Setting Up Automated Security Vulnerability Scanning in CI/CD
Designed for DevOps engineers in mid-sized SaaS companies who are responsible for maintaining continuous integration and continuous deployment pipelines but have not yet integrated automated security vulnerability scanning. The activities below are meant to spark real collaboration and high-energy learning.
A 90-minute virtual workshop with breakout capabilities. Participants are comfortable with CI/CD but overwhelmed by the complexity and perceived workload of adding security scanning. Their pipelines often lack visibility into security risks, and they worry about false positives delaying deployments.
Security Scan Show-and-Tell
Kick off with a live demo: run a simple public repo through Snyk’s CLI tool and show the results, including unexpected findings like outdated libraries. Participants are invited to predict what might be flagged before the scan starts. Payoff: demystifies the process and sparks curiosity about their own projects.
Why this works
Seeing real output and making predictions activates curiosity and primes brains for learning, lowering barriers for those intimidated by security tools.
False Positive Myth Bust
Present two actual scan results: one is a true critical issue, the other a notorious false positive (e.g., a vulnerability flagged in a development-only dependency that never ships to production). Ask participants to vote on which is more urgent and why. Reveal common misconceptions and discuss how scanners can be tuned.
Why this works
Confronting misconceptions helps learners recalibrate mental models, encouraging nuanced understanding rather than avoidance of security scanning.
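To make the "how scanners can be tuned" discussion concrete, here is an added example (written for this page, not part of the workshop material or of Snyk's own tooling) of the policy layer a team can put between raw scanner output and the deploy decision. Scanner CLIs expose the same levers this code models: a severity threshold, a distinction between production and development-only dependencies, a "block only if a fix exists" mode, and an ignore list whose entries expire so an accepted risk is re-triaged rather than silenced forever. The `Finding` format, the policy fields and the sample findings are all constructed for illustration; they are not any scanner's real JSON schema or identifiers.

```python
"""Scan gate policy: decide whether scanner findings should block a deployment.

Added example for this page; the finding format and sample data are constructed
and simplified, not the output format of Snyk or any other scanner.
"""
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare a finding against the configured threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    id: str           # scanner's identifier for the issue (constructed values below)
    package: str      # dependency the issue was found in
    severity: str     # one of SEVERITY_RANK's keys
    dev_only: bool    # reachable only through a development-only dependency
    fixable: bool     # an upgrade or patch exists


@dataclass
class Policy:
    threshold: str = "high"          # block on this severity and above
    block_dev_only: bool = False     # dev-only findings warn instead of blocking
    require_fixable: bool = False    # block only when a fix exists
    # Accepted-risk list: finding id -> ISO date after which the ignore lapses.
    ignores: dict = field(default_factory=dict)


def is_ignored(finding, policy, today):
    """True while an ignore entry for this finding exists and has not expired."""
    expiry = policy.ignores.get(finding.id)
    if expiry is None:
        return False
    return today <= date.fromisoformat(expiry)


def evaluate(findings, policy, today):
    """Return (decision, blocking_ids, warnings); decision is 'block' or 'pass'."""
    blocking, warnings = [], []
    for f in findings:
        if is_ignored(f, policy, today):
            warnings.append(f"{f.id} ({f.package}) ignored until {policy.ignores[f.id]}")
            continue
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[policy.threshold]:
            continue  # below threshold: recorded by the scanner, never a gate failure
        if f.dev_only and not policy.block_dev_only:
            warnings.append(f"{f.id} ({f.package}) is dev-only; fix at leisure")
            continue
        if policy.require_fixable and not f.fixable:
            warnings.append(f"{f.id} ({f.package}) has no fix yet; track it")
            continue
        blocking.append(f.id)
    return ("block" if blocking else "pass", blocking, warnings)


# Constructed sample findings: one real production issue, one dev-only issue of the
# kind that gets mistaken for urgent, one low-severity issue with no fix available.
SAMPLE_FINDINGS = [
    Finding("VULN-PROD-001", "lodash", "critical", dev_only=False, fixable=True),
    Finding("VULN-DEV-002", "mocha", "high", dev_only=True, fixable=True),
    Finding("VULN-LOW-003", "debug", "low", dev_only=False, fixable=False),
]


def gate_with_defaults(today=date(2025, 6, 1)):
    """Default policy: only the production critical issue blocks the pipeline."""
    return evaluate(SAMPLE_FINDINGS, Policy(), today)


def gate_with_expiring_ignore(today=date(2025, 6, 1)):
    """Same findings, but the production issue has a time-boxed accepted-risk entry."""
    policy = Policy(ignores={"VULN-PROD-001": "2025-06-30"})
    return evaluate(SAMPLE_FINDINGS, policy, today)


if __name__ == "__main__":
    for label, result in (("defaults", gate_with_defaults()),
                          ("ignore active", gate_with_expiring_ignore()),
                          ("ignore expired", gate_with_expiring_ignore(date(2025, 7, 1)))):
        decision, blocking, warnings = result
        print(f"{label}: {decision} blocking={blocking} warnings={warnings}")
```

The point for the discussion is that tuning is policy, not suppression: the dev-only finding still surfaces as a warning, the low-severity one stays in the scanner's report, and the ignore entry for the critical issue lapses on a date, so the pipeline starts blocking again unless someone consciously renews the acceptance.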
Quickfire ‘Scan or Not?’ Poll
Present a list of five common pipeline steps (e.g., npm install, docker build, code deploy, unit test, config push). For each, participants respond in chat or a poll: ‘Should you scan here?’ Immediate, low-stakes, and gets everyone thinking without pressure.
Why this works
Low-pressure engagement lowers social risk, letting learners test knowledge and see the diversity of thinking in the group.
Pipeline Poker Challenge
Break the group into small teams. Each team gets a stack of scenario ‘cards’—pipeline stages, scan results, and possible actions. They race to build the safest, fastest pipeline by stacking cards in the correct sequence. Winner shares their reasoning, and others debate.
Why this works
Fast-paced, competitive activities energize the room and cement practical steps through playful experimentation.
Real Breach Postmortem
Share a concise case study: a DevOps team missed a critical vulnerability because scans weren’t automated. Describe the business impact (downtime, customer trust, remediation cost). Invite teams to brainstorm one fix that would have prevented the breach, using rapid breakout rooms.
Why this works
Applying concepts to high-stakes, real-world dilemmas deepens motivation and makes abstract risks tangible.
Personal Pipeline Commitment
Wrap with individual reflection: each participant writes down one concrete change they’ll make to their pipeline next week (e.g., enable a scanner, tune alerts, update dependencies). Optionally, share in chat or pair up for accountability.
Why this works
Active reflection and commitment drive transfer of learning, turning workshop ideas into real action.