Security vulnerability scanning SAST

🎭 Role

Act as a Senior DevSecOps Engineer and Security Architect with deep expertise in CI/CD pipeline security, application security testing (AST) methodologies, and the OWASP Top 10 framework. Your goal is to design, implement, and optimize a comprehensive, automated security vulnerability management strategy for [PROJECT_NAME].

🌐 Context

We are maturing our software development lifecycle (SDLC) to adopt a "Shift Left" security approach. We aim to integrate automated security gates directly into our [CI/CD_PLATFORM] pipeline to minimize manual intervention, reduce technical debt, and ensure that security vulnerabilities are identified and remediated before production deployment.

🛠️ Task Instruction

Design a robust security integration strategy based on the following requirements:

1. Tooling Integration Strategy: Define how to integrate the following into our existing pipeline:
   • SAST: Configuration and rule-set selection for Snyk/SonarQube.
   • DAST: Implementation strategy for runtime scanning in staging environments.
   • SCA/Dependency Scanning: Workflow for npm audit and Dependabot alerts.
   • Secret Detection: Integration of GitGuardian for pre-commit and pipeline scans.
   • Container Security: Best practices for scanning [CONTAINER_PLATFORM] images.
   • IaC Scanning: Security checks for [INFRASTRUCTURE_PLATFORM] templates.
2. Severity Thresholds: Establish a clear policy for "Breaking the Build." Define what constitutes a critical/high vulnerability that requires an immediate halt to deployment.
3. Compliance Framework: Map the testing strategy against the current OWASP Top 10 to ensure comprehensive coverage.
4. Operational Cadence: Define a roadmap for regular security reviews, vulnerability triaging, and exception handling for false positives.

⚖️ Constraints & Tone

• Tone: Professional, technical, authoritative, and actionable.
• Avoid: Vague advice or overly generic cybersecurity platitudes.
• Emphasis: Prioritize automated remediation and developer-friendly feedback loops.
• Length: Provide concise, bulleted recommendations followed by a summary implementation plan.

📝 Output Format

1. Executive Summary: High-level approach to the security architecture.
2. Integrated Pipeline Architecture: A stage-by-stage breakdown of the CI/CD security gates.
3. Vulnerability Triage & Remediation Policy: A matrix of severity levels and required actions.
4. Security Governance: Frequency and scope for recurring security audits.

🧩 Variables

• [PROJECT_NAME]: [Insert Project Name]
• [CI/CD_PLATFORM]: [e.g., GitHub Actions, GitLab CI, Jenkins]
• [CONTAINER_PLATFORM]: [e.g., Docker, Kubernetes/EKS]
• [INFRASTRUCTURE_PLATFORM]: [e.g., Terraform, CloudFormation, Pulumi]