Security Scanning Overview¶
Four scanners run automatically in every CWIQ pipeline. This page explains what each one does, when it runs, and which ones can block a pipeline.
CWIQ pipelines include layered security scanning that covers secrets, misconfigurations, code vulnerabilities, and container image CVEs. Results flow into two downstream systems: SonarQube for unified code-level analysis and DefectDojo for centralised vulnerability tracking.
Pipeline Flow¶
The diagram below shows how each scanner fits into the pipeline and where its output is consumed.
flowchart TD
subgraph "validate stage (all branches)"
SEM[Semgrep SAST<br/>Code patterns + vulnerabilities]
TRIVY_FS[Trivy FS Scan<br/>Secrets blocking + misconfig SARIF]
end
subgraph "scan stage (main only)"
SQ[SonarQube<br/>Aggregates all findings]
TRIVY_IMG[Trivy Image Scan<br/>Docker image CVEs]
DD[DefectDojo Import<br/>Centralised vulnerability tracking]
end
SEM -->|SARIF| SQ
TRIVY_FS -->|SARIF| SQ
TRIVY_IMG -->|JSON| DD
The validate stage jobs run on every branch — including feature branches — so developers see results before merging. The scan stage jobs run only after a successful build on main.
Blocking vs Non-Blocking¶
The Trivy secrets scan is the only blocking security scan
If Trivy detects hardcoded secrets (API keys, passwords, tokens) anywhere in your repository, the pipeline fails immediately at the validate stage. All subsequent jobs — including build and deploy — are skipped. Remove the secret and retrieve it from Vault instead. See Vault JWT Auth for the correct pattern.
| Scanner | Stage | Branches | Blocking | Output |
|---|---|---|---|---|
| Trivy FS (secrets) | validate | All | YES — exit code 1 | Pipeline fails if secrets found |
| Trivy FS (misconfig) | validate | All | No | SARIF + JSON artifacts |
| Semgrep | validate | All | No | SARIF + JSON artifacts |
| SonarQube | scan | main only | No (allow_failure: true) |
SonarQube dashboard |
| Trivy Image | scan | main only | No (allow_failure: true) |
JSON artifact |
| DefectDojo Import | scan | main only | No (allow_failure: true) |
DefectDojo dashboard |
The non-blocking scanners use allow_failure: true at the job level, which means a finding does not stop the deployment. They are advisory — you are expected to address findings over time. SonarQube quality gate enforcement is being rolled out incrementally as the first enforcement mechanism.
Per-Scanner Summary¶
| Scanner | What It Catches | Docs |
|---|---|---|
| Trivy FS | Hardcoded secrets, Dockerfile misconfigurations, IaC misconfigurations | Trivy |
| Trivy Image | Known CVEs in OS packages and language dependencies inside the built Docker image | Trivy |
| Semgrep | Language-specific security patterns, OWASP Top 10, hardcoded credentials | Semgrep SAST |
| SonarQube | Aggregates Semgrep + Trivy SARIF, plus its own bug and vulnerability engine | SonarQube Setup |
| DefectDojo | Receives Trivy image scan results; tracks CVE trends over time across all services | DefectDojo Import |
Related Documentation¶
- Trivy — FS scan, image scan, and how to include both in your pipeline
- Semgrep SAST — Rulesets, output format, and pipeline inclusion
- DefectDojo Import — Product setup, engagement naming, and API authentication
- SonarQube Setup — How Semgrep and Trivy results flow into SonarQube
- Vault JWT Auth — How CI jobs authenticate with Vault to retrieve scanner credentials