Teach on Udemy

Turn what you know into an opportunity and reach millions around the world.

Learn More

Your cart is empty.

Keep shopping

DevSecOps using GitHub Actions: Secure CICD with GitHub

Name: DevSecOps using GitHub Actions: Secure CICD with GitHub
Rating: 4.4 (1172 reviews)

Build Secure DevOps Pipelines with GitHub Actions and integrate SAST, DAST, SCA security tools in the Pipeline

Role Play

Created byA Security Guru, Raghu The Security Expert

Last updated 3/2026

English

What you'll learn

Understand basics of DevSecOps and learn about various tools used in DevSecOps
Learn basics of GitHub Actions and write yaml files in GitHub Actions
Integrate security tools in GitHub Actions Pipeline and execute SAST/DAST/SCA scans
Implement robustness in GitHub Actions
End to End Case study on Java Project where we implement DevSecOps Pipeline with GitHub Actions
Learn using a Git repository from Git bash
Learn CI/CD pipeline creation
Learn various tools used for DevSecOps
Learn SonarCloud
Learn Snyk
Learn OWASP ZAP
Learn Yaml
Learn to create DevSecOps Engineer CV
Learn to implement DevSecOps for NodeJS application
Learn to implement DevSecOps for .Net application

Course content

9 sections • 60 lectures • 4h 47m total length

Introduction and Course Agenda3:03
Discover devsecops with GitHub actions, learn the course agenda, career paths, and how devsecops works, then explore tools, basics of GitHub actions, and a sample end-to-end pipeline.
About the course1:18

Basics of GitHub Actions - Part 15:02
This video will explain the components of GitHub Actions and its basics. It also explains what are we going to learn in upcoming lectures with GitHub Actions
Basics of GitHub Actions - Part 23:11
Students will learn about various sections in a GitHub Actions Workflow YAML file.
Hands On Prerequisite: Install Visual Studio Code as an Editor on Windows2:45
Hands On Prerequisite: Install Git Bash on Windows5:16
Notes on Git Commands0:52
Hands On Prerequisite: Connect Git Bash with GitHub Account(2 Methods Explained)10:12
connect git bash with github to push local changes to a remote repo using two login methods: token only or username with token, and manage credentials in windows credential manager.
Hands On: Create a simple GitHub Actions yaml file - Part 12:50
For writing our first GitHub Actions workflow file, we will create a repo, then clone it on our local system and create folder structure as per GitHub Actions
Hands On: Create a simple GitHub Actions yaml file - Part 25:40
In this second part of GitHub Actions workflow file creation, we will now write the YAML code required for GitHub Actions workflow file
Hands On: Create a simple GitHub Actions yaml file - Part 33:41
In this third part of GitHub Actions workflow file creation, we will now push our YAML code to our GitHub repo and run our first GitHub Action and review the results.
What is Snyk and its benefits?2:04
Create Snyk Account for running SCA scan2:27
Create a free Snyk account to run software composition analysis (SCA) scans that identify security issues in third-party libraries like Log4J, using GitHub signup for quick access.
Hands On: Integrate Snyk in GitHub Actions (SCA scan)6:24
This lecture will help you to integrate Snyk in CI/CD pipeline using GitHub Actions. This lecture also helps to learn adding error handling in CI/CD pipeline using GitHub Actions

Snyk is a very powerful SAAS tool used to perform SAST, SCA and DAST. We will use Snyk to perform SCA scan.
What is OWASP ZAP and its benefits?1:45
Discover OWASP ZAP, the open source web application security scanner and Zed attack proxy, and learn how it scans web apps and APIs to identify security issues used in enterprises.
Note: Check Lecture 21 if you face any issue in lecture 200:04
Hands On: Integrate OWASP ZAP in GitHub Actions (DAST scan)7:55
This lecture will help you to run a Baseline scan and a Full scan of OWASP ZAP using GitHub Actions.

OWASP ZAP is a DAST tool used to run DAST scans on Web applications and API.
Very Important: Debug Issues with OWASP ZAP scan1:09
What is SonarCloud and its benefits?1:43
Create a SonarCloud Account for running Sonar Analysis on Source Code(SAST scan)1:58
Create a SonarCloud account by signing in with GitHub, access the SonarCloud dashboard, and prepare to run source code analysis (SAST) in subsequent projects.
Hands On: Integrate SonarCloud in GitHub Actions (SAST scan)7:49
This lecture will help you to integrate SonarCloud in CI/CD pipeline using GitHub Actions.

