it enforces and verifies but coding practices still matter.

What is least privilege in workflows?▾

Granting minimal token permissions required by each job.

Intermediate

How handle long-running scans?▾

Fast PR scans plus scheduled full scans.

How secure secrets in Actions?▾

Use encrypted secrets and avoid exposing on untrusted events.

How tune policy threshold?▾

Block high/critical in PR, track medium via SLA.

How prevent policy drift across repos?▾

Reusable workflows and org-level governance templates.

How monitor gate effectiveness?▾

Track blocked merges, false positives, and post-merge incidents.

Scenario-based

Critical vulnerability discovered after merge despite CI.▾

Review coverage gaps, add missing rule, and backfill scans.

Team disables gate to hit deadline.▾

Use exception process with approval and time-bound remediation.

Monorepo security checks too expensive.▾

Use path-based workflows and targeted scans per service.

How enforce same controls across 300 repos?▾

Org-level reusable workflows and policy-as-code.

Security scan fails only on default branch.▾

Compare branch-specific workflow conditions and environment settings.

Summary

CI/CD integration is where GHAS becomes enforceable: security findings become merge decisions, not optional reports.

PreviousSecurity Alerts & Fixing ← Back to Course NextReal-world Scenarios