Tags: concept, Security, Software Engineering, DevOps, Observability

Security Scanning

Systematic detection of vulnerabilities in code, dependencies, and runtime environments using automated and manual testing techniques.

Established
Medium

Classification

  • Medium
  • Technical
  • Architectural
  • Intermediate

Technical context

  • CI/CD systems (e.g., Jenkins, GitHub Actions)
  • Issue trackers (e.g., Jira, GitHub Issues)
  • Container registry and image scanning

Principles & goals

  • Shift-left: perform security checks early in the development process.
  • Automation: integrate and document repeatable scans.
  • Layering: combine SAST, DAST and dependency scans.
Build
Team, Domain

Use cases & scenarios

Trade-offs

Risks of weak integration:

  • Overreliance on tools without human validation.
  • Unaddressed findings lead to a false sense of security posture.
  • Lack of integration creates scattered results and duplicate work.

Recommended practices:

  • Shift-left: run scans in the pull request workflow.
  • Establish a triage process to reduce false positives.
  • Integrate results into central dashboards and ticketing systems.

I/O & resources

Inputs:

  • Source code or artifacts (binaries, container images)
  • Access rights to test or staging environments
  • Dependency lists and build manifests

Outputs:

  • Prioritized vulnerability list with CVSS/severity
  • Reports, tickets and audit evidence
  • Suggested fixes and remediation guides

Description

Security scanning is a systematic approach to automated and manual testing of software and infrastructure for vulnerabilities. It combines static, dynamic and dependency analyses to detect risks early. It is integrated into CI/CD pipelines and operations to prevent regressions and meet compliance requirements.

Benefits:

  • Early identification of vulnerabilities reduces exploit risk.
  • Automated scans scale with CI/CD and minimize manual effort.
  • Supports compliance and evidence for audits.

Limitations:

  • Automated tools produce false positives and require review.
  • Not all attack vectors can be covered automatically.
  • Performance and time costs for extensive DAST suites.

Metrics:

  • Time to Detect

    Average time between introduction of a vulnerability and its detection.

  • Finding rate / scan coverage

    Portion of the codebase or artifacts covered by scans.

  • False positive rate

    Share of reported findings that prove to be non-actionable.

SAST integration with SonarQube

Use of SonarQube for static analysis in the pull request workflow.

DAST with OWASP ZAP against staging

Automated dynamic scans of staging environments with ZAP in CI.

Dependency scanning via Dependabot

Automatic pull requests for outdated or insecure libraries.

Implementation steps:

  1. Analyze existing risks and select appropriate scan types (SAST/DAST/SCA).
  2. Integrate the chosen tools into CI/CD with defined policy and break conditions.
  3. Set up reporting, ticket creation and SLAs for remediation.
  4. Continuous monitoring, tuning of signatures and review processes.

⚠️ Technical debt & bottlenecks

  • Outdated scan rules and signatures need regular updates.
  • Heterogeneous tool landscape without central management creates overhead.
  • No automated remediation pipeline for common findings.

Bottleneck tags: scan-duration, false-positives, integration-effort

Anti-patterns:

  • No review: teams rely solely on tool output.
  • Scans only in production, losing early detection.
  • No prioritization: all findings are treated equally.
  • High false positive rate without a clear triage process.
  • Missing authentication for DAST leads to incomplete results.
  • Overloading CI with long scans without time limits.

Required knowledge:

  • Security analysis and CVE interpretation
  • CI/CD and pipeline automation
  • Fundamentals of SAST, DAST and Software Composition Analysis

Requirements:

  • Compliance requirements (e.g., PCI, GDPR)
  • Fast feedback loop in CI/CD
  • Scalability of scans for microservices environments

Constraints:

  • Network access to staging/prod required for DAST
  • License and privacy requirements for third-party scans
  • Resource limits in pipelines restrict parallel scans