AUTOMATED BASELINE REPORT GENERATION AND NOISE REDUCTION IN CI/CD ENVIRONMENTS USING UNIVERSAL SECURITY SCANNERS
DOI: 10.31673/2412-4338.2025.038706
Abstract
This article addresses the pressing issue of excessive false positives that emerge during static vulnerability analysis in continuous integration and delivery (CI/CD) pipelines. Each time a container image is rescanned, security tools repeatedly detect previously known or outdated vulnerabilities. This leads to a significant amount of informational noise, which burdens security engineers and delays the response to real threats. To solve this problem, the article proposes a method for storing an initial vulnerability report, known as a "baseline", generated after the first scan of a container. Future scans are then automatically compared against this baseline, allowing the system to isolate and report only those vulnerabilities that appeared after code changes or component updates. This significantly reduces redundancy and prevents the accumulation of outdated alerts that do not require immediate attention. The proposed method has been implemented using GitHub Actions as part of an automated security pipeline. The implementation includes steps for building the container image, generating or updating the baseline report, performing differential analysis, and generating final summary reports for developers. In practical usage, this approach has led to a substantial reduction in non-informative vulnerability notifications without sacrificing the accuracy or relevance of the scans. As a result, security processes become more efficient, and engineering teams can focus on addressing actual risks. Moreover, the approach is universal and can be adapted to other CI/CD platforms or integrated with alternative security scanning tools. It enhances DevSecOps practices by providing a cleaner, more actionable flow of security information, reducing the cognitive load on security personnel, and improving the precision of threat response and mitigation efforts.
© Журавчак Ю.Ю., Журавчак А.Ю., Журавчак Д.Ю. 2025
Keywords: CI/CD, DevSecOps, baseline report, false positives, vulnerability scanning, Trivy, GitHub Actions, security automation, differential analysis, software supply chain security.
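The differential step the abstract describes (compare the current scan against the stored baseline and surface only what is new) is shown below as an added example; it is not the article's own implementation. It assumes scan output in Trivy's JSON layout (`Results` → `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `Severity`); the two embedded reports, their CVE identifiers and package names are constructed placeholders, and the severity gate in `should_fail` is a policy choice assumed here, not something the abstract specifies.

```python
"""Baseline differential analysis over Trivy-style JSON scan reports.

Added example, not code from the article. Report layout follows Trivy's JSON
output as assumed in the lead-in; all sample data below is constructed.
"""
import json
from typing import Dict, Tuple

# A finding is identified by where it was seen and what it is. Severity is kept
# as the value, not part of the key, so a re-rated CVE is not reported as new.
FindingKey = Tuple[str, str, str, str]  # (target, package, installed_version, vuln_id)

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_report(path: str) -> dict:
    """Read a scanner report from disk (e.g. the stored baseline file in CI)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_findings(report: dict) -> Dict[FindingKey, str]:
    """Flatten a Trivy-style report into {finding_key: severity}.

    One entry per scanned target lives under "Results"; a target with no
    findings may carry "Vulnerabilities": null, so a missing list counts as empty.
    """
    findings: Dict[FindingKey, str] = {}
    for result in report.get("Results") or []:
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            key = (target, vuln["PkgName"], vuln["InstalledVersion"], vuln["VulnerabilityID"])
            findings[key] = str(vuln.get("Severity", "UNKNOWN")).upper()
    return findings


def diff_reports(baseline: dict, current: dict):
    """Return (new, resolved): findings absent from the baseline, and baseline
    findings no longer present (package upgraded or removed), each as {key: severity}."""
    base = index_findings(baseline)
    cur = index_findings(current)
    new = {k: s for k, s in cur.items() if k not in base}
    resolved = {k: s for k, s in base.items() if k not in cur}
    return new, resolved


def should_fail(new: Dict[FindingKey, str], threshold: str = "HIGH") -> bool:
    """Gate the pipeline only on NEW findings at or above the threshold.
    Assumed policy for this example; known baseline findings never block a build."""
    limit = SEVERITY_RANK[threshold.upper()]
    return any(SEVERITY_RANK.get(sev, 0) >= limit for sev in new.values())


def render_summary(new: Dict[FindingKey, str], resolved: Dict[FindingKey, str]) -> str:
    """Markdown summary for the developer-facing report step, worst severity first."""
    lines = [f"## Scan delta: {len(new)} new, {len(resolved)} resolved", ""]
    if not new:
        lines.append("No vulnerabilities introduced since the baseline.")
        return "\n".join(lines)
    lines += ["| Severity | Vulnerability | Package | Target |", "|---|---|---|---|"]
    ordered = sorted(new.items(), key=lambda kv: (-SEVERITY_RANK.get(kv[1], 0), kv[0]))
    for (target, pkg, ver, vid), sev in ordered:
        lines.append(f"| {sev} | {vid} | {pkg} {ver} | {target} |")
    return "\n".join(lines)


# Constructed sample reports: placeholder CVE ids, packages and targets.
BASELINE_REPORT = {
    "Results": [
        {"Target": "image:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.1.0", "Severity": "LOW"},
        ]},
        {"Target": "Node.js", "Vulnerabilities": None},  # no findings on first scan
    ]
}
CURRENT_REPORT = {
    "Results": [
        {"Target": "image:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "Severity": "CRITICAL"},  # re-rated, not new
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libnew",
             "InstalledVersion": "0.9.0", "Severity": "MEDIUM"},  # new dependency
        ]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-pkg",
             "InstalledVersion": "4.2.0", "Severity": "HIGH"},  # new finding
        ]},
    ]
}

if __name__ == "__main__":
    new_findings, resolved_findings = diff_reports(BASELINE_REPORT, CURRENT_REPORT)
    print(render_summary(new_findings, resolved_findings))
    raise SystemExit(1 if should_fail(new_findings) else 0)
```

Keying on target, package, installed version and identifier is what keeps the baseline stable across reruns: the re-rated `CVE-0000-0001` stays suppressed, while the two findings that arrived with new components are the only ones reported. In a pipeline the baseline file would be written by the first run and then fed to `diff_reports` on every subsequent scan; `resolved` lets the summary also show what an upgrade fixed.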