DevSecOps Pipeline Hardening: SAST, SCA, and Secret Scanning for Australian SMBs

---

The numbers from 2025–2026 are sobering. The Shai-Hulud worm self-propagated across 500+ npm packages, stealing cloud credentials from every CI/CD runner it touched [1]. The Chalk/Debug compromise — 27 packages, 2.6 billion weekly downloads — took just 16 minutes from phishing to malicious publish [2]. In March 2026, TeamPCP compromised Trivy itself, the very tool teams use to scan for vulnerabilities, and used stolen OIDC tokens to publish poisoned releases to Docker Hub, GHCR, and ECR simultaneously [3]. If attack vectors now include the security tools you depend on, pipeline hardening is not optional — it is your last line of defence before malicious code reaches production.

Layer 1: SAST — Catch What Humans Miss

Static Application Security Testing scans your source code for vulnerable patterns before it ever runs. Two tools dominate the open-source space:​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌‌​‌‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌‌​​​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌​​‌‍​‌‌‌​​​​‍​‌‌​​‌​‌‍​‌‌​‌‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​‌​​​‍​‌‌​​​​‌‍​‌‌‌​​‌​‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌​‌‌‌​‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌‌‌

Semgrep is the pragmatic choice for SMBs. It runs in seconds, supports 30+ languages, and has community rule p

acks maintained by security researchers. The OWASP Top 10 ruleset ships out of the box.

# .github/workflows/sast.yml
name: SAST Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep scan
        run: |
          semgrep ci \
            --config "p/default" \
            --config "p/owasp-top-ten" \
            --config "p/secrets" \
            --sarif --output semgrep.sarif || true
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

CodeQL (GitHub-native) provides deeper analysis but requires compilation for compiled languages. For JavaScript, TypeScript, and Python shops, Semgrep covers 80% of the threat surface with 10% of the setup effort.

Mode selection: Run SAST in advisory-only (|| true) for the first fortnight. Developers need time to triage without blocked merges. After false positives are tuned, switch to fail-the-build on severity: ERROR findings only — warnings remain advisory.

Layer 2: SCA — Know What You Are Pulling In

Software Composition Analysis scans your dependency tree for known vulnerabilities. The TeamPCP campaign proved why this matters: compromised packages carry the same name, same version range, and same trust relationship as legitimate ones — only hash-based verification catches them.

Trivy is the Swiss Army knife here. It scans container images, filesystems, git repositories, and lock files. Despite being compromised itself in March 2026 (v0.69.4), the patched v0.69.5+ release remains the most comprehensive free scanner available.

# .github/workflows/sca.yml
name: Dependency Scan
on:
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1'  # Weekly rescan for new CVEs

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scanners: vuln,misconfig,secret
          severity: CRITICAL,HIGH
          exit-code: 1
          format: sarif
          output: trivy-results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

OSV-Scanner (Google's open-source tool) pairs well with Trivy for language-ecosystem coverage. It queries the Open Source Vulnerabilities database directly and catches transitive dependency issues Trivy may miss.

Pinning strategy: For SCA, fail-the-build on CRITICAL is reasonable from day one. A critical CVE in a direct dependency is a showstopper. Set HIGH vulnerabilities to advisory mode and review weekly — many are disputed or unexploitable in your context. The weekly cron rescans stale branches for newly-disclosed CVEs on dependencies you already approved.

Layer 3: Secret Scanning — Stop Credentials in Commits

The TanStack compromise (May 2026) exploited OIDC tokens extracted from CI runner memory — but the far more common vector is developers accidentally committing .env files, API keys, or hardcoded credentials [1]. Once a secret hits a public repository, it is compromised within minutes — automated scrapers index GitHub continuously.

Gitleaks is fast, configurable, and catches 150+ credential patterns out of the box.

# .github/workflows/secret-scan.yml
name: Secret Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for diff scanning
      - name: Gitleaks scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
          GITLEAKS_ENABLE_COMMENTS: false

GitHub secret scanning (free for public repos, GitHub Advanced Security for private) adds a second layer — it scans pushed commits retroactively and revokes detected tokens automatically when integrated with supported providers (AWS, GCP, GitHub PATs).

Mode selection: Secret scanning should always fail the build. A false positive here means adjusting a .gitleaks.toml allowlist — never weakening the rule. Rotate any detected credential immediately, even if the commit was to a private repository.

SLSA Level 1: Quick Wins This Week

SLSA (Supply-chain Levels for Software Artifacts) provides a maturity framework. Level 1 requires no infrastructure changes — only process discipline:

1. Build scripts are checked into version control. No manual npm publish from developer laptops — every release flows through the CI pipeline defined in .github/workflows/.
2. Provenance is generated. Enable the SLSA-GENERATOR GitHub Action. It produces a signed attestation proving your build output came from a specific commit, builder, and source repository.
3. Dependencies are pinned. Replace "axios": "^1.7.0" with "axios": "1.7.9" in package.json. Lock files should be committed and verified.
4. Hermetic builds. Disable network access during build steps unless explicitly needed. This prevents a compromised dependency from phoning home during npm install.

# Quick SLSA generator add-on
- name: Generate provenance
  uses: slsa-framework/slsa-github-generator/.github/workflows/
       generator_generic_slsa3.yml@v2.0.0
  with:
    base64-subjects: "${{ needs.build.outputs.hashes }}"

FAQ

Conclusion

The 2025–2026 supply chain attack wave proved that any dependency can turn hostile within hours. Your pipeline is the choke point — the one place where automated checks can inspect code, dependencies, and credentials before any of it reaches production. Start with Semgrep on advisory mode, Trivy failing only on critical CVEs, and Gitleaks failing always. Tune the thresholds over two weeks, then progressively harden. Layer in SLSA provenance generation once the basics are stable.

Security is our religion, privacy is our drive. Visit consult.lil.business for a free cybersecurity assessment tailored to your SMB's pipeline and risk profile.

References

1. Software Supply Chain Attacks 2025–2026: Axios, Shai-Hulud, Chalk — Cyber Army Tech
2. Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised — Wiz
3. TanStack npm Packages Hit by Mini Shai-Hulud — Snyk
4. SLSA Supply-chain Levels for Software Artifacts — slsa.dev
5. Australian Cyber Security Centre: Essential Eight Maturity Model