# Run Your First Security Pipeline

This tutorial will help you to run your first security pipeline. Before that, we will learn some terminologies.

**🔓 A vulnerability is a weakness in a system or software that can be exploited by attackers to compromise security.**

Let’s get started. Pre-requisites required before running a pipeline:\
How to run your first pipeline: Link\
How to create a provider: Link


Hope you learned how to create a pipeline and run it! Let's go to the next step.

In our task and pipeline catalog, we support many scanning tools such as **Trivy**, **SonarQube**, **Snyk**, and many more. To run a security pipeline, integrate these tasks into your pipeline and run it. How simple is that? I will show how it is done in the next step with a detailed explanation.

SCA (Software Composition Analysis): Identifies and manages open-source and third-party components in software to detect vulnerabilities and ensure compliance.

SAST (Static Application Security Testing): Analyzes source code without executing it to identify vulnerabilities and weaknesses in the early stages of development.

DAST (Dynamic Application Security Testing): Tests running applications for vulnerabilities by simulating attacks from outside the application.

IAC (Infrastructure as Code) Scanning: Reviews infrastructure code to identify security vulnerabilities and compliance issues before deployment.<br>

<figure><img src="/files/ASSMLaQ5ztAhYe2Cy2kF" alt=""><figcaption></figcaption></figure>

In the security dashboard, we have **scans**, which show all vulnerabilities, and **policies** (global level, cluster level, environment level, microservice level) for setting up predefined rules. Don’t worry, we have got your back; let me show you an example.

**For example:** After scanning we get vulnerabilities grouped by severity (critical, high, medium, and low). Let’s say we set the policy for critical vulnerabilities to block. Then, the next time we run the pipeline, if a scanning tool finds **critical vulnerabilities**, the pipeline fails. If instead we allow **all the vulnerabilities**, the pipeline will not fail even when the scanning tools report findings of every severity, because we have allowed them.<br>

<figure><img src="/files/ok9TLd4JgqRNEYtfGBzd" alt=""><figcaption></figcaption></figure>
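To make the policy example concrete, here is an added example (not Ozone's own code) of a policy gate a pipeline task could apply: it tallies findings from a constructed Trivy-style JSON report and fails the pipeline when any severity the policy marks as block has findings. The report contents and the `block`/`allow` policy dictionary are assumptions for illustration.

```python
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample report in Trivy's JSON shape (Results[].Vulnerabilities[]);
# the vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "app/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "examplelib", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "otherlib", "Severity": "LOW"},
    ]},
    {"Target": "image (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libfoo", "Severity": "HIGH"},
    ]},
]})

def count_by_severity(report_json: str) -> dict:
    """Tally findings per severity across every target in the report."""
    counts = {s: 0 for s in SEVERITIES}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be null when clean
            sev = str(vuln.get("Severity", "")).upper()
            if sev in counts:
                counts[sev] += 1
    return counts

def evaluate_policy(counts: dict, policy: dict) -> tuple:
    """policy maps severity -> "block" or "allow"; a severity the policy does not
    mention defaults to "block" so the gate fails closed. Returns (fail, reasons)."""
    reasons = []
    for sev in SEVERITIES:
        if policy.get(sev, "block") == "block" and counts.get(sev, 0) > 0:
            reasons.append(f"{counts[sev]} {sev} finding(s) blocked by policy")
    return bool(reasons), reasons

def gate(report_json: str, policy: dict) -> bool:
    """Pipeline step: returns True when the pipeline should fail."""
    failed, reasons = evaluate_policy(count_by_severity(report_json), policy)
    for reason in reasons:
        print("POLICY:", reason)
    return failed

if __name__ == "__main__":
    block_critical = {"CRITICAL": "block", "HIGH": "allow", "MEDIUM": "allow", "LOW": "allow"}
    allow_all = {s: "allow" for s in SEVERITIES}
    print("block-critical policy fails pipeline:", gate(SAMPLE_REPORT, block_critical))
    print("allow-all policy fails pipeline:", gate(SAMPLE_REPORT, allow_all))
```

With the block-critical policy the gate fails the run because of the one CRITICAL finding; with allow-all it passes, matching the two cases described above.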

Now we have covered all the security-related terminology. Good work so far! Let's move to the next step.<br>

<figure><img src="/files/GsOpmi9RLFnS7jDb0Sba" alt=""><figcaption></figcaption></figure>

As you can see in pipeline templates, there is a pipeline template called **build and deploy with DevSecOps**. If we open it, we can see all categories here, from SAST, SCA, and DAST to IaC, at various stages. How cool is this! You don't even have to create a pipeline; we have covered most of the use cases in our catalog. If you still want to create a pipeline, the scanning tools are available as tasks that you can use.<br>

<figure><img src="/files/vuSLmwXmYd3sIzwnKglz" alt=""><figcaption></figcaption></figure>

Run the above pipeline. That’s it done ✅ great job…👏

<figure><img src="/files/rXY4oGSgEfXiJ4fo285S" alt=""><figcaption></figcaption></figure>

Now click on **build and deploy with DevSecOps**. Check the **Logs**, the **Results** (for SBOMs), and the **Security** section for vulnerabilities.

SBOM, or Software Bill of Materials, is a detailed inventory listing all components used in a software product.

SPDX and CycloneDX are SBOM formats. SPDX is a standard for documenting and exchanging software package metadata, while CycloneDX is a lightweight SBOM specification designed for easy integration into modern CI/CD pipelines.

**LOGS:** In the logs, you can check the vulnerability list as shown below. You can also check whether the code was scanned by **SonarQube**.<br>

<figure><img src="/files/ccDjJWJKIcJY2BS7gRvh" alt=""><figcaption></figcaption></figure>

**RESULTS:** In results, you can check for **SBOM** reports.

<figure><img src="/files/K9IDCaZNOI2AUF5uV1Hs" alt=""><figcaption></figcaption></figure>

**SECURITY:** In security, you can see all information regarding **vulnerabilities**, such as vulnerability ID, severity, package, microservice, etc.<br>

<figure><img src="/files/aFqclcP0ASX8ETWGNjuM" alt=""><figcaption></figcaption></figure>

You can click the vulnerability links to see how to fix it, as shown below.

<figure><img src="/files/oUckcVhnMIQAquJCDUZg" alt=""><figcaption></figcaption></figure>

Wow 🤩, you made it. You not only learned how to run a pipeline with security integration but also learned the core concepts of DevSecOps.

