Is security testing integrated into CI/CD (SAST, dependency scanning, IaC scanning, secret scanning)?
Demonstrate that automated security scanning for application code vulnerabilities, dependency risks, infrastructure misconfigurations, and exposed secrets is consistently executed within the CI/CD pipeline before deployment to production.
Description
What this control does
This control ensures that automated security scanning tools are embedded within the Continuous Integration/Continuous Deployment (CI/CD) pipeline to detect vulnerabilities before code reaches production. Static Application Security Testing (SAST) analyzes source code for security flaws, dependency scanning identifies vulnerable third-party libraries, Infrastructure as Code (IaC) scanning detects misconfigurations in cloud and infrastructure templates, and secret scanning prevents hardcoded credentials from being committed. These scans execute automatically on code commits, pull requests, or builds, providing rapid feedback to developers and blocking deployments that fail security thresholds.
Control objective
What auditing this proves
Demonstrate that automated security scanning for application code vulnerabilities, dependency risks, infrastructure misconfigurations, and exposed secrets is consistently executed within the CI/CD pipeline before deployment to production.
Associated risks
Risks this control addresses
- Deployment of applications containing known code-level vulnerabilities such as SQL injection, cross-site scripting, or insecure deserialization that attackers can exploit
- Introduction of third-party libraries with publicly disclosed CVEs that provide attackers with pre-existing exploit paths
- Provisioning of cloud infrastructure with excessive permissions, exposed storage buckets, or unencrypted databases due to IaC template misconfigurations
- Hardcoded API keys, database passwords, or cloud credentials committed to source control that attackers can harvest from repositories or build artifacts
- Accumulation of technical security debt as vulnerabilities are introduced faster than manual security reviews can identify them
- Regulatory non-compliance due to insufficient security validation prior to production deployment
- Supply chain compromise through malicious packages or typosquatting attacks in dependency trees that bypass manual review
Testing procedure
How an auditor verifies this control
- Obtain documentation of the CI/CD pipeline architecture identifying build platforms, source code repositories, and deployment workflows in scope
- Review CI/CD pipeline configuration files (e.g., .gitlab-ci.yml, Jenkinsfile, GitHub Actions workflows, Azure Pipelines YAML) to identify security scanning stages and tool integrations
- Verify that SAST tools are configured to execute on each code commit or pull request, and inspect rulesets or policies applied to the scans
- Verify that dependency scanning tools analyze manifest files (package.json, requirements.txt, pom.xml, go.mod) and compare against vulnerability databases (NVD, OSV, GitHub Advisory Database)
- Verify that IaC scanning tools evaluate cloud templates (Terraform, CloudFormation, ARM, Kubernetes manifests) against security benchmarks and configuration standards
- Verify that secret scanning tools inspect commits, branches, and pull requests for patterns matching API keys, private keys, tokens, and credentials
- Select three recent builds or deployments and trace build logs to confirm all four scanning types executed successfully and results were recorded
- Review pipeline failure logs or merge request blocks where security scans detected issues exceeding defined thresholds, and confirm deployments were prevented or required manual override with documented approval
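The checks in the testing procedure above (all four scan types present, triggered on commits or pull requests, able to fail the build, and gating the deployment) can be scripted against a pipeline definition. The following Python script is an added example and is not part of the control text or of any pipeline referenced by it. It assumes a GitHub Actions workflow that has already been parsed from YAML into a dict (the shape `yaml.safe_load()` returns); both workflows below are constructed, and the table mapping scanner actions to the control's four categories is this example's own assumption, to be extended for the tools a given pipeline uses.

```python
# Audit a parsed CI/CD workflow for the four scan types this control requires.
# Added example: the workflows are constructed GitHub Actions definitions written
# as the dicts yaml.safe_load() would return (runs-on keys omitted for brevity).
from __future__ import annotations

import copy

# Map scanner actions to the control's four categories. The action names are real
# public GitHub Actions; which ones count for each category is this example's
# assumption, so extend the table for the tools your pipeline actually runs.
SCANNER_CATEGORIES = {
    "github/codeql-action/analyze": "sast",
    "aquasecurity/trivy-action": "dependency",
    "bridgecrewio/checkov-action": "iac",
    "gitleaks/gitleaks-action": "secrets",
}
REQUIRED = {"sast", "dependency", "iac", "secrets"}
GATING_EVENTS = {"push", "pull_request"}


def action_name(uses: str) -> str:
    """Strip the @ref suffix: 'owner/repo/path@v3' -> 'owner/repo/path'."""
    return uses.split("@", 1)[0]


def triggers(workflow: dict) -> set[str]:
    """Return the event names a workflow runs on (PyYAML parses a bare `on:` key as True)."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on)  # list of events, or dict keyed by event name


def audit_workflow(workflow: dict, deploy_job: str | None = None) -> list[str]:
    """Return findings against the control; an empty list means every check passed."""
    findings: list[str] = []
    if not triggers(workflow) & GATING_EVENTS:
        findings.append("workflow is not triggered by push or pull_request")

    covered: set[str] = set()
    scan_jobs: list[str] = []
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            category = SCANNER_CATEGORIES.get(action_name(step.get("uses", "")))
            if category is None:
                continue
            covered.add(category)
            if job_name not in scan_jobs:
                scan_jobs.append(job_name)
            # A scan whose failure cannot fail the job cannot block a deployment.
            if step.get("continue-on-error") is True:
                findings.append(f"{category} scan in job '{job_name}' has continue-on-error: true")
            inputs = step.get("with") or {}
            if str(inputs.get("exit-code", "")) == "0" or str(inputs.get("soft_fail", "")).lower() == "true":
                findings.append(f"{category} scan in job '{job_name}' is configured not to fail the build")

    for missing in sorted(REQUIRED - covered):
        findings.append(f"no {missing} scanning step found")

    # The deploy job must wait for every scan job; otherwise scans run but do not gate.
    if deploy_job is not None:
        needs = workflow.get("jobs", {}).get(deploy_job, {}).get("needs", [])
        needs = [needs] if isinstance(needs, str) else needs
        for job_name in scan_jobs:
            if job_name not in needs:
                findings.append(f"deploy job '{deploy_job}' does not depend on scan job '{job_name}'")
    return findings


# Constructed workflow that satisfies the control: four scan jobs, gating deploy.
COMPLIANT_WORKFLOW = {
    "name": "ci",
    "on": {"push": {"branches": ["main"]}, "pull_request": {}},
    "jobs": {
        "sast": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "github/codeql-action/init@v3", "with": {"languages": "python"}},
            {"uses": "github/codeql-action/analyze@v3"},
        ]},
        "deps": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "aquasecurity/trivy-action@0.28.0",
             "with": {"scan-type": "fs", "severity": "CRITICAL,HIGH", "exit-code": "1"}},
        ]},
        "iac": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "bridgecrewio/checkov-action@v12", "with": {"directory": "infra/"}},
        ]},
        "secrets": {"steps": [
            {"uses": "actions/checkout@v4", "with": {"fetch-depth": 0}},
            {"uses": "gitleaks/gitleaks-action@v2"},
        ]},
        "deploy": {"needs": ["sast", "deps", "iac", "secrets"], "steps": [{"run": "./deploy.sh"}]},
    },
}

# The same pipeline with gaps an auditor should catch: SAST cannot fail its job,
# Trivy exits 0 on findings, secret scanning is absent, and deploy skips the IaC job.
WEAK_WORKFLOW = copy.deepcopy(COMPLIANT_WORKFLOW)
WEAK_WORKFLOW["jobs"]["sast"]["steps"][2]["continue-on-error"] = True
WEAK_WORKFLOW["jobs"]["deps"]["steps"][1]["with"]["exit-code"] = "0"
del WEAK_WORKFLOW["jobs"]["secrets"]
WEAK_WORKFLOW["jobs"]["deploy"]["needs"] = ["sast", "deps"]

if __name__ == "__main__":
    for label, wf in (("compliant", COMPLIANT_WORKFLOW), ("weak", WEAK_WORKFLOW)):
        print(label, audit_workflow(wf, deploy_job="deploy") or ["no findings"])
```

The script reads the configuration, not the build logs, so it covers the configuration-review steps of the procedure; tracing recent builds to confirm the scans actually executed and that failing scans stopped the deployment still requires the log and merge-request evidence the last two steps call for.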