Framework for Integrating Continuous Integration and Continuous Deployment (CI/CD) with Automated Security Testing to Improve Software Dependability

Authors

  • Syaiful Anwar Institut Teknologi dan Bisnis Dewantara
  • Irwanto Irwanto Universitas Patimura
  • Safrizal Safrizal Universitas Pembangunan Jaya

Keywords:

Automated Security, Continuous Deployment, Continuous Integration, Software Dependability, Vulnerability Detection

Abstract

The increasing demand for rapid software delivery has led to the widespread adoption of Continuous Integration (CI) and Continuous Deployment (CD) pipelines. These pipelines automate code integration, testing, and deployment, significantly improving the speed and reliability of software development. However, traditional CI/CD pipelines often omit security testing, leaving vulnerabilities in the deployed software. To address this gap, this study proposes an integrated framework that embeds automated security testing within the CI/CD process. The framework incorporates security testing tools such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Vulnerability Assessment and Penetration Testing (VAPT) to provide continuous security checks throughout the development lifecycle. The experimental results show that the proposed framework improves early vulnerability detection, with detection rates increasing from 30% to 70%. It also reduces deployment failures from 50% to 20%, demonstrating its effectiveness in improving software dependability. While the integration of automated security testing adds a 5% increase in pipeline execution time, this small overhead does not significantly affect the overall speed of the pipeline. The proposed approach balances security and efficiency, so that software is both secure and delivered quickly. This research highlights the importance of integrating security into CI/CD pipelines and shows that high security can be achieved without sacrificing development speed. The study also discusses the practical implications for software development teams and suggests areas for future research, including the integration of AI-driven security testing tools and the extension of the framework to other kinds of software projects.
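As an added illustration (not code from the paper or its authors), the following Python model shows the gating logic such a framework relies on: SAST, DAST and VAPT stages are walked in lifecycle order, the pipeline stops at the first stage with a blocking finding, and the two metrics the abstract reports (early detection rate and pipeline time overhead) are computed. Rule ids, severities and timings below are constructed sample values, not results from the study.

```python
from dataclasses import dataclass

# Ordinal severity scale used by the gate (an assumption; real scanners differ).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id (constructed for this example)
    severity: str   # one of the SEVERITY keys


def run_pipeline(stage_findings, block_at="high"):
    """Walk security stages in lifecycle order (SAST at commit time, DAST against
    a test deployment, VAPT before release) and stop at the first stage whose
    findings reach the block_at severity. Returns (deploy_ok, stopped_at, blocking)."""
    threshold = SEVERITY[block_at]
    for stage, findings in stage_findings:
        blocking = [f for f in findings if SEVERITY[f.severity] >= threshold]
        if blocking:                      # fail fast: later stages never run
            return False, stage, blocking
    return True, None, []


def detection_rate(found_pre_deploy, found_post_deploy):
    """Share of all vulnerabilities caught before deployment; 0.0 if none found."""
    total = found_pre_deploy + found_post_deploy
    return found_pre_deploy / total if total else 0.0


def overhead_pct(baseline_seconds, secured_seconds):
    """Relative pipeline slowdown introduced by the security stages, in percent."""
    return (secured_seconds - baseline_seconds) / baseline_seconds * 100


# Constructed findings, as the three tool classes might report them.
SAMPLE_STAGES = [
    ("sast", [Finding("hardcoded-secret", "high"), Finding("unused-import", "low")]),
    ("dast", [Finding("missing-csp-header", "medium")]),
    ("vapt", [Finding("reflected-xss", "critical")]),
]

if __name__ == "__main__":
    ok, stage, blocking = run_pipeline(SAMPLE_STAGES)
    print("deploy" if ok else f"blocked at {stage}: {[f.rule for f in blocking]}")
    print(f"early detection {detection_rate(7, 3):.0%}, overhead {overhead_pct(400, 420):.0f}%")
```

Raising `block_at` to "critical" lets the SAST stage pass and moves the block to the VAPT stage, which is the trade-off a team tunes when balancing gate strictness against pipeline throughput.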


Published

2026-01-20