DevOps | 2026-06-18 | 1 min read
Kubernetes CI/CD: Optimizing GitHub Actions and Container Security Scanning
A comprehensive guide on building secure Docker containers, scanning for image vulnerabilities, and deploying automatically to Kubernetes clusters using GitHub Actions.
Tags: DevOps, Kubernetes, Docker, GitHub Actions, Security
Modern DevOps workflows require rapid compilation and deployment cycles without compromising application security. Integrating automated static scanning and vulnerability checkers directly into GitHub Actions ensures that only verified, secure code enters production.
1. Multi-Stage Docker Builds
By keeping the build toolchain in its own stage and copying only the build output into the runtime image, we minimize the attack surface of the containerized application.
# Build Stage: the compiler toolchain and the full dependency tree (devDependencies included) live only here
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Production Stage: a fresh base image that receives only what the app needs at runtime
FROM node:20-alpine AS runner
WORKDIR /app
COPY --from=builder /app/package*.json ./
COPY --from=builder /app/.next ./.next
COPY --from=builder /app/public ./public
# Note: this copies the builder's node_modules, devDependencies included; running
# `npm ci --omit=dev` in this stage instead keeps the runtime image smaller
COPY --from=builder /app/node_modules ./node_modules
ENV NODE_ENV=production
EXPOSE 3000
CMD ["npm", "start"]
2. GitHub Actions Deployment Pipeline
Using GitHub Actions, we orchestrate:
- Static analysis checks (eslint).
- Vulnerability image check (Trivy).
- Build & push to Registry (Docker Hub or AWS ECR).
- Apply Kubernetes deployment rollout:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker Image
        run: docker build -t ajitdev01/nextjs-portfolio:latest .
      - name: Run Trivy Scan
        # Pinning the action to a release tag or commit SHA instead of @master
        # makes the pipeline reproducible and resistant to upstream tampering
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ajitdev01/nextjs-portfolio:latest'
          # exit-code 1 fails the job on any CRITICAL finding, so the deploy step below never runs on a failed scan
          exit-code: '1'
          severity: 'CRITICAL'
      - name: Deploy to K8s
        # Assumes cluster credentials (kubeconfig) were configured in an earlier step, not shown here
        run: |
          kubectl apply -f k8s/deployment.yml
          kubectl rollout status deployment/nextjs-portfolio
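As an added example (not code from the original post), the script below reproduces the workflow's CRITICAL gate over a Trivy JSON report (`trivy image --format json`) and generalises it to a severity threshold with an optional fixed-only mode. The embedded report and its CVE identifiers are constructed placeholders.

```python
import json
import sys
# Trivy severities, lowest to highest; the gate fails on anything at or above the threshold.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Constructed sample in the layout of `trivy image --format json`; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "ajitdev01/nextjs-portfolio:latest",
    "Results": [
        {"Target": "ajitdev01/nextjs-portfolio:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "Severity": "CRITICAL",
             "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl", "Severity": "HIGH",
             "InstalledVersion": "1.2.4-r0", "FixedVersion": ""}]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash", "Severity": "MEDIUM",
             "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"}]},
    ],
})


def breaches(report_json: str, threshold: str = "CRITICAL", fixed_only: bool = False):
    """Return (id, package, severity, fixed_version) for findings at or above threshold."""
    floor = SEVERITY_ORDER.index(threshold.upper())
    hits = []
    for result in json.loads(report_json).get("Results") or []:
        # "Vulnerabilities" is absent (not empty) for clean targets, hence the `or []`.
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "UNKNOWN")).upper()
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank < floor:
                continue
            if fixed_only and not v.get("FixedVersion"):
                continue  # no upstream fix yet: track it, but don't block the rollout
            hits.append((v["VulnerabilityID"], v["PkgName"], sev, v.get("FixedVersion", "")))
    return hits


def gate(report_json: str, threshold: str = "CRITICAL", fixed_only: bool = False) -> int:
    """CI exit status: 1 if any finding breaches the gate (like exit-code: '1'), else 0."""
    hits = breaches(report_json, threshold, fixed_only)
    for vid, pkg, sev, fixed in hits:
        print(f"{sev:<8} {vid:<16} {pkg} (fixed in: {fixed or 'none yet'})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: trivy image --format json IMAGE | python gate.py HIGH ; with no stdin the sample report is used
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(data, sys.argv[1] if len(sys.argv) > 1 else "CRITICAL"))
```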