Small · Weekend build ~6h · 4 milestones

Add a security gate to a CI pipeline

A team ships fast and finds vulnerabilities in production. You shift that left: every change is scanned before it can merge, and criticals block the build.

Topics: SAST · Dependency scanning · Secret detection · Container image scanning · CI security gates · CI cost & runtime budgeting · Pipeline observability

What you'll build

A CI pipeline that runs SAST, dependency, secret, and container-image scanning, failing the build on critical findings, with results visible to the team.

See how we teach, before you sign up

You don't just get code dumped on you. Every starter file and every solution is explained line-by-line, in plain English. Here's one real file from this project:

requirements.txt (text):

flask==2.0.0
requests==2.19.1   # old on purpose, SCA should flag CVEs here

Reading this file

  • flask==2.0.0: Pinning an exact version makes builds reproducible; everyone installs the same code instead of a moving target.
  • requests==2.19.1: This old version has published CVEs, chosen on purpose so your dependency scanner has something real to catch on the first run.

A pinned, known-vulnerable version so the dependency scanner has a real finding on run one.

That's 1 of 8 explained code blocks in this single project.

The build, milestone by milestone

  1. Scan the code & dependencies (5 guided steps)

     Most breaches start with a known CVE or a leaked secret; catch both before they ever merge.

  2. Scan the container image (4 guided steps)

     Your code can be clean while the base image ships years-old vulnerable packages; the image is its own attack surface.

  3. Gate the merge, and prove it (5 guided steps)

     A scan that warns but never blocks gets ignored. The value is in the gate, and in proving it actually stops bad code.

  4. Watch the cost & health of the gate (5 guided steps)

     Security steps add minutes (and money) to every PR. If you can't see the run health or quote the cost, the first time CI gets slow the team disables your scanners.
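A minimal version of the gate milestone 3 describes, added here as an example and not the course's starter or solution code: it reads a SARIF report (the format behind the Security tab mentioned above), skips results carrying SARIF `suppressions` (one place to record triaged false positives), and exits non-zero when any critical finding remains. The `security-severity` score bands, the sample scanner name and the sample report are assumptions.

```python
"""Merge gate over a SARIF report: block when unsuppressed findings at or
above a severity threshold remain. Added example, not course code; assumes
rules carry `properties.security-severity` (0-10, as GitHub code scanning
reads it) and reviewed false positives are recorded as SARIF suppressions."""
import json
import sys

# Band floors follow GitHub code scanning's security-severity mapping (assumed).
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]

def band(score):
    """Map a numeric security-severity score to its band name."""
    return next(name for floor, name in BANDS if score >= floor)

def count_findings(sarif):
    """Count unsuppressed results per band, resolving each result's rule."""
    counts = {name: 0 for _, name in BANDS}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            if result.get("suppressions"):  # reviewed false positive: skip
                continue
            props = rules.get(result.get("ruleId"), {}).get("properties", {})
            counts[band(float(props.get("security-severity", 0)))] += 1
    return counts

def gate(sarif, block_on=("critical",)):
    """Return (passed, counts); fails when any blocking band is non-empty."""
    counts = count_findings(sarif)
    return all(counts[b] == 0 for b in block_on), counts

# Constructed sample report: one critical, one suppressed high, one medium.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "sample-scanner", "rules": [
        {"id": "SCA-0001", "properties": {"security-severity": "9.8"}},
        {"id": "SCA-0002", "properties": {"security-severity": "7.5"}},
        {"id": "SAST-0003", "properties": {"security-severity": "5.0"}}]}},
    "results": [
        {"ruleId": "SCA-0001", "message": {"text": "known-vulnerable pin"}},
        {"ruleId": "SCA-0002", "message": {"text": "vulnerable, unreachable"},
         "suppressions": [{"kind": "external", "justification": "triaged"}]},
        {"ruleId": "SAST-0003", "message": {"text": "weak hash algorithm"}}]}]}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    passed, counts = gate(report)
    print(counts, "PASS" if passed else "BLOCKED")
    sys.exit(0 if passed else 1)  # non-zero exit is what fails the CI job
```

Run it as a step after the scanners with the merged SARIF path as its argument; lowering `block_on` to include "high" is the threshold change the README deliverable should justify.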

What's inside when you start

4 starter files, ready to clone
4 guided milestones
4 full reference solutions
8 code blocks explained line-by-line
4 "is it working?" checks
4 interview questions it prepares you for

You'll walk away with

A CI config with security gates (SAST, SCA, secret + image scanning)
Screenshots of a blocked vulnerable PR and a passing clean PR
A short README explaining your severity thresholds and false-positive strategy
A one-paragraph CI cost note (per-PR minutes + monthly estimate) and a SARIF-populated Security tab

This is portfolio-grade. Build it free.

Sign up to unlock every milestone step-by-step, the code skeletons, full reference solutions, and checkable tasks, with your progress saved as you build.
