CI Architecture
- One standard per language family.
- One runtime image build per commit.
- One image vulnerability scan.
- The same image published to all enabled registries.
- Repository-level configuration, centrally maintained logic.
flowchart TB Caller[Repository caller workflow] --> Lang[React / Node / Python reusable CI] Lang --> Quality[Format, lint, type, unit, coverage] Lang --> SourceSec[Semgrep, Gitleaks, Trivy FS] SourceSec --> DojoSource[DefectDojo reimport] Quality --> Build[Common container build] SourceSec --> Build Build --> ImageScan[Trivy Image] ImageScan --> SBOM[Syft SBOM] ImageScan --> DojoImage[DefectDojo reimport] SBOM --> Handoff[Image artifact or staging registry] Handoff --> ECR[Push ECR] Handoff --> ACR[Push ACR] Handoff --> SPCS[Push Snowflake registry]
PRs run source checks and validate that the runtime image builds and scans. Protected branch pushes publish. CI does not wait for Argo CD or deploy Kubernetes resources.
Ordering
Section titled “Ordering”Fast source checks run before Docker build. Tests and coverage precede SonarQube analysis. The runtime image is scanned before publication. Signing occurs against published digests for branches/tags where signing is required.
DefectDojo receives native security reports after each scan and reimports them into stable scanner Tests; it does not run the scanners or replace their GitHub Actions gates. Upload runs even when a scanner finds blocking issues, so the failed run remains traceable through repository, branch, commit, and workflow-run metadata. DAST and VAPT reports enter DefectDojo only from post-deployment security workflows.