DevSecOps · 10 min · February 27, 2026
Shift-Left Security: Building a Zero-Compromise CI/CD Pipeline With GitHub Actions
How I wired Semgrep, Trivy, OWASP ZAP, and OPA into a single GitHub Actions workflow that blocks PRs on security findings — without slowing down the team.
GitHub Actions · Semgrep · Trivy · OWASP ZAP · CI/CD
## Why Shift Left?
A security finding caught at PR time costs 10× less to fix than one caught in production. The goal: zero additional friction for developers, maximum automatic coverage.
## Pipeline Overview
```yaml
jobs:
  sast:
    name: SAST — Semgrep
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten
  container-scan:
    name: Container — Trivy
    runs-on: ubuntu-latest
    steps:
      # @master is a floating ref; pinning to a release tag or commit SHA
      # keeps the scanner itself out of the supply-chain risk picture.
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository }}:latest
          exit-code: '1'               # fail the job on findings ...
          severity: CRITICAL,HIGH      # ... but only at these severities
  dast:
    name: DAST — OWASP ZAP
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.10.0
        with:
          target: 'https://staging.myapp.com'
```
## Key Lessons
1. **Don't block on MEDIUM** — triage first or you'll get ignored.
2. **Baseline DAST results** — ZAP is noisy; a baseline stops false positives from breaking builds.
3. **Cache Semgrep rules** — shaves 40s off every run.
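A severity gate of the kind lesson 1 describes, as an added example (my code, not the post's workflow or Trivy's): it reads a report in the shape of Trivy's JSON output, fails only on CRITICAL/HIGH findings that are not in a triage register (or whose acceptance has expired), and keeps MEDIUM report-only. The sample report, the CVE-EXAMPLE IDs and the expiry dates are constructed.

```python
"""Severity gate over a Trivy JSON report: block on CRITICAL/HIGH, surface MEDIUM."""
import json
import sys
from datetime import date

BLOCKING = {"CRITICAL", "HIGH"}      # fail the PR
REPORT_ONLY = {"MEDIUM"}             # annotate, never fail (lesson 1)

# Constructed sample in the shape of Trivy's JSON output; IDs are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "ghcr.io/example/app:latest (debian 12)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libqux", "Severity": "LOW"},
    ]}]})

# Triage register: accepted finding -> expiry date, so accepted risk is re-reviewed.
TRIAGED = {"CVE-EXAMPLE-0002": date(2026, 12, 31)}


def gate(report_json, triaged, today):
    """Return (blocking, report_only, expired) lists of vulnerability IDs."""
    blocking, report_only, expired = [], [], []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits no "Vulnerabilities" key (or null) for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            vid, sev = vuln["VulnerabilityID"], vuln["Severity"]
            if sev in BLOCKING:
                expiry = triaged.get(vid)
                if expiry is None:
                    blocking.append(vid)
                elif expiry < today:
                    expired.append(vid)  # acceptance lapsed: blocks again
            elif sev in REPORT_ONLY:
                report_only.append(vid)
    return blocking, report_only, expired


def exit_code(report_json, triaged, today):
    """Non-zero only for untriaged or lapsed CRITICAL/HIGH findings."""
    blocking, _, expired = gate(report_json, triaged, today)
    return 1 if blocking or expired else 0


if __name__ == "__main__":
    b, r, e = gate(SAMPLE_REPORT, TRIAGED, date.today())
    print(f"blocking={b} lapsed={e} report-only={r}")
    sys.exit(exit_code(SAMPLE_REPORT, TRIAGED, date.today()))
```

In the workflow this would run as a step after `trivy-action` with `format: json` and `exit-code: '0'`, so the gate, not the scanner, decides pass/fail; the report-only list is what gets posted to the PR for triage.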