Skip to content

Fortify Your Code:A Robust AppSec Pipeline for Every Organisation


The increasing frequency and severity of cyber attacks have made application security (appsec) a top priority for businesses worldwide. Appsec pipelines, which are automated workflows that scan code for security vulnerabilities, have emerged as a critical tool in addressing this challenge. In this blog post, I will walk you through a simple appsec pipeline I have built using GitHub Actions, a popular automation tool.

Pipeline Overview:

The appsec pipeline consists of four stages, each of which performs a specific security check:

  1. Dependency Scanning: In this stage, we use the DepScan Action to scan for known vulnerabilities in the application’s dependencies. This action is configured to scan the package.json file and report any high or medium severity vulnerabilities.
  2. Image Scanning: The Trivy Action is used in this stage to scan the Docker image used by the application. The scan is performed using the file system scan method and includes all files in the current directory.
  3. Code Scanning: In this stage, we use the Super-Linter Action to perform code analysis and detect potential issues. This action uses multiple linters and checks for common issues such as syntax errors, code formatting issues, and security vulnerabilities. We set the validation level to high and critical to ensure that only high-priority issues are reported.
  4. Nuclei Scanning: In the final stage, we use the Nuclei Action to scan the application for known vulnerabilities and security issues. This action is configured to use the cves/ templates directory and report on high and critical severity vulnerabilities.
name: Security Scan

      - master

    runs-on: ubuntu-latest
      - name: Checkout code
        uses: actions/checkout@v2

      - name: DepScan Scan
        uses: AppThreat/dep-scan-action@master
          target-file-path: "${{ github.workspace }}/package.json"
          severities: "high,medium"

      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
          scan-type: 'fs'
          scan-ref: '.'
      - name: Super-Linter
        uses: github/super-linter@main
          commit_sha: ${{ github.sha }}
          log_level: warn # or error
          validation_level: high,critical
          VALIDATE_ALL_CODEBASE: false
          DEFAULT_BRANCH: ${{ github.head_ref || github.ref }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
          target: ${{ github.repository }}
          templates: cves/
          severity: high,critical
          output-format: json || true
          verbose: true || true

Pipeline Configuration:

The pipeline is triggered automatically whenever a code change is pushed to the master branch. Each stage runs in sequence, with the results of one stage passed as input to the next stage.

The output of each stage is saved to an output file, which is used to generate a detailed report on the pipeline’s performance. We can use this report to track issues and prioritize fixes based on their severity.


Building an appsec pipeline can be challenging, but it is an essential step in ensuring the security and reliability of your applications. In this blog post, we have demonstrated a simple pipeline that can be used as a starting point for building a more comprehensive pipeline. By implementing automated security checks into your development process, you can identify and fix vulnerabilities early on, reducing the risk of a security breach and improving your application’s overall security posture.