Build a CI/CD pipeline that ships secure software automatically. Wire secret scanning, SAST, dependency and container scanning, and DAST into a real GitHub Actions pipeline, make them fail the build on the right findings, then harden the pipeline itself with least-privilege tokens, pinned actions, and OIDC.
Before you start
Comfort with CI/CD and containers helps — the GitHub and Docker courses are good prerequisites. Every example is a real GitHub Actions job you can drop into a repo.
Shift Left: The Secure Pipeline
DevSecOps is DevOps with security automated into every stage instead of bolted on at the end. See the anatomy of a secure pipeline, where each check belongs, and the one rule that makes it work: fast feedback.
Stop Secrets at the Door
Leaked credentials are one of the most common breach causes. Block them before they ever reach history with pre-commit hooks, then backstop with a CI scan and a plan for the secret that slips through.
SAST: Find Bugs in the Code
Static Application Security Testing reads your source for vulnerable patterns — injection, weak crypto, dangerous sinks — without running it. Wire Semgrep into CI, upload findings to code scanning, and tune the noise.
Scan Dependencies & Images
Most of your code is other people's code. Scan third-party dependencies (SCA) and container images for known CVEs on every build, fail on fixable highs, and keep the noise down with policy.
DAST: Attack the Running App
Dynamic Application Security Testing attacks a deployed app from the outside like a real attacker — finding auth, header, and injection issues SAST cannot see. Run an automated OWASP ZAP baseline scan against staging in CI.
Gates & Hardening the Pipeline
Assemble the stages into one enforced gate, then secure the pipeline itself — least-privilege tokens, pinned actions, and OIDC instead of long-lived cloud keys. The CI/CD system is now your highest-value target.