What’s the minimal viable stack if I have to start this week?

PR: Gitleaks (secrets), Semgrep (SAST), Checkov (IaC). Merge to main: Trivy (SCA+image), Syft (SBOM), Cosign (sign). Deploy: Kyverno or Conftest for policy, verify signatures. Nightly: ZAP for DAST. This gets you 80% in under two weeks.

How do I keep PR scans under 90 seconds?

Use path filters to only scan changed code, cache rule downloads, run secrets/SAST/IaC in parallel, and skip markdown/docs. Semgrep baseline + Checkov targeted frameworks usually keeps under 90s on medium repos.

What about false positives?

Baseline first, fail only on new findings, and require waivers with expiry and an owner for any suppression. Track false positive rate and fix rules that cause churn before ratcheting gates.

Do I need both SCA and container image scanning?

Yes. SCA on lockfiles catches app deps; image scanning catches base OS packages and supply chain issues introduced by the build. They overlap but miss different classes of vulns.

How do I prove to compliance that we’re covered?

Show SBOMs attached to each build, signed artifacts, policy enforcement logs (Kyverno/OPA), and MTTR metrics by severity. Map to frameworks (SOC2/ISO) with evidence links from your CI logs and dashboards.

What if we’re on Jenkins with self-hosted runners only?

Pre-warm containers with scanner binaries and CVE DBs, schedule nightly updates, and mirror feeds. Use shared libraries to standardize stages and keep PR scans parallel.

Guides · Oct 22, 2025 · 10 minute read

Your CI/CD Security Wiring Diagram: SAST, SCA, IaC, SBOM, and Signatures Without Killing Throughput

What to scan, where to gate, and how to keep builds fast. Real configs, metrics, and rollout playbooks that won’t blow up your developer experience.

Drew Kouri

Partner Engineer, GitPlumbers

Drew has spent two decades unwinding outages and shipping boring, resilient systems at scale—from monoliths on bare metal to Kubernetes on three continents. He’s led SRE and Platform teams at fintech and B2B SaaS companies, and now helps clients modernize safely.

Security that’s slow will get bypassed. Security that’s fast becomes culture.

Back to all posts

Your CI/CD Security Wiring Diagram: SAST, SCA, IaC, SBOM, and Signatures Without Killing Throughput

Key takeaways

Implementation checklist