How do I keep false positives from tanking developer trust?

Start with lean rulepacks (e.g., Semgrep `p/ci`), run in soft-fail for 1–2 weeks, and tune. Track false-positive rate and drop rules over 10%. Baseline against `main` so you only gate on new issues.

Is CodeQL worth the runtime hit?

For critical repos, yes. Run lightweight SAST (Semgrep) on PRs and run full CodeQL on a nightly or on `main` merges. Use language packs only where they matter—no need to scan Ruby in a Go service.

Open-source or commercial scanners?

Start open-source (Semgrep, Trivy, Checkov, Gitleaks, Syft). Add commercial (Snyk, Sonar, Prisma) when you need enterprise policies, ticketing depth, or specific compliance reporting.

What about monorepos?

Scope scans to changed paths and use a matrix per language. Generate per-directory SBOMs to avoid 100MB artifacts. Cache per-tool per-language to keep runtime down.

How do I enforce signed images in Kubernetes?

Install Sigstore’s policy-controller or Kyverno. Write a policy that only admits images signed by your key and pinned by digest. Verify `cosign` signatures and reject tag-only images.

Guides · Nov 19, 2025 · 9 minute read

Security Scanning in CI/CD That Engineers Don’t Hate: A Step‑By‑Step Playbook

A pragmatic, battle-tested way to wire SAST, SCA, IaC, container, SBOM, and DAST into your pipeline—without grinding deploys to a halt.

Back to all posts

Security Scanning in CI/CD That Engineers Don’t Hate: A Step‑By‑Step Playbook

Key takeaways

Implementation checklist