Best practice for running security scans

security

#1

Hi, I have a Rails application that I’ve set up and was wondering which API would be the proper one to use to run “post test” security scans? At the moment I just have them running as extra run steps at the end of the build (https://github.com/tomekr/cocktail-yeti/blob/master/.circleci/config.yml#L68-L76).

Would a best practice here be to put it into a separate job?

Thanks,
Tom


#2

I think this approach is fine. If you put it in an extra job then you have the additional overhead of needing to load/install all of your dependencies. Note that right now this step will only run if your tests pass.

If this is the desired state, then great!

Alternatively, if you always want to run these regardless of the previous step then you can use the when: always modifier to have this always run.
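As an added illustration of the `when: always` approach described in the reply above (this is a constructed example, not the original poster's config.yml nor anything from CircleCI's own docs), here is a minimal CircleCI 2.1 config that keeps the scans as extra run steps in the same job so the installed gems are reused, but lets them run even when the test step fails. The Ruby image tag, the `rspec` test command, and the choice of Brakeman and bundler-audit as the "security scans" are assumptions; substitute whatever the project actually runs.

```yaml
version: 2.1

jobs:
  build:
    docker:
      - image: cimg/ruby:3.2   # assumed Ruby image; use the project's actual version
    steps:
      - checkout
      - run:
          name: Install dependencies
          command: bundle install
      - run:
          name: Run tests
          command: bundle exec rspec   # assumed test command
      # Security scans as extra steps in the same job, so the gems installed
      # above are reused. Without `when: always` these steps are skipped as
      # soon as any earlier step (e.g. the tests) fails.
      - run:
          name: Brakeman static analysis
          when: always
          command: bundle exec brakeman --no-pager --exit-on-warn
      - run:
          name: bundler-audit dependency check
          when: always
          command: bundle exec bundler-audit check --update

workflows:
  ci:
    jobs:
      - build
```

One caveat worth knowing: `when: always` only controls whether the step executes. If the test step failed, the job as a whole is still marked failed even though the scan steps ran, so the scan output is available for review but does not turn a red build green. Dropping `when: always` from either scan step restores the original behaviour where that scan runs only after the tests pass.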