API security scanning in CI/CD
Embed static checks, policy gates, and fast feedback in every pipeline run.
Published: February 3, 2026 • Author: APISAST
Why shift-left pipelines win
GitHub and GitLab both report that teams that block insecure changes pre-merge cut incident rates by double digits. Static API checks run in seconds and remove toil from AppSec teams by giving developers precise remediation hints.
Add an API security SAST job to pull requests and enforce severity thresholds. When a rule fails, link to the runbook steps from inside the job log.
Example GitHub Actions workflow
name: api-security
on: [pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npx apisast scan openapi.yaml --fail-on high
      - uses: actions/upload-artifact@v4
        # without always() this step is skipped when the scan fails, which is exactly when the report is needed
        if: always()
        with:
          name: api-report
          path: report.html

Reuse the same pattern in GitLab CI, Jenkins, or CircleCI. Keep runtime DAST jobs on a schedule, and fail the deployment if critical issues appear.
Policy gates and exceptions
Treat policies as code. Store rule sets in the repo, require approvals for overrides, and auto-expire exceptions after a sprint. This keeps security posture transparent and auditable.
For sensitive services, add a deploy-blocking stage that reruns the API SAST scan on the exact artifact that will ship.
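The severity threshold from the workflow above and the policy-as-code rules in this section (approved overrides, exceptions that expire after a sprint) can be enforced by one small gate script that runs after the scanner. The following is an added example, not code from this post or from the apisast tool: the policy layout, the finding fields and the file names are assumptions, and the policy and findings are constructed samples standing in for a committed policy.json and the scanner's JSON report.

```python
"""Policy-as-code gate for API SAST findings (added example; assumed formats)."""
from datetime import date, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy, as it might be committed to the repo as policy.json.
POLICY = {
    "fail_on": "high",          # block the merge at this severity or above
    "max_exception_days": 14,   # one sprint; older waivers are ignored, not honoured
    "exceptions": [
        {"rule": "auth-missing", "path": "/health", "approved_by": "appsec-lead",
         "approved_on": "2026-01-20", "reason": "unauthenticated probe endpoint"},
        {"rule": "rate-limit-missing", "path": "/login", "approved_by": "appsec-lead",
         "approved_on": "2025-12-01", "reason": "legacy client; tracked in a ticket"},
        {"rule": "verbose-errors", "path": "/orders", "approved_by": "",
         "approved_on": "2026-02-01", "reason": "override without a recorded approval"},
    ],
}

# Constructed findings, shaped like a scanner's JSON report.
FINDINGS = [
    {"rule": "auth-missing", "path": "/health", "severity": "high"},
    {"rule": "rate-limit-missing", "path": "/login", "severity": "high"},
    {"rule": "verbose-errors", "path": "/orders", "severity": "high"},
    {"rule": "pii-in-query", "path": "/users", "severity": "critical"},
    {"rule": "missing-schema", "path": "/orders", "severity": "low"},
]


def active_exceptions(policy, today):
    """Split waivers into valid ones and rejected ones; the rejection reason is kept for the audit log."""
    max_age = timedelta(days=policy["max_exception_days"])
    active, rejected = [], []
    for exc in policy["exceptions"]:
        approved_on = date.fromisoformat(exc["approved_on"])
        if not exc.get("approved_by"):
            rejected.append((exc, "no approver recorded"))
        elif today - approved_on > max_age:
            rejected.append((exc, f"expired on {approved_on + max_age}"))
        else:
            active.append(exc)
    return active, rejected


def evaluate(findings, policy, today_iso):
    """Apply the severity threshold, then subtract valid waivers; returns the gate verdict."""
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[policy["fail_on"]]
    active, rejected = active_exceptions(policy, today)
    waived = {(e["rule"], e["path"]) for e in active}
    blocking, suppressed = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below the gate: still in the report, just not blocking
        (suppressed if (f["rule"], f["path"]) in waived else blocking).append(f)
    return {
        "passed": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "rejected_exceptions": rejected,
    }


def main():
    # In CI pass date.today().isoformat(); a fixed date keeps this sample reproducible.
    verdict = evaluate(FINDINGS, POLICY, "2026-02-03")
    for exc, why in verdict["rejected_exceptions"]:
        print(f"ignored waiver for {exc['rule']} {exc['path']}: {why}")
    for f in verdict["blocking"]:
        print(f"BLOCK {f['severity']:<8} {f['rule']} {f['path']}")
    print("gate:", "pass" if verdict["passed"] else "fail")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as the step after the scan so a non-zero exit fails the job. Rejected waivers are never silently dropped: they are printed with the reason, which is what an auditor later needs when tracing who approved what.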
Monitoring and feedback
Publish dashboards showing pass rates, mean time to remediate, and most-flaky rules. Notify teams in chat when a new issue is introduced. Keep logs searchable so auditors can trace who approved a waiver.
When runtime tools detect abuse (e.g., bot spikes), open an issue that links back to the spec and static findings so developers can patch both contract and code.
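The dashboard metrics named above (pass rate, mean time to remediate, most-flaky rules) all come from the same per-run, per-rule results that CI already produces. The following is an added example, not from this post or from any particular scanner: the run-log record shape is an assumption, and the log itself is a constructed sample. It treats a rule as flaky when it both passed and failed on the same commit, and counts a remediation only when a rule first passes on a later, different commit.

```python
"""Pipeline health metrics from per-rule scan results (added example; assumed log shape)."""
from collections import defaultdict
from datetime import datetime

# Constructed run log: one record per (pipeline run, rule) outcome, oldest first.
RUN_LOG = [
    {"run": 1, "commit": "a1", "rule": "auth-missing", "status": "fail", "at": "2026-02-02T09:00:00"},
    {"run": 1, "commit": "a1", "rule": "pii-in-query", "status": "pass", "at": "2026-02-02T09:00:00"},
    {"run": 2, "commit": "a1", "rule": "auth-missing", "status": "pass", "at": "2026-02-02T09:30:00"},
    {"run": 2, "commit": "a1", "rule": "pii-in-query", "status": "pass", "at": "2026-02-02T09:30:00"},
    {"run": 3, "commit": "b2", "rule": "auth-missing", "status": "fail", "at": "2026-02-02T10:00:00"},
    {"run": 3, "commit": "b2", "rule": "pii-in-query", "status": "fail", "at": "2026-02-02T10:00:00"},
    {"run": 4, "commit": "c3", "rule": "auth-missing", "status": "pass", "at": "2026-02-02T12:00:00"},
    {"run": 4, "commit": "c3", "rule": "pii-in-query", "status": "fail", "at": "2026-02-02T12:00:00"},
    {"run": 5, "commit": "d4", "rule": "auth-missing", "status": "pass", "at": "2026-02-02T16:00:00"},
    {"run": 5, "commit": "d4", "rule": "pii-in-query", "status": "pass", "at": "2026-02-02T16:00:00"},
]


def pass_rate(log):
    """Share of pipeline runs in which no rule failed."""
    failed = {r["run"] for r in log if r["status"] == "fail"}
    runs = {r["run"] for r in log}
    return 1 - len(failed) / len(runs)


def flaky_rules(log):
    """Rules that both passed and failed on the same commit: the code did not change, the verdict did."""
    seen = defaultdict(set)
    for r in log:
        seen[(r["rule"], r["commit"])].add(r["status"])
    return sorted({rule for (rule, _), statuses in seen.items() if len(statuses) == 2})


def mean_hours_to_remediate(log):
    """Average hours from a rule's first failure to its first pass on a later, different commit.

    A pass on the same commit is a rerun, not a fix, so it is ignored here; that keeps
    flaky rules from looking like fast remediations.
    """
    first_fail = {}   # rule -> (time of first failure, commit it failed on)
    fixed_hours = []
    for r in sorted(log, key=lambda r: r["at"]):
        at = datetime.fromisoformat(r["at"])
        rule = r["rule"]
        if r["status"] == "fail":
            first_fail.setdefault(rule, (at, r["commit"]))
        elif rule in first_fail and r["commit"] != first_fail[rule][1]:
            fixed_hours.append((at - first_fail.pop(rule)[0]).total_seconds() / 3600)
    return sum(fixed_hours) / len(fixed_hours) if fixed_hours else None


def summary(log):
    """The three numbers a dashboard panel would show for this log."""
    return {
        "pass_rate": pass_rate(log),
        "mean_hours_to_remediate": mean_hours_to_remediate(log),
        "flaky_rules": flaky_rules(log),
    }


if __name__ == "__main__":
    for key, value in summary(RUN_LOG).items():
        print(f"{key}: {value}")
```

The same records answer the audit question in the text: because every record carries the commit and the run, a waiver or a fix can be traced back to the change that introduced it.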