Automated Security Scanning
Quick Reference
What & Why
Definition
100% of builds run SAST (code scan) and SCA (dependency scan) with >= HIGH severity blocking merge.
Business Value
Reduces manual build time from 2 hours to 10 minutes and enables 3-5x more frequent integration testing through automated pipeline execution. Achieving 100% of builds scanned, with HIGH+ findings blocking merge, is a key milestone toward this goal.
Context
This capability is part of the Foundation milestone's focus on establishing baseline practices (testable, releasable, monitorable). Essential for teams targeting deployment frequency (DF) and lead time (LT) improvements.
Success Criteria
Target
100% builds scanned, HIGH+ blocks merge
Measurement
Build failure rate due to security issues
Evidence
- Scanner config (Semgrep, Trivy)
- Security gate policy
- Vulnerability remediation metrics
In Practice
Real-World Implementation
The CI pipeline runs Semgrep for code issues and Trivy for dependency CVEs. HIGH or CRITICAL findings fail the build and must be fixed before merge.
Concrete Example
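As an added example (not code from this page, nor from Semgrep or Trivy themselves), a merge gate that reads the JSON reports both scanners emit and returns a non-zero exit code when any HIGH or CRITICAL finding is present. The mapping of Semgrep's ERROR/WARNING/INFO levels onto HIGH/MEDIUM/LOW is an assumption of this gate, and the sample reports are constructed.

```python
import json
import sys

# Produce the inputs in CI with, for example:
#   trivy fs --format json --output trivy.json .
#   semgrep --config auto --json --output semgrep.json
# then run: python gate.py trivy.json semgrep.json

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}  # the page's "HIGH+ blocks merge" policy

# Semgrep reports ERROR/WARNING/INFO, not CVSS-style levels; this mapping is an
# assumption made by this gate, not something Semgrep defines.
SEMGREP_TO_LEVEL = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}


def trivy_blocking(report: dict) -> list:
    """Return blocking findings from a Trivy JSON report (Results[].Vulnerabilities[])."""
    found = []
    for result in report.get("Results", []):
        # Trivy omits or nulls the key when a target has no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity", "").upper() in BLOCKING_SEVERITIES:
                found.append(f"trivy:{v['VulnerabilityID']}:{v['PkgName']}")
    return found


def semgrep_blocking(report: dict) -> list:
    """Return blocking findings from a Semgrep JSON report (results[].extra.severity)."""
    found = []
    for r in report.get("results", []):
        raw = r.get("extra", {}).get("severity", "").upper()
        if SEMGREP_TO_LEVEL.get(raw, "LOW") in BLOCKING_SEVERITIES:
            found.append(f"semgrep:{r['check_id']}:{r['path']}")
    return found


def gate(trivy_report: dict, semgrep_report: dict) -> tuple:
    """Return (exit_code, findings): 1 blocks the merge, 0 lets it through."""
    findings = trivy_blocking(trivy_report) + semgrep_blocking(semgrep_report)
    return (1 if findings else 0), findings


# Constructed sample reports: shapes follow the tools' output, IDs are placeholders.
SAMPLE_TRIVY = {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib", "Severity": "LOW"}]}]}
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.example-rule", "path": "app/db.py", "extra": {"severity": "ERROR"}},
    {"check_id": "python.lang.best-practice.example", "path": "app/util.py", "extra": {"severity": "WARNING"}}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as t, open(sys.argv[2]) as s:
            code, findings = gate(json.load(t), json.load(s))
    else:
        code, findings = gate(SAMPLE_TRIVY, SAMPLE_SEMGREP)
    print("\n".join(findings) or "no blocking findings")
    sys.exit(code)  # non-zero exit fails the CI job and therefore blocks merge
```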
Implementation Guide
Prerequisites
Implementation Steps
Track the measurement defined above: build failure rate due to security issues.
For detailed step-by-step guidance, refer to the CI/CD & Build Automation Implementation Kit.
Troubleshooting & FAQs
Common Issues
Issue: Target metric not improving
Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness
Issue: Team resistance to adoption
Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition
Issue: Inconsistent implementation across teams
Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards
Frequently Asked Questions
Can we implement this before completing prerequisites?
While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.
How long does implementation typically take?
Most capabilities can be implemented within 90 days when tackled as part of the Foundation milestone. Individual timelines vary based on team size and existing practices.