The case for security in your CI/CD pipeline

This blog is part of 12 days of CI/CD, a celebration of all things CI/CD. Click here for more content and stay up to date by following us on Twitter!

This article was written by Hayley Denbraver, a developer advocate from Snyk, a company that helps organizations find and fix vulnerabilities in open source dependencies and container images.

Building a CI/CD pipeline is an excellent way for teams to streamline their work. A pipeline makes it possible to release code more often, run processes automatically, and easily rollback changes in case of a problem. The elements included in the pipeline are at the discretion of the team, but problems arise when security review and policy exists outside of the pipeline.

Security tradeoffs

When security is not included in the pipeline, teams generally take one of two security approaches. The first approach involves trying to force a traditional security review into a workflow that has otherwise been automated and streamlined–effectively clogging the pipeline. The second approach is to ignore security review, perhaps justifying the practice by saying that changes are minimal. The pipeline is intact, but security problems that could otherwise be avoided are introduced into the project. Neither of these approaches are good, and there is a better way with fewer tradeoffs.

Continuous integration, continuous delivery… continuous security?

We can avoid the above conundrum by bringing security into the CI/CD pipeline, allowing us to protect the pipeline and continue to practice security review. There are other benefits to incorporating security into the pipeline, including the, the option to set and enforce security policies automatically, and the ability to scale security practices and to make measurable, incremental security improvements.

Security in the pipeline with Snyk

Snyk makes it easy to find and fix vulnerabilities in your open source dependencies and container images, and we believe that security plays an integral role as part of your CI/CD pipeline. Using Bitbucket Pipes, it’s easy to add security functionality to your CI/CD workflow with a preconfigured Snyk pipe that can be used in a plug-and-play fashion.

Finding, fixing and monitoring open-source vulnerabilities

The Snyk pipe scans your dependencies for open source vulnerabilities as part of the CI/CD workflow. If vulnerabilities are found, the Snyk pipe gates the process according to the configuration set by the user. For example, preventing high severity vulnerabilities from going through the build as seen in the image below:

The Snyk pipe also includes a patch module that can use Snyk’s precision patches to fix the vulnerability. These patches are developed and rigorously tested in collaboration with the package owner, and Snyk backports the original fix to all applicable historical versions, all without introducing code breaks.

Once the test succeeds, the deployed code is monitored by Snyk for new vulnerabilities. When a new relevant vulnerability is discovered, Snyk notifies its users in order to minimize the exposure window. Snyk's vulnerability database is constantly updated with new vulnerabilities to ensure the best coverage for our users.

Securing Docker images

The Snyk pipe can also scan Docker images for operating system vulnerabilities. Snyk scans the base image and the additional layers, detecting vulnerabilities associated with each. Snyk can then offer remediation advice, directing users to the most secure base image alternative, eliminating a large number of vulnerabilities and minimizing the risk of code breakages.

Incorporating security into your workflow with Snyk

Security is an important part of your development process, and it's easier than ever to incorporate good security practices in your CI/CD pipeline using Bitbucket Cloud and Snyk. The Snyk pipe is available here and you can read more about it in our repository. To get it up and running you only need to complete a few easy steps:

  • Get a Snyk account at
  • Retrieve your token here:
  • Add your token to your BitBucket Pipeline as a secured environment variable
  • Add the Snyk Pipe to your `bitbucket-pipelines.yml` file
  • Set all required variable and any optional variables that are important for the project

And that is it! You can find the pipe here and try it for yourself.