Ensuring security in Continuous Intergration and Deployment Pipelines
Dinh, Thien (2025)
2025
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Julkaisun pysyvä osoite on
https://urn.fi/URN:NBN:fi:amk-2025061122457
https://urn.fi/URN:NBN:fi:amk-2025061122457
Tiivistelmä
This thesis aims to integrate security practices into the Stand-Alone and Continuous Integration Deployment (CI/CD) pipelines automation), to prevent issues such as insecure dependencies, secret leakage, or misconfiguration. The research analyzes literature, frameworks, and builds a secure CI/CD pipeline using tools from AWS and open-source scanners such as SonarQube and OWASP Dependency Check.
The implementation was evaluated on a back-end web application featuring React, Node.js, and MySQL. Security was integrated into the build and deployment phases, as well as defined in this study’s proposed evaluation metrics. The analysis identified over 20 outdated package vulnerabilities, critical issues with hard-coded secrets. The security tools did introduce some performance overhead (~15% drop in efficiency), but not enough to hinder the deployment.
These results suggest that SMEs and smaller teams can effectively implement a DevSecOps approach if proper planning and tools are utilized, as demonstrated in this research. Such a model for the security pipeline enables reusable and scalable structures to be positioned for the protected software delivery in cloud environments.
The implementation was evaluated on a back-end web application featuring React, Node.js, and MySQL. Security was integrated into the build and deployment phases, as well as defined in this study’s proposed evaluation metrics. The analysis identified over 20 outdated package vulnerabilities, critical issues with hard-coded secrets. The security tools did introduce some performance overhead (~15% drop in efficiency), but not enough to hinder the deployment.
These results suggest that SMEs and smaller teams can effectively implement a DevSecOps approach if proper planning and tools are utilized, as demonstrated in this research. Such a model for the security pipeline enables reusable and scalable structures to be positioned for the protected software delivery in cloud environments.