We are trying to implement a DevSecOps approach by adding Snyk and SonarQube scans into our Jenkins cloud-based CI/CD pipeline. However, these scans are adding 10-15 minutes to every pull request. Are there ways to run these security checks in parallel or trigger them asynchronously so developers don't have to wait so long for their build results?
3 answers
You should look into the "Pipeline Graph Analysis" plugin to see exactly which security stage is taking the most time and optimize that.
The best way to handle this is by using the parallel directive in your Declarative Pipeline. You can run your unit tests in one branch and your security scans (SAST/SCA) in another. Also, consider using "Incremental Scans" for SonarQube so it only analyzes changed files. For cloud-native environments, make sure your scanning tools are running as lightweight containers on your Jenkins agents. This ensures you aren't bottlenecked by CPU limits on a single node. If the scan is purely for compliance, you could even trigger it as a separate downstream job.
Does your current setup fail the build immediately upon a security vulnerability, or do you allow it to finish and just report the findings?
We currently have a "soft fail" policy for development branches and a "hard fail" for the main branch. James, your question highlights a key strategy: we moved the most intensive scans to a nightly build for the dev branches, while keeping only critical "high-priority" vulnerability checks in the PR pipeline. This reduced the PR feedback loop from 20 minutes down to just 6 minutes, which made the developers much happier while still maintaining a strong security posture.
Great suggestion, Barbara. Visualizing the bottlenecks is the first step toward optimization. I also use the Blue Ocean UI to track these metrics.