メインコンテンツまでスキップ

Pipeline Execution & Results

Overview

With your infrastructure deployed and everything wired up, it’s time to put the pipeline to work and see it in action. This section walks you through running the pipeline, checking the results from the various security scans, and verifying that your Docker image has been successfully published to GitHub Container Registry (GHCR).

Running the Pipeline

  1. Head over to your python-fastapi repository on GitHub and click the Actions tab at the top.
    Navigate to Actions

  2. In the left-hand sidebar, select Main Workflow, then click Run workflow on the right.
    Run Workflow

  3. Once triggered, your pipeline will kick off and begin executing. It should look something like this:
    Pipeline Running

    Note: This job takes about 5–7 minutes to complete, so go grab a coffee and check back in a bit.

Reviewing the Results

After the workflow finishes running, here’s how to review the key outputs from your DevSecOps pipeline:

GitHub Container Registry (GHCR)

Back on your repository’s homepage, scroll down to the Packages section. You should see your Docker image listed there. Click the image name to view details, including how to pull it using Docker.

Packages Section
Pulling Image and Tags

SonarCloud Analysis

If you’ve properly integrated SonarCloud, your repository should be scanned automatically as part of the pipeline. Navigate to your SonarCloud dashboard to explore:

  • Code Smells
  • Vulnerabilities
  • Security Hotspots

Feel free to experiment by adding some insecure code or edge cases to test the scanner. You can also customize your Quality Gates directly from the SonarCloud interface.

SonarCloud Dashboard
Security Hotspots

ZAP by Checkmarx Scan

The results of the ZAP by Checkmarx scan can be found directly in the GitHub Actions logs. This scan runs against your running Docker container to detect common web vulnerabilities like injection flaws, insecure headers, and more.

Here’s an example of what it looks like in the workflow logs:
ZAP by Checkmarx Logs

Trivy Scan Results

Trivy scan results are automatically uploaded to GitHub under the Security tab → Code scanning alerts. From there, you’ll be able to view any critical or high-severity vulnerabilities identified in your image.

Trivy Results in GitHub

Conclusion

You're done!!! You’ve successfully executed your GitHub Actions DevSecOps pipeline. You’ve built, scanned, tested, and pushed a containerized app with security built in from the start.