Cyber Security

How are you handling Software Supply Chain Security in your CI/CD?

MA Asked by Marcus Thorne · 22-02-2025
0 upvotes 11,154 views 0 comments
The question

With the rise of complex cyber threats, "Shift Left" security is no longer just a buzzword. I'm curious about how everyone is implementing SBOMs (Software Bill of Materials) and automated vulnerability scanning without creating a bottleneck in the release cycle. What are the best DevSecOps tools you've used recently that don't flood you with false positives?

3 answers

0
DI
Answered on 15-05-2025

We’ve moved toward an "Automated Governance" model. Every build in our pipeline automatically generates a CycloneDX SBOM, which is then cross-referenced against real-time threat databases. We use Snyk for container scanning because its reach into dependencies is excellent. To avoid bottlenecks, we only "break the build" for Critical or High vulnerabilities that have a known fix. For everything else, the system creates a Jira ticket for the next sprint. This keeps the velocity high while ensuring we have a clear audit trail of our software provenance.

0
PA
Answered on 10-06-2025

How do you manage the "security fatigue" that sets in when developers are constantly asked to fix minor dependency issues that don't actually pose a real-world risk?

ST 25-06-2025

Patrick, we use reachability analysis tools. If a vulnerability exists in a library but the code never actually calls that specific function, we deprioritize it. This has cut down the "to-do" list for our developers by nearly 40% and drastically improved our relationship with the engineering teams.

0
CY
Answered on 05-07-2025

Security is now part of the definition of "Done." If it's not scanned and verified with an SBOM, it doesn't exist as far as production is concerned.

MA 15-07-2025

That's the right attitude, Cynthia. We actually saw our deployment frequency stay the same after adding these checks because the automation is so seamless now.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session