SonarCloud is a SAST/CodeQuality tool used to run SAST scans on source code.
Very Important: Notes on Populating Code Coverage on SonarCloud or SonarQube1:01
Knowledge Check
Security Engineer 1:1 discussion with Security Manager

Case Study: Understanding Project Requirements before workflow implementation4:03
Case Study Hands On: Pre-requisites for running End to End DevSecOps Pipeline4:27
Prepare an end-to-end DevSecOps pipeline by configuring GitHub Actions with required SonarCloud and Snyk tokens, adding repository secrets, and reviewing the case study repository before running the workflow.
Case Study Hands On: Workflow file creation and DevSecOps Pipeline execution10:48
This lecture helps to create a workflow file within GitHub Actions. This workflow file will represent the End To End DevSecOps pipeline for a Java Project within GitHub Actions. Then we will execute the pipeline on GitHub Server. Important Point: This is a Parallel Pipeline and all steps of the pipeline will execute in parallel. For Sequential pipeline, please see the Sequential pipeline lecture in this section.
Case Study Hands On: Review DevSecOps Pipeline Results - SonarCloud (SAST scan)4:41
This lecture helps to understand the artifacts created by SonarCloud after running SAST scan in GitHub Actions. Once we understand and review the artifacts/reports for SAST scan, we will learn to perform FPA process as a Security/DevSecOps Engineer.
Case Study Hands On: Review DevSecOps Pipeline Results - Snyk (SCA scan)3:51
This lecture helps to understand the artifacts created by Snyk after running SCA scan in GitHub Actions. Once we understand and review the artifacts/reports for SCA scan, we will learn to perform FPA process as a Security/DevSecOps Engineer.
Case Study Hands On: Review DevSecOps Pipeline Results - OWASP ZAP (DAST scan)4:55
This lecture helps to understand the artifacts created by OWASP ZAP after running DAST scan in GitHub Actions. Once we understand and review the artifacts/reports for DAST scan, we will learn to perform FPA process as a Security/DevSecOps Engineer.
Case Study Hands On: Modifying Workflow file to create Sequential Pipeline3:58
This lecture helps to modify the workflow file that we created in previous lectures. This change will make the workflow file to run in Sequential mode rather than Parallel mode. As we have dependent steps within the pipeline, we need to modify the workflow file to run in Sequential manner.
Debug issues in DevSecOps pipeline0:38
Knowledge Check

NodeJS Case Study: Understand Project Requirement before workflow implementation3:10
Design and implement an end-to-end devsecops pipeline for a Node.js project using GitHub Actions, integrating SonarCloud SAST, Snyk SCA, and OWASP ZAP and retesting.
Hands On: Understand Workflow file created for NodeJs DevSecOps Pipeline10:56
Implement an end-to-end DevSecOps pipeline for a Nodejs project using GitHub Actions, incorporating SAST with SonarCloud, SCA with Snyk, and DAST with OWASP ZAP.
Hands On: Running NodeJs End to End DevSecOps Pipeline using GitHub Actions6:24

Prerequisite: Understanding End to End DevSecOps pipeline for Game5:09
Prerequisite: Let's Create Azure Account for this Case Study6:30
Prerequisite: Let's create Kubernetes Cluster using Azure Kubernetes Service12:59
Prerequisite: Let's install ArgoCD on Azure Kubernetes Cluster10:10
Prerequisite: Let's create a project in ArgoCD for automated deployment6:15
Create an Argo CD application connected to a GitHub repo and enable auto sync to automatically deploy changes to Azure Kubernetes Service via a root Deployment.yaml.
Prerequisite: Let's Create AWS Account for this Case Study2:19
Create a free AWS account by following step-by-step instructions, verify your email, set up a password, and access the dashboard as preparation to set up DevSecOps in AWS.
Prerequisite: Let's install SonarQube on AWS EC2 instance11:32
Install SonarQube on an AWS EC2 t2.large Ubuntu instance with Docker, run the SonarQube image, and open port 9000 for login with admin.
Prerequisite: Create a Project in SonarQube for DevSecOps pipeline6:48
Prerequisite: Create a DockerHub account and DockerHub repository3:10
Create a Docker Hub account and a repository for the Super Mario game Docker image, then build and push it for deployment on an Azure Kubernetes cluster with DevSecOps steps.
Hands On: Part 1 - Implement End to End DevSecOps pipeline for Mario Game10:18
Develop an end-to-end DevSecOps pipeline with GitOps, update the Mario game to use s key, integrate sonarqube scans, dynamic docker image tagging, and Argo CD deployment to Azure Kubernetes Service.
Hands On: Part 2 - Implement End to End DevSecOps pipeline for Mario Game9:52
Set up a GitHub Actions-based end-to-end devsecops pipeline that builds, scans with Sonarqube SAS and Trivy, pushes the Super Mario image, and updates deployment and version files.
Hands On: Part 3 - Implement End to End DevSecOps pipeline for Mario Game8:57
Execute an end-to-end devsecops pipeline using GitHub as the source of truth, validate code with SonarQube, build and push Docker images, and deploy to Kubernetes via Argo CD.

