Security scanning belongs inside the CI/CD pipeline, not bolted on quarterly. The key is matching scan depth to pipeline stage: fast static and dependency checks at pull request time, a thorough dynamic scan against staging after merge, and an automated severity-based gate before production. Done right, scanning speeds releases up by preventing emergency incident response.
- Fixing a vulnerability in production is estimated to cost 6 to 15 times more than fixing it during development
- Pipeline scanners must be API-first, fast, and return live results; cached data cannot tell you whether this specific build is safe
- Clear severity thresholds keep releases moving: critical and high findings block, medium and low generate tickets
The tension between development velocity and security rigor is one of the defining challenges of modern software engineering. Teams ship multiple times per day. Security reviews that take days or weeks are incompatible with this pace. The result, in too many organizations, is that security becomes an afterthought: a quarterly scan, an annual pentest, a box to check before a major release.
This approach fails. Vulnerabilities that reach production are exponentially more expensive to fix than those caught during development. The solution is not to slow down releases. It is to make security scanning part of the release process itself.
Why does traditional security scanning fail in CI/CD?
Most vulnerability scanners were designed for periodic assessments, not continuous integration. They have characteristics that make them poor fits for automated pipelines:
- Long scan times: Full vulnerability scans can take hours. No team will accept a two-hour gate in their deployment pipeline.
- Noisy results: High false positive rates mean developers spend time investigating non-issues, eroding trust in the scanning process.
- No API integration: Many scanners are designed around web dashboards, not programmatic access. They cannot be triggered by a CI job or return results in a machine-readable format.
- Cached results: Scanners that serve cached data are useless in a pipeline context, and cached vulnerability data carries risks well beyond the pipeline. You need to know whether this specific build, right now, has vulnerabilities.
How do you design a security-integrated pipeline?
The key principle is to match the depth of scanning to the stage of the pipeline. Not every check needs to be comprehensive. Speed matters in some stages. Thoroughness matters in others.
Stage 1: Pre-commit and pull request checks
At this stage, run fast, focused checks:
- Static analysis for common vulnerability patterns (SQL injection, XSS, command injection)
- Dependency vulnerability checks against known CVE databases
- Secret detection to prevent API keys and credentials from being committed
These checks should complete in seconds to low minutes. They catch the most obvious issues before code is merged.
Stage 2: Post-merge staging scan
After code is merged to the main branch and deployed to a staging environment, run a more thorough scan against the running application:
- Dynamic application security testing (DAST) against the staging URL
- Technology fingerprinting and CVE mapping
- SSL/TLS configuration verification
- Security header validation
This is where an API-driven scanner with live, non-cached results becomes essential. You need to scan the actual deployed application, not a cached representation of a previous version. If you are new to dynamic scanning, this walkthrough of how to scan a website for vulnerabilities covers what a modern scan should include.
Stage 3: Pre-production gate
Before promoting to production, evaluate the cumulative security findings:
- Are there any critical or high-severity findings from the staging scan?
- Have all dependency vulnerabilities been addressed or acknowledged?
- Is the SSL/TLS configuration production-ready?
- Are security headers properly configured?
This gate should be automated: pass/fail based on predefined severity thresholds. Critical findings block deployment. Low-severity findings generate tickets but do not block.
Which checks belong at each pipeline stage?
The full picture looks like this:
| Pipeline stage | What to check | Gate behavior |
|---|---|---|
| Pre-commit / pull request | Static analysis, dependency CVE checks, secret detection | Completes in seconds to low minutes; blocks merge on clear hits |
| Post-merge staging | DAST against the staging URL, technology fingerprinting with CVE mapping, SSL/TLS verification, security headers | Thorough live scan; findings feed the release gate |
| Pre-production gate | Cumulative findings evaluated against severity thresholds | Automated pass/fail; critical and high block deployment |
| Production | Scheduled rescans and continuous monitoring for new CVEs and configuration drift | Alerts and tickets, no deployment gate |
How do you make it work in practice?
Use API-first scanning tools
Your scanner must have a robust API that can be called from CI/CD tools like GitHub Actions, GitLab CI, or Jenkins. It should accept a target URL, initiate a scan, and return results in JSON format that your pipeline can parse.
OnScanner was designed as an API-first scanning engine. Its REST API and client libraries (Python and JavaScript) integrate directly into CI/CD workflows, and every scan runs live against your target rather than serving cached results. Trigger a scan, get live results, and make automated pass/fail decisions without ever opening a dashboard.
Define clear severity thresholds
Not every finding should block a deployment. Define clear policies:
- Critical: Block deployment. Fix immediately.
- High: Block deployment. Fix before next release.
- Medium: Create ticket. Fix within sprint.
- Low: Create ticket. Fix when convenient.
Document these thresholds and get buy-in from both security and engineering leadership. Ambiguity creates friction.
Minimize false positives
Nothing kills developer trust in security scanning faster than false positives. When developers learn that most scanner findings are noise, they stop paying attention to any findings, including the real ones.
Choose tools with low false positive rates. Validate critical findings with human review. And provide clear feedback loops so developers can flag false positives and improve the scanning configuration over time.
Keep manual testing in the program
Pipeline scanning does not replace human testing; it changes what human testing is for. Automated gates catch regressions and known vulnerability classes on every build, which frees a periodic manual penetration test to focus on business logic flaws, chained attack paths, and the creative abuse cases no automated check will find. The two layers are complementary, not interchangeable.
What is the business case?
The cost of fixing a vulnerability in production is estimated at 6 to 15 times the cost of fixing it during development. Beyond direct remediation costs, production vulnerabilities carry risks of data breaches, regulatory fines, and reputational damage.
Integrating security into your pipeline is not adding overhead. It is preventing the most expensive kind of security work: emergency incident response.
Security scanning in CI/CD is not about slowing down. It is about moving fast with confidence.
Frequently asked questions
Will security scanning slow down my deployment pipeline?
Not if you match scan depth to pipeline stage. Pull request checks should finish in seconds to low minutes, while thorough dynamic scans run against staging after merge, off the critical path. The pre-production gate then evaluates results that already exist rather than launching new scans. Teams that structure scanning this way ship at the same cadence with far fewer emergency fixes.
Should every vulnerability finding block a deployment?
No. Blocking on everything guarantees developers will route around the gate. Define severity thresholds up front: critical and high findings block deployment, medium findings become tickets fixed within the sprint, and low findings become tickets fixed when convenient. Document the policy, get engineering and security leadership to agree on it, and apply it automatically so no release needs a judgment call.
Does CI/CD scanning replace penetration testing?
No, they solve different problems. Automated pipeline scanning catches known vulnerability classes and regressions on every single build, something no human team can do. Manual penetration testing finds business logic flaws, chained attack paths, and novel abuse cases that automation misses. A mature program runs both: continuous scanning in the pipeline and periodic expert-led testing against the live application.
Comments
0 discussionsNo comments yet. Be the first to share your thoughts.