How to Add a Security Gate to Your Deploy Pipeline (GitHub Actions)
"Check before you deploy" always gets forgotten eventually. How to set up an automatic gate that blocks on every push, in 5 minutes.
"I'll make sure to check before the next deploy" — that promise usually gets forgotten by around the third deploy. Checks that rely on human willpower eventually fail. The answer is to automate the check and block the deploy itself when it fails.
Why "I'll check" doesn't work
When you're busy, in a hurry, or shipping on a Friday afternoon, people skip the checklist. Skip it once with no consequences, and it gets easier to skip the next time. This isn't a laziness problem — it's a structural one. A rule that only holds if a human remembers it every single time eventually breaks.
What a gate is
A "gate" is simple: if a check fails, the merge or deploy is blocked. Even if a human forgets to check, the pipeline blocks it for them. The only way through is to actually fix the problem.
The minimal version in GitHub Actions
You can start with a single .github/workflows/security.yml file in your repo.
name: security-gate
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run dependency audit
run: npm audit --audit-level=highJust this one step makes a PR with a high-severity vulnerability show a red X before it can be merged. Add secret scanning and a SAST (static analysis) step on top of this and your coverage widens further.
What should actually block
Block everything and nobody can ship. Set priorities.
- Always block: hardcoded secrets, Critical/High-severity CVEs
- Warn only: Low/Medium severity, style issues
- Tighten gradually: start with warnings only, then switch to blocking once the team is used to it
Ignored false positives defeat the gate
If a gate is wrong often enough, the team starts saying "another false positive" and finds ways around it — like habitually reaching for the skip-check flag. Keeping the false-positive rate low is what keeps a gate alive long-term. If you need exceptions, manage them as an explicit allowlist — that's far better than quietly turning the check off.
Connect a GitHub repository to WhiteHat Code and it automatically scans every push and PR, organizing results by severity. You can get started right away without building a gate yourself.