Cloud Technology

How to integrate security scanning into Jenkins cloud pipelines without slowing down builds?

CH Asked by Christopher Taylor · 10-11-2024
0 upvotes 12,129 views 0 comments
The question

We are trying to implement a DevSecOps approach by adding Snyk and SonarQube scans into our Jenkins cloud-based CI/CD pipeline. However, these scans are adding 10-15 minutes to every pull request. Are there ways to run these security checks in parallel or trigger them asynchronously so developers don't have to wait so long for their build results?

3 answers

0
BA
Answered on 11-11-2024

You should look into the "Pipeline Graph Analysis" plugin to see exactly which security stage is taking the most time and optimize that.

PA 13-11-2024

Great suggestion, Barbara. Visualizing the bottlenecks is the first step toward optimization. I also use the Blue Ocean UI to track these metrics.

0
PA
Answered on 12-11-2024

The best way to handle this is by using the parallel directive in your Declarative Pipeline. You can run your unit tests in one branch and your security scans (SAST/SCA) in another. Also, consider using "Incremental Scans" for SonarQube so it only analyzes changed files. For cloud-native environments, make sure your scanning tools are running as lightweight containers on your Jenkins agents. This ensures you aren't bottlenecked by CPU limits on a single node. If the scan is purely for compliance, you could even trigger it as a separate downstream job.

0
JA
Answered on 14-11-2024

Does your current setup fail the build immediately upon a security vulnerability, or do you allow it to finish and just report the findings?

CH 15-11-2024

We currently have a "soft fail" policy for development branches and a "hard fail" for the main branch. James, your question highlights a key strategy: we moved the most intensive scans to a nightly build for the dev branches, while keeping only critical "high-priority" vulnerability checks in the PR pipeline. This reduced the PR feedback loop from 20 minutes down to just 6 minutes, which made the developers much happier while still maintaining a strong security posture.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session