Could you please have a look at the pipeline below. I will explore DAST. From the above explanation I assume DAST can't be part of CI/CD.
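jobs:
  build-and-scan:
    name: Build, Scan and Push
    runs-on: ubuntu-latest
    # Least privilege for the default GITHUB_TOKEN. Widen only where an action
    # needs it (if gitleaks PR comments are wanted, add pull-requests: write).
    permissions:
      contents: read
    outputs:
      image_uri: ${{ steps.set-image-uri.outputs.image_uri }}
      quality_gate_status: ${{ steps.quality_gate.outputs.quality-gate-status }}
      sonar_coverage: ${{ steps.sonar_metrics.outputs.coverage }}
      sonar_bugs: ${{ steps.sonar_metrics.outputs.bugs }}
      sonar_vulnerabilities: ${{ steps.sonar_metrics.outputs.vulnerabilities }}
      sonar_smells: ${{ steps.sonar_metrics.outputs.smells }}
      trivy_critical: ${{ steps.trivy_result.outputs.critical }}
      trivy_high: ${{ steps.trivy_result.outputs.high }}
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4
        with:
          # Full history: gitleaks walks every commit and Sonar needs blame data.
          fetch-depth: 0

      # Secret detection runs before `npm ci` so node_modules is never scanned
      # and a committed credential stops the job before anything is built.
      - name: GitLeaks Scanning (Secret Detection)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
        # continue-on-error: true

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      # --legacy-peer-deps bypasses peer-dependency version conflicts.
      - name: Install Dependencies
        run: npm ci --legacy-peer-deps

      # Advisory only: the `|| echo` keeps a failing audit from stopping the job.
      # The second Trivy pass below is the enforcing gate for known CVEs.
      - name: NPM Audit
        run: npm audit --audit-level=high || echo "Vulnerabilities found.."

      # - name: Generate Prisma Client
      #   run: npx prisma generate --schema ./src/prisma/schema.prisma

      - name: Run Tests with Coverage
        run: npm test && npm run test:cov

      - name: Build Application
        run: npm run build

      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

      - name: SonarQube Quality Gate
        id: quality_gate
        uses: SonarSource/sonarqube-quality-gate-action@v1
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # Collects post-analysis metrics for the job summary. Token and host are
      # passed through env rather than interpolated into the script, so they
      # are read from the environment instead of being expanded into the
      # command text.
      - name: Fetch Sonar Metrics
        id: sonar_metrics
        if: always()
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        run: |
          echo " waiting for 20s..."
          sleep 20
          # -f turns HTTP errors into a non-zero exit; on any failure fall back
          # to '{}' so every jq query below still sees valid JSON and yields "0"
          # (previously a failed or empty response left the outputs blank,
          # because jq exits 0 on empty input and the `|| echo 0` never fired).
          METRICS=$(curl -fsS -u "${SONAR_TOKEN}:" \
            "${SONAR_HOST_URL}/api/measures/component?component=${SONAR_PROJECT_KEY}&metricKeys=coverage,bugs,vulnerabilities,code_smells" \
            || echo '{}')  # gitleaks:allow
          # Prints the value of one Sonar metric, or "0" when it is absent.
          metric() {
            echo "$METRICS" | jq -r --arg m "$1" \
              '(.component.measures[]? | select(.metric == $m) | .value) // "0"'
          }
          echo "coverage=$(metric coverage)%" >> "$GITHUB_OUTPUT"
          echo "bugs=$(metric bugs)" >> "$GITHUB_OUTPUT"
          echo "vulnerabilities=$(metric vulnerabilities)" >> "$GITHUB_OUTPUT"
          echo "smells=$(metric code_smells)" >> "$GITHUB_OUTPUT"

      # Long-lived access keys are a standing credential; prefer OIDC with
      # role-to-assume (requires permissions: id-token: write) where possible.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.aws_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.aws_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.aws_REGION }}

      - name: Login to ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      # Single source of truth for the tag and the full image reference; later
      # steps read steps.meta.outputs.image instead of re-assembling it.
      # SHA7 is still exported for any consumer that reads it directly.
      - name: Set Image Tag
        id: meta
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: ${{ env.ECR_REPOSITORY }}
        run: |
          SHA7=$(git rev-parse --short=7 HEAD)
          echo "SHA7=${SHA7}" >> "$GITHUB_OUTPUT"
          echo "image=${REGISTRY}/${REPOSITORY}:${SHA7}" >> "$GITHUB_OUTPUT"

      - name: Build Docker Image
        run: docker build -t "${{ steps.meta.outputs.image }}" .

      # Pass 1 (exit-code 0) records the counts; pass 2 below enforces the gate.
      # Pinned to a release tag: @master is a mutable ref, so the scanner that
      # gates the image could change underneath this job without review.
      - name: Trivy Image Scan (JSON)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.meta.outputs.image }}
          severity: 'CRITICAL,HIGH'
          format: 'json'
          output: 'trivy-results.json'
          exit-code: 0
        # continue-on-error: true

      - name: Parse Trivy Metrics
        id: trivy_result
        if: always()
        run: |
          # Counts findings of one severity; "0" when the report is missing
          # (this step runs via always(), so the scan may not have produced it).
          count() {
            jq --arg s "$1" \
              '[.Results[]?.Vulnerabilities[]? | select(.Severity == $s)] | length' \
              trivy-results.json || echo "0"
          }
          echo "critical=$(count CRITICAL)" >> "$GITHUB_OUTPUT"
          echo "high=$(count HIGH)" >> "$GITHUB_OUTPUT"

      # Enforcing pass: any CRITICAL/HIGH finding fails the job before the push.
      - name: Trivy Image Scan (Logs)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.meta.outputs.image }}
          severity: 'CRITICAL,HIGH'
          format: 'table'
          exit-code: 1
        # continue-on-error: true

      - name: Push Image to ECR
        run: docker push "${{ steps.meta.outputs.image }}"

      - name: Set Image URI
        id: set-image-uri
        run: echo "image_uri=${{ steps.meta.outputs.image }}" >> "$GITHUB_OUTPUT"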