INTEGRATING AUTOMATED DEVSECOPS SECURITY SCANNING INTO OPEN-SOURCE SOFTWARE: A MULTI-TOOL ANALYSIS USING HEALTHCHECKS AND DOKEMON

Author Name: Akor Jacob Terungwa

Volume/Issue: 06/06

Country: Russia

DOI NO.: 08.2020-25662434
DOI Link: https://doi-ds.org/doilink/12.2025-59926622/UIJIR

Affiliation:

  1. Department of Security and Network Engineering, Innopolis University, Russia.

ABSTRACT

The increasing adoption of DevSecOps has redefined software development by embedding security practices throughout the continuous integration and delivery (CI/CD) lifecycle. This research focuses on implementing and evaluating an automated DevSecOps security framework that integrates multiple open-source tools (SonarQube, Bandit, CodeQL, Semgrep, and Gitleaks) to enhance software assurance in open-source projects. Using Healthchecks and Dokemon as case studies, the project systematically analyzed source code, dependencies, and configuration vulnerabilities within GitHub Actions pipelines. Each tool contributed a distinct layer of analysis: SonarQube for quality and maintainability, Bandit for Python security checks, Semgrep for pattern-based vulnerability scanning, CodeQL for semantic analysis, and Gitleaks for secret detection. Results demonstrated that the combined DevSecOps pipeline identified vulnerabilities early in the development process, improved code reliability, and reduced manual intervention in security auditing. Comparative findings across both projects showed that integrated automation yields higher vulnerability coverage and better compliance with secure coding practices. Overall, the study validates that a well-orchestrated DevSecOps pipeline not only strengthens software security posture but also promotes continuous security validation in open-source development ecosystems.

Keywords: Integrating automated DevSecOps, multi-tool analysis, Healthchecks and Dokemon
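The kind of GitHub Actions pipeline the abstract describes, as an added example that is not taken from the paper or from either project's repository: one workflow wiring CodeQL, Bandit, Semgrep and Gitleaks into the push and pull-request lifecycle (SonarQube is left out because it requires a running server and credentials). The action version tags, the Python version, the CodeQL language choice and the `p/python` Semgrep ruleset are assumptions to adapt per project.

```yaml
name: devsecops-scan
on: [push, pull_request]

permissions:
  contents: read
  security-events: write          # lets CodeQL upload SARIF results to code scanning

jobs:
  codeql:                         # semantic analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python       # Healthchecks is Python; set to the scanned project's language
      - uses: github/codeql-action/analyze@v3

  python-sast:                    # Bandit security checks + Semgrep pattern scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"  # assumed version
      - name: Bandit (fail the job on medium severity and above)
        run: |
          pip install bandit
          bandit -r . -ll -f json -o bandit-report.json
      - name: Semgrep (registry Python ruleset, non-zero exit on findings)
        run: |
          pip install semgrep
          semgrep scan --config p/python --error
      - uses: actions/upload-artifact@v4
        if: always()              # keep the report even when Bandit fails the job
        with:
          name: bandit-report
          path: bandit-report.json

  secrets:                        # Gitleaks secret detection over full history
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # a shallow clone would miss secrets committed earlier
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Each job fails independently, so a finding from any scanner blocks the merge while the other reports are still produced.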