Hands On: Create JIRA account with Atlassian with custom JIRA site4:06
Hands On: Report SAST security issues in JIRA identified by SonarCloud5:47
Learn hands-on reporting of a SAST security issue found by SonarCloud in a JIRA bug, including how to document file paths, line numbers, references, and sprint assignment for DevSecOps workflows.
Hands On: Report SCA security issues in JIRA identified by Snyk5:01
Report SCA issues discovered by Snyk in Jira, capturing details and vulnerable paths. Upgrade Morgan from 1.9.0 to 1.9.1 to fix an injection vulnerability, then retest and close.
Hands On: Report DAST security issues in JIRA identified by OWASP ZAP3:53
Demonstrates reporting a DAST issue identified by OWASP ZAP in JIRA, detailing a medium severity X-Frame-Options header not set for example.com and guiding from assignment to retest and closure.
Hands On: Integrate JIRA with SonarCloud to create tickets with one-click13:20

Security Engineer 1:1 interview with Hiring Manager
DevSecOps Handbook1:12
Optional: Application Security As a Career3:51
Explore information security career paths, including devsecops, cloud penetration testing, container security, and security architecture and design. Learn to integrate security tools into build pipelines and address cloud security.
Sample DevSecOps Engineer CV2:22
This lecture has a sample DevSecOps engineer CV and it helps to create your CV as a DevSecOps Engineer and provides an idea on the technologies to be included in the CV.
Bonus Lecture3:48
Students can enroll themselves in our other courses at discounted rates. View Resources section for more information.
Bonus Lecture2:21

Requirements

No Programming knowledge required
Anyone with Basic computer knowledge can take this course

Description

Course Updates:

v 11.0 - Dec 2024

Added Implement End to End DevSecOps pipeline for a Game using GitHub Actions & GitOps in Section 7

v 10.0 - May 2024

Added DevSecOps Handbook document in Section 8

v 9.0 - Jan 2024

Updated GitHub Repos for SAST scan with Java 17 and changed sonar.login to sonar.token

v 8.0 - April 2023

Updated course with Indonesian and Chinese Subtitles

v 7.0 - January 2023

Added C# Assignment for DevSecOps pipeline along with Solution using GitHub Actions and some common errors and their solutions

v 6.0 - October 2022

Updated course with French and German Subtitles

v 5.0 - July 2022

Updated course with NodeJS Case Study to implement an End to End DevSecOps Pipeline for a NodeJS Project using GitHub Actions in Section 5

v 4.0 - June 2022

Updated course with Notes on Populating Code Coverage on SonarCloud or SonarQube Dashboard in Section 3
Updated course with Notes on GIT Commands in Section 3
Updated course with newer videos to create account with SonarCloud and Snyk
Updated course videos content

v 3.0 - May 2022

Updated course with Report Walkthrough of SAST, SCA and DAST tools integrated in End to End DevSecOps Pipeline with GitHub Actions

v 2.0 - May 2022

Updated course with videos on End To End DevSecOps Pipeline with GitHub Actions
Added new questions to Quizzes

v 1.0 - April 2022

Updated course with newer videos on GitHub Actions Basics
Added Quizzes to the course

Who shall take this course?

This DevSecOps course is designed for Security Engineers, DevOps Engineers, SRE, QA Professionals and Freshers looking to find a job in the field of security. This is a focused DevSecOps course with a special focus on integrating SAST/DAST/SCA tools in Build pipeline.

Hands On Experience:

1) End to End Case study on Java Project where we implement DevSecOps Pipeline with GitHub Actions (Must Learn)

2) Learn and implement security in DevOps pipeline, get Hands On experience in using Security tools & technologies using GitHub Actions

This course is for:

Developers
DevOps
Security Engineers
Aspiring professional in the Security domain
Quality Assurance Engineers
InfoSec/AppSec Professional

DevSecOps being the hot skill, will help you to secure a high-salaried job and stay informed on the latest market trends.

Why purchase this course?

This is only practical hands-on course available on the internet till now.

DevSecOps enables rapid application development with agility, at the same time it secures your application with automated security checks integrated within the pipeline. It helps to increase productivity and security by integrating security stages in the pipeline.

Also, we have included practical examples to implement security in the DevOps pipeline through various tools.

By the end of the course, you will be able to successfully implement DevOps or DevSecOps pipeline and lead initiatives to create, build and maintain security pipelines in your project.

Things to consider before taking this course:

1) Create a GitHub account

Disclaimer: Indonesian, Chinese, French, German, Spanish and English subtitles are generate via Caption Generator tool so please ignore any grammar/interpretation mistakes

Who this course is for:

Beginner security engineer
Quality assurance engineers
DevOps/DevSecOps Engineers
Automation Engineers

DevSecOps using GitHub Actions: Secure CICD with GitHub

What you'll learn

Explore related topics

Course content

Introduction2 lectures • 4min

Deep dive into DevSecOps3 lectures • 11min

Hands On - Integrating Security in DevSecOps Pipeline21 lectures • 1hr 14min

Java Case Study: Creating DevSecOps End to End Pipeline for a Java Project8 lectures • 37min

NodeJs Case Study: Creating End to End DevSecOps Pipeline for NodeJs Project3 lectures • 21min

Assignment: Build and run DotNet/C# End to End DevSecOps Pipeline2 lectures • 1min

Implement End to End DevSecOps pipeline for a Game using GitHub Actions & GitOps12 lectures • 1hr 34min

Report Security issues found during SAST, SCA & DAST scans in JIRA5 lectures • 32min

Next Steps and Bonus section6 lectures • 14min

Requirements

Description

Who this course is for: