INTEGRATING SOFTWARE CONFIGURATION MANAGEMENT AND SECURITY TOOLS INTO CI/CD PIPELINES: ENHANCING AUTOMATION, TRACEABILITY, AND RELIABILITY

Author: Ravshanbek Zulunov
Publisher: Zenodo
DOI: 10.5281/zenodo.17295638
Source: https://zenodo.org/records/17295638/files/24_911-146-150-Zulunov.pdf
"Al-Farg'oniy avlodlari" electronic scientific journal
ISSN 2181-4252. Vol: 1 | Iss: 3 | 2025
"Descendants of Al-Farghani" electronic scientific journal.
ISSN 2181-4252. Vol: 1 | Iss: 3 | 2025 year
"Потомки Аль-Фаргани" electronic scientific journal
ISSN 2181-4252. Vol: 1 | Iss: 3 | 2025
https://al-fargoniy.uz/
INTEGRATING SOFTWARE CONFIGURATION MANAGEMENT AND SECURITY TOOLS INTO CI/CD PIPELINES: ENHANCING AUTOMATION, TRACEABILITY, AND RELIABILITY
Zulunov Ravshanbek Mamatovich,
Fergana State Technical University, professor
Email: [email protected]
Abstract: This article analyzes the role of Software Configuration Management (SCM) and security tool integration within Continuous Integration/Continuous Deployment (CI/CD) pipelines. It is determined that embedding vulnerability databases and automated security checks into the pipeline significantly improves the reliability and security of software development processes. Key SCM processes—such as change tracking, version control, and auditing—are examined in the context of CI/CD, and their impact on automation, traceability, and cross-team collaboration is substantiated. The study identifies the benefits of integrating tools such as Git, Docker, and Terraform alongside vulnerability databases (e.g., NVD, Snyk, GitHub Security Advisories). Results demonstrate that this approach reduces integration errors, accelerates release cycles, and ensures proactive vulnerability remediation. It is concluded that the combination of SCM and automated security monitoring is indispensable for modern DevOps practices, enabling consistent, secure, and efficient software delivery.
Keywords: CI/CD Pipeline, Vulnerability Database, API Integration, Security Automation, GitHub Security Advisories.
Introduction. Software Configuration Management (SCM) is a crucial phase in software development that enhances the management, organization, and control of changes to various elements, including requirements, code, and teams throughout the software development lifecycle. Continuous improvement is essential, as enhancements and changes in functionality are often integrated into the final product.

Before introducing changes to the system, a thorough analysis must be conducted. These changes should be documented prior to implementation, communicated in detail both before and after, and managed in a manner that enhances quality and minimizes errors to mitigate risks to the entire system. This underscores the necessity of system configuration management, which addresses these complexities and facilitates appropriate software adjustments [1].

Effective change control is vital; without proper oversight, changes can disrupt organized programming efforts. Thus, SCM plays an integral role in engineering project management. Its primary objective is to boost productivity while minimizing errors. SCM also facilitates accountability within teams by tracking who made specific changes, enhancing collaboration [2].
Methods. Integrating security tools into a Continuous Integration/Continuous Deployment (CI/CD) pipeline involves several steps to ensure that security checks are automated and embedded within the development lifecycle. Here's a step-by-step guide:
1. Select Security Tools
Choose security tools that match the specific requirements of your project (e.g., SAST, DAST, IaC scanning) and verify their compatibility with your CI/CD platform.
2. Design the Pipeline Structure
Define the stages in your CI/CD pipeline where security validations should be performed. Typical stages include:
* Code Commit: Run SAST tools immediately after code is committed.
* Build: Perform infrastructure or dependency scans during the build phase.
* Testing: Use DAST tools to evaluate the security of applications in a staging environment.
* Deployment: Carry out final security checks before releasing to production.
3. Configure Security Tools
Adjust the tools with appropriate settings to ensure effective operation:
* Scanning Rules: Tailor scanning rules according to your organization's security policies.
* Authentication: Grant tools access to necessary resources, such as repositories or cloud environments.
* Thresholds: Establish acceptance criteria that determine whether a build passes or fails based on detected vulnerabilities.
4. Embed Tools into the CI/CD Workflow
Integrate the configured security tools into the pipeline so that scans and checks are automatically executed at the defined stages.
- For Jenkins:
  - Use plugins for SAST (e.g., SonarQube Scanner) and DAST (e.g., OWASP ZAP).
  - Add steps in your Jenkinsfile to run security scans at the appropriate stages.
```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package' // Example build command
            }
        }
        stage('SAST') {
            steps {
                script {
                    // Run SAST tool
                    sh 'sonar-scanner'
                }
            }
        }
        stage('DAST') {
            steps {
                script {
                    // Run DAST tool
                    sh 'zap.sh -cmd -quickurl http://yourapp.com'
                }
            }
        }
        // Additional stages...
    }
}
```
- For GitLab CI:
  - Use built-in security scanning features or define jobs in `.gitlab-ci.yml`.
```yaml
stages:
  - build
  - test
  - security

build:
  stage: build
  script:
    - mvn clean package

sast:
  stage: security
  script:
    - sonar-scanner

dast:
  stage: security
  script:
    - zap-cli quick-scan --url http://yourapp.com
```
- For CircleCI:
  - Integrate tools using CircleCI configuration in `.circleci/config.yml`.
```yaml
version: 2.1
jobs:
  build:
    docker:
      - image: circleci/openjdk:8
    steps:
      - checkout
      - run:
          name: Build Project
          command: mvn clean package
      - run:
          name: Run SAST
          command: sonar-scanner
      - run:
          name: Run DAST
          command: zap.sh -cmd -quickurl http://yourapp.com
```
5. Set Up Notifications and Reporting
- Configure notifications for build failures due to security issues (e.g., via email, Slack).
- Generate reports from the tools and publish them as part of the build artifacts for review.
6. Continuous Monitoring and Updates
- Regularly update your security tools to ensure they are using the latest signatures and rules.
- Review and refine the security configurations, thresholds, and integration processes based on feedback and evolving security landscapes.
7. Training and Awareness
- Make sure that all team members are familiar with the security tools and their integration, thereby promoting a security-oriented culture throughout the development workflow.
Results. Incorporating a vulnerability database into the CI/CD pipeline strengthens the ability to detect and address known vulnerabilities within applications and their dependencies. Here's how to effectively integrate a vulnerability database:
1. Choose a Vulnerability Database
- Select a vulnerability database that fits your needs. Popular options include:
  - National Vulnerability Database (NVD)
  - CVE Details
  - Snyk
  - WhiteSource
  - GitHub Security Advisories
2. API Access and Configuration
- Most vulnerability databases provide APIs for querying vulnerabilities. Obtain API keys or access tokens as required.
- Familiarize yourself with the API documentation to understand how to fetch vulnerability data.
3. Integrate API Calls in the CI/CD Pipeline
- Add steps in your CI/CD pipeline to query the vulnerability database for known vulnerabilities based on your project's dependencies.
Example Integration Steps:
For Jenkins:
```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage('Check Vulnerabilities') {
            steps {
                script {
                    // Example command to check for vulnerabilities
                    sh 'curl -H "Authorization: Bearer YOUR_API_KEY" "https://api.vulndb.com/v1/projects/YOUR_PROJECT_ID/vulnerabilities"'
                }
            }
        }
    }
}
```
For GitLab CI:
```yaml
stages:
  - build
  - check_vulnerabilities

build:
  stage: build
  script:
    - mvn clean package

check_vulnerabilities:
  stage: check_vulnerabilities
  script:
    # The whole command is single-quoted: the ": " inside the header would
    # otherwise be read by YAML as a key/value separator.
    - 'curl -H "Authorization: Bearer YOUR_API_KEY" "https://api.vulndb.com/v1/projects/YOUR_PROJECT_ID/vulnerabilities"'
```
For CircleCI:
```yaml
version: 2.1
jobs:
  build:
    docker:
      - image: circleci/openjdk:8
    steps:
      - checkout
      - run:
          name: Build Project
          command: mvn clean package
      - run:
          name: Check for Vulnerabilities
          # Quoted as a whole so the ": " inside the header is not parsed as YAML.
          command: 'curl -H "Authorization: Bearer YOUR_API_KEY" "https://api.vulndb.com/v1/projects/YOUR_PROJECT_ID/vulnerabilities"'
```
4. Analyze and Act on the Data
- Parse the response from the vulnerability database to check for any vulnerabilities relevant to your project's dependencies.
- Set thresholds for failures based on the severity of reported vulnerabilities (e.g., fail the build if critical vulnerabilities are found).
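The threshold rule from step 3 of the Methods section (Thresholds) and the parse-and-fail step here are usually implemented as one small script that the pipeline runs right after the curl query. Below is an added example of such a gate, written for this article and not taken from it or from any vendor SDK: the response layout and field names, the VULN-* identifiers and the VULN_FAIL_ON variable are all constructed for the example and should be adapted to the API actually in use.

```python
"""Severity-threshold gate for a vulnerability-database response.

Added example, not code from the article: the pipeline step fetches the
JSON with curl (as in the article) and this script parses it, applies a
severity threshold, writes a summary report and exits non-zero so the
build fails. The response layout (a top-level "vulnerabilities" list of
records with "id", "package", "version", "severity", "fixed_in") is an
assumption; adapt parse_findings() to the API you actually use.
"""
import json
import os
import sys
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample response, standing in for the real API body.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"id": "VULN-0001", "package": "log-lib", "version": "1.2.0",
     "severity": "critical", "fixed_in": "1.2.1"},
    {"id": "VULN-0002", "package": "http-client", "version": "4.5",
     "severity": "medium", "fixed_in": None},
    {"id": "VULN-0003", "package": "json-parser", "version": "2.0",
     "severity": "HIGH", "fixed_in": "2.1"},          # mixed-case severity
    {"id": "VULN-0004", "package": "util", "version": "0.9",
     "severity": "n/a", "fixed_in": None},            # unrecognised severity
]})


def parse_findings(raw):
    """Normalise the API body into a list of findings.

    Severity is lower-cased; anything outside the known scale becomes
    "unknown" rather than being silently dropped.
    """
    findings = []
    for item in json.loads(raw).get("vulnerabilities", []):
        sev = str(item.get("severity", "")).lower()
        findings.append({
            "id": item.get("id", "?"),
            "package": item.get("package", "?"),
            "version": item.get("version", "?"),
            "severity": sev if sev in SEVERITY_RANK else "unknown",
            "fixed_in": item.get("fixed_in"),
        })
    return findings


def evaluate(findings, fail_on="high", unknown_as="high"):
    """Return (passed, blocking): findings at or above the fail_on threshold.

    A record with an unrecognised severity is ranked as unknown_as, so a
    malformed entry cannot slip past the gate by accident.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for f in findings:
        sev = unknown_as if f["severity"] == "unknown" else f["severity"]
        if SEVERITY_RANK[sev] >= threshold:
            blocking.append(f)
    return len(blocking) == 0, blocking


def summarize(findings, blocking):
    """Plain-text report: severity counts plus one line per blocking finding."""
    counts = Counter(f["severity"] for f in findings)
    lines = ["Vulnerability report",
             "counts: " + ", ".join(f"{k}={counts[k]}" for k in sorted(counts))]
    for f in blocking:
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix published; mitigate or replace"
        lines.append(f"BLOCK {f['id']} {f['package']}@{f['version']} [{f['severity']}] -> {fix}")
    return "\n".join(lines)


def main(argv):
    # Usage in a pipeline step: python vuln_gate.py response.json
    # With no argument the constructed sample is used, for a local dry run.
    raw = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_RESPONSE
    findings = parse_findings(raw)
    passed, blocking = evaluate(findings, fail_on=os.environ.get("VULN_FAIL_ON", "high"))
    report = summarize(findings, blocking)
    with open("vuln-report.txt", "w", encoding="utf-8") as fh:  # kept as a build artifact
        fh.write(report + "\n")
    print(report)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script's exit status is what fails the build, the pipeline step is the query followed by the gate, for instance `curl --fail -sS -H "Authorization: Bearer $VULN_API_TOKEN" "<API URL>" -o response.json && python vuln_gate.py response.json`, with VULN_API_TOKEN injected from the CI platform's secret store (Jenkins credentials, a masked GitLab CI variable, a CircleCI context) rather than written into the pipeline file as a literal, which is what the YOUR_API_KEY placeholder stands for. `--fail` makes a non-2xx response fail the step as well, so an expired token or an API outage cannot be mistaken for a clean scan.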
5. Automate Dependency Management
- Use dependency management tools that can automatically check for updates and patches based on vulnerability reports:
  - Snyk: Integrates with CI/CD pipelines and checks for vulnerabilities in dependencies.
  - Dependabot: Automatically creates pull requests to update dependencies with known vulnerabilities.
6. Generate Reports
- Configure your pipeline to generate reports summarizing vulnerabilities found, their severity, and recommended actions.
- Store these reports as artifacts for future reference and audits.
7. Continuous Monitoring
- Implement ongoing monitoring of dependencies and vulnerability databases. This can include scheduled jobs in your CI/CD pipeline to regularly check for newly reported vulnerabilities.
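A scheduled job that simply re-runs the full query re-reports the same backlog every night; what a team wants from it is the delta. The following added example (written for this article, not taken from it) keeps the previous run's findings as an artifact and reports only new findings, severity escalations and resolved items; the finding layout, file names and VULN-* identifiers are constructed for the example.

```python
"""Report only newly reported vulnerabilities between two scheduled scans.

Added example, not code from the article. A scheduled pipeline job keeps
the previous run's finding list as an artifact; this compares it with the
current run so a nightly job alerts on what changed (new findings and
severity escalations) instead of re-reporting the whole backlog. The
finding layout (id, package, version, severity) is an assumption.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample artifacts: the previous run and the current run.
PREVIOUS = [
    {"id": "VULN-0001", "package": "log-lib", "version": "1.2.0", "severity": "critical"},
    {"id": "VULN-0002", "package": "http-client", "version": "4.5", "severity": "medium"},
    {"id": "VULN-0003", "package": "json-parser", "version": "2.0", "severity": "high"},
]
CURRENT = [
    {"id": "VULN-0002", "package": "http-client", "version": "4.5", "severity": "high"},  # escalated
    {"id": "VULN-0003", "package": "json-parser", "version": "2.0", "severity": "high"},  # unchanged
    {"id": "VULN-0005", "package": "xml-lib", "version": "3.0", "severity": "high"},      # new
]


def finding_key(f):
    """A finding is identified by advisory id plus the affected package version."""
    return (f["id"], f["package"], f["version"])


def diff_findings(previous, current):
    """Classify current findings relative to the previous run."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    new = [cur[k] for k in cur if k not in prev]
    resolved = [prev[k] for k in prev if k not in cur]
    escalated = [cur[k] for k in cur if k in prev
                 and SEVERITY_RANK[cur[k]["severity"]] > SEVERITY_RANK[prev[k]["severity"]]]
    return {"new": new, "resolved": resolved, "escalated": escalated}


def needs_alert(delta, alert_on="high"):
    """True if any new or escalated finding is at or above alert_on."""
    threshold = SEVERITY_RANK[alert_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold
               for f in delta["new"] + delta["escalated"])


def load_artifact(path):
    """Read the previous run's findings (JSON list) from the artifact store."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_artifact(path, findings):
    """Write this run's findings so the next scheduled run can diff against them."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(findings, fh, indent=2)


if __name__ == "__main__":
    # In the scheduled job: previous = load_artifact("findings-prev.json") and
    # current = the parsed output of this run's API query; the constructed
    # sample data stands in for both here.
    delta = diff_findings(PREVIOUS, CURRENT)
    for kind in ("new", "escalated", "resolved"):
        for f in delta[kind]:
            print(f"{kind:9s} {f['id']} {f['package']}@{f['version']} [{f['severity']}]")
    save_artifact("findings-prev.json", CURRENT)  # baseline for the next run
    raise SystemExit(1 if needs_alert(delta) else 0)
```

The non-zero exit is what turns the scheduled job red and triggers the notification channel configured in step 5 of the Methods section; resolved findings are printed for the audit trail but never raise an alert on their own.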
8. Training and Documentation
- Educate your team on how to interpret vulnerability reports and the processes for remediating vulnerabilities.
- Document procedures for handling identified vulnerabilities within the team.
Discussion. Configuration management is vital for managing complex software systems. The absence of effective SCM can lead to significant issues regarding system reliability, uptime, and scalability. Many modern software development tools incorporate SCM functions, highlighting its importance in the development process [3-8].

Integrating security tools into a CI/CD pipeline is essential for maintaining a secure development process. By automating security checks at various stages, teams can identify and address vulnerabilities early, reducing the risk of security incidents in production environments [9-13].

Conclusion. Integrating a vulnerability database into your CI/CD pipeline is essential for maintaining secure software development practices. By automatically checking for known vulnerabilities, your team can proactively address potential security issues, ensuring a more robust and secure application.
References:
1. Securing the Software Supply Chain: Recommended Processes for Developers. CISA, NSA, & ODNI, 2022.
2. 3 Ways to Mitigate Risks Using Private Package Feeds. Microsoft, 2021.
3. R.Zulunov, U.Akhundjanov, B.Soliyev, A.Kayumov, M.Astaev, Kh.Musayev. Building and predicting a neural network in PYTHON. E3S Web of Conferences, 508, 04005 (2024).
4. R.Zulunov. Pythonda neyron tarmoqni qurish va bashorat qilish [Building a neural network and making predictions in Python]. Al-Farg'oniy avlodlari, 2023, 1/4, pp. 22-26.
5. R.Zulunov, Z.Samatova. Bulutli texnologiyalarda kiberxavfsizlik ta'minlashda CASB yechimlari [CASB solutions for ensuring cybersecurity in cloud technologies]. Потомки Аль-Фаргани, 2024, 1(1), pp. 93–98.
6. V.V. Byts', R.M. Zulunov. Specification of matrix algebra problems by reduction. Journal of Mathematical Sciences, Vol. 71, 2719–2726 (1994).
7. Hnatiienko, H., Hnatiienko, V., Zulunov, R., Babenko, T., Myrutenko, L. Method of Determining the Level of Criticality Elements when Ensuring the Functional Stability of the System based on Role Analysis of Elements. CEUR Workshop Proceedings, 2024, 3654, pp. 301–311.
8. R.Zulunov, B.Soliyev, A.Kayumov, M.Astaev, Kh.Musayev, D.Abdurasulova. Detecting mobile objects with AI using edge detection and background subtraction techniques. E3S Web of Conferences, 508, 03004 (2024).
9. R.Zulunov, Z.Samatova. Kiberxavfsizlik muammolari va uni ta'minlash usullari [Cybersecurity problems and methods of ensuring it]. Потомки Аль-Фаргани, 2024, 1(2), pp. 322–326.
10. R.Zulunov, B.Soliev, Z.Ermatova. Enhancing Clarity with Techniques for Recognizing Blurred Objects in Low Quality Images Using Python. Потомки Аль-Фаргани, 2024, 1(2), pp. 336–340.
11. U.Akhundjanov, R.Zulunov, A.Kayumov, X.Goipova, Z.Ermatova, M.Sobirov. Handwritten signature preprocessing for off-line recognition systems. E3S Web Conf., 587 (2024) 03019.