CI Pipeline Without Security Scanning
A CI/CD pipeline that only runs tests and linting without any SAST, DAST, dependency scanning, or secret detection means vulnerabilities are only found after deployment -- if they are found at all.
How It Works
Most CI pipelines include steps for building, testing, and linting code, but skip security-specific checks entirely. Without SAST (Static Application Security Testing), vulnerable code patterns like SQL injection or XSS go undetected. Without dependency scanning, known CVEs in third-party packages are not flagged. Without secret detection, API keys and passwords committed to the repository are not caught. Without DAST (Dynamic Application Security Testing), runtime vulnerabilities in deployed applications are missed. By the time these issues are discovered (if ever), they may have been in production for months, affecting real users and data.
```yaml
# BAD: CI pipeline with no security scanning steps
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm run lint
      - run: npm test
      - run: npm run build
      # No SAST, no dependency audit, no secret scanning
      # Vulnerabilities ship to production undetected
```

```yaml
# GOOD: CI pipeline with security scanning gates
name: CI
on: [push, pull_request]
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm run lint
      - run: npm test
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Secret scanning
        # Pin third-party actions to a full commit SHA rather than a mutable tag such as @main
        uses: trufflesecurity/trufflehog@main
      - name: Dependency audit
        # Exits non-zero (failing the job) when any advisory of high or critical severity is found
        run: npm audit --audit-level=high
      - name: SAST scan
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/security-audit
```
Real-World Example
The 2021 Log4Shell vulnerability (CVE-2021-44228) demonstrated the cost of missing dependency scanning in CI. Organizations that had automated dependency scanning in their pipelines were alerted within hours and could patch immediately. Organizations without it spent days or weeks manually auditing which services were affected. Similarly, the ua-parser-js supply chain attack in 2021 went undetected in pipelines that lacked dependency scanning.
How to Prevent It
- Add a SAST step using Semgrep, CodeQL, or SonarQube to detect vulnerable code patterns before they reach production
- Include npm audit, pip-audit, or Snyk to scan dependencies for known CVEs and fail the build on high-severity findings
- Add secret detection with trufflehog or gitleaks to prevent accidental credential commits
- Configure security scanning as a required status check in branch protection so PRs cannot merge with unfixed high-severity findings
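As an added example (not part of the original page or of any product it mentions), a small Python check that flags a GitHub Actions workflow missing any of the three scanning categories discussed above, suitable as a policy gate in its own CI step. The tool-name list in SCANNERS is an assumption to extend for your own toolchain; the sample workflows are constructed from the BAD and GOOD pipelines shown on this page.

```python
import re

# Heuristic tool names per scanning category (an assumption; extend for your toolchain).
SCANNERS = {
    "secret-detection": ("trufflehog", "gitleaks"),
    "dependency-audit": ("npm audit", "pip-audit", "snyk", "dependency-review"),
    "sast": ("semgrep", "codeql", "sonar"),
}
STEP_RE = re.compile(r"^(\s*)-?\s*(?:uses|run):\s*(.*?)\s*$")

# Constructed samples: the page's BAD and GOOD pipelines, trimmed to their steps.
BAD_WORKFLOW = """jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      # No SAST, no dependency audit, no secret scanning
"""
GOOD_WORKFLOW = BAD_WORKFLOW + """  security:
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main
      - run: |
          npm audit --audit-level=high
      - uses: returntocorp/semgrep-action@v1
"""

def workflow_steps(text):
    """Yield the value of every uses:/run: step; block scalars (run: |) are joined."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        i += 1
        if not m:
            continue  # comments, names and other keys are ignored on purpose
        indent, value = len(m.group(1)), m.group(2)
        if value in ("|", ">", "|-", ">-"):  # gather the indented block body
            body = []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i].strip())
                i += 1
            value = " ".join(body)
        yield value.lower()

def missing_scans(text):
    """Return the scanning categories that no step in the workflow provides."""
    steps = list(workflow_steps(text))
    return {cat for cat, tools in SCANNERS.items()
            if not any(tool in step for step in steps for tool in tools)}
```

Only `uses:` and `run:` values are inspected, so a comment that merely mentions a scanner does not count as having one.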
Related Vulnerabilities
- Unpinned GitHub Actions (severity: high): Using GitHub Actions referenced by mutable tags like @main or @v3 instead of full commit SHAs means a compromised or hijacked action can inject malicious code into your CI pipeline without any change to your workflow file.
- GitHub Actions Script Injection (severity: critical): Using untrusted event data like github.event.issue.title directly inside run: blocks allows attackers to inject arbitrary shell commands into your CI pipeline by crafting malicious issue titles, PR bodies, or commit messages.
- Secrets Leaked in CI Logs (severity: high): Printing or echoing environment variables containing secrets in CI scripts exposes them in build logs, which are often accessible to all repository collaborators and sometimes publicly visible on open-source projects.
- Self-Hosted Runner Risks (severity: high): Using self-hosted GitHub Actions runners with pull_request_target or public fork workflows allows untrusted code from external contributors to execute on your infrastructure with access to secrets, persisted state, and the host network.