Back to Blog
DevSecOps

How to Integrate Security Scanning into Your CI/CD Pipeline

SecuraProbe TeamDecember 20, 20258 min read

Why Security Scanning in CI/CD?

Integrating security scanning into your CI/CD pipeline is the foundation of DevSecOps. By catching vulnerabilities early in the development cycle, you can:

  • Reduce remediation costs by 90% (fixing in dev vs production)
  • Prevent vulnerable code from reaching production
  • Maintain development velocity without sacrificing security
  • Create security gates that block risky deployments

GitHub Actions Integration

Here's how to add SecuraProbe security scanning to your GitHub Actions workflow:

name: Security Scan

on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      
      - name: Build application
        run: npm run build
      
      - name: Start preview environment
        run: |
          npm run start &
          sleep 30  # Wait for app to start
      
      - name: Run SecuraProbe Scan
        uses: securaprobe/action@v1
        with:
          target: ${{ secrets.PREVIEW_URL }}
          api-key: ${{ secrets.SECURAPROBE_API_KEY }}
          fail-on: high
      
      - name: Upload scan results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: security-report
          path: securaprobe-report.json

Pro Tip: Use environment-specific URLs for preview deployments. Services like Vercel, Netlify, and GitHub Pages provide preview URLs automatically.

GitLab CI Integration

Add security scanning to your .gitlab-ci.yml:

stages:
  - build
  - test
  - security
  - deploy

security_scan:
  stage: security
  image: node:18
  script:
    - npm install -g @securaprobe/cli
    - securaprobe scan \
        --target $CI_PAGES_URL \
        --api-key $SECURAPROBE_API_KEY \
        --fail-on high \
        --format json \
        --output report.json
  artifacts:
    reports:
      security: report.json
    paths:
      - report.json
    expire_in: 1 week
  only:
    - merge_requests
    - main

Jenkins Integration

For Jenkins pipelines, add a security stage:

pipeline {
    agent any
    
    stages {
        stage('Build') {
            steps {
                sh 'npm install'
                sh 'npm run build'
            }
        }
        
        stage('Security Scan') {
            steps {
                sh '''
                    npm install -g @securaprobe/cli
                    securaprobe scan \
                        --target $STAGING_URL \
                        --api-key $SECURAPROBE_API_KEY \
                        --fail-on critical
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'securaprobe-report.json'
                    publishHTML([
                        reportName: 'Security Report',
                        reportDir: '.',
                        reportFiles: 'securaprobe-report.html',
                        keepAll: true
                    ])
                }
            }
        }
        
        stage('Deploy') {
            when {
                not { equals expected: 1, actual: currentBuild.result }
            }
            steps {
                sh 'npm run deploy'
            }
        }
    }
}

Security Gates and Fail Conditions

Configure your pipeline to fail when critical vulnerabilities are found:

Recommended Fail Conditions

  • Critical vulnerabilities: Always fail the build
  • High vulnerabilities: Fail on main branch, warn on feature branches
  • Medium/Low: Report but don't block deployment

Best Practices

Scan Preview Environments

Scan preview/staging environments rather than production. This catches issues before deployment.

Parallel Execution

Run security scans in parallel with other tests to avoid slowing down your pipeline.

Store Results

Archive scan reports as artifacts for compliance and historical tracking.

Notify Teams

Integrate with Slack, Microsoft Teams, or email to notify developers of security findings.

Example: Complete GitHub Actions Workflow

name: CI/CD with Security

on:
  pull_request:
  push:
    branches: [main]

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm ci
      - run: npm test
      - run: npm run build

  security-scan:
    needs: build-and-test
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to preview
        run: |
          # Deploy to preview environment
          npm run deploy:preview
      
      - name: Wait for deployment
        run: sleep 60
      
      - name: Security scan with SecuraProbe
        uses: securaprobe/action@v1
        with:
          target: ${{ secrets.PREVIEW_URL }}
          api-key: ${{ secrets.SECURAPROBE_API_KEY }}
          fail-on: high
          format: json
      
      - name: Comment PR with results
        uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            const fs = require('fs');
            const report = JSON.parse(fs.readFileSync('securaprobe-report.json'));
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## Security Scan Results\n\nFound ${report.vulnerabilities.length} vulnerabilities`
            });

  deploy:
    needs: [build-and-test, security-scan]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to production
        run: npm run deploy:production

Start Scanning in Your CI/CD Pipeline

Integrate SecuraProbe into your GitHub Actions, GitLab CI, or Jenkins pipeline today.

Start Free Trial

🎁 Free 1 token when you sign up with GitHub or Google