Integrating Security into CI/CD Pipelines: A DevSecOps Approach with SAST, DAST, and SCA Tools

Continuous Integration and Continuous Deployment (CI/CD), which was rapidly adopted by the software development industry, turned into a fast-paced process, causing new insecurity to be generated. This paper explains how we support the implementation of such DevSecOps by SDI (merging security in SD) with CI/CD process by combining SDI instruments of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) instruments. In this manner, security measures maintain equal development speed during development, while vulnerabilities are detected before their respective development stage ends. This research contributes scientific evidence with production use cases to demonstrate the usefulness of SAST, DAST, and SCA technologies in strengthening the effectiveness of CI/CD pipeline security. These tools are deployed so that the application can expose the security risks before the deployment dates, thereby ensuring that the application promotes security standards across the development teams. Security is embedded into core development procedures through DevSecOps, which performs security at each development stage rather than at the end. Risk reduction, trust levels, and compliance standards are augmented in the transition, and these are most critical in sectors that process sensitive information, such as retail and e-commerce. According to research data, security protection must be present before it comes to the market so that methods of protection can be implemented according to industry standards and meet the requirements of protecting digital systems from new cyber threats and vulnerabilities in a dynamically changing digital environment.