Nathan makes the case that security doesn't have to come at the cost of deliverables, and walks through how to build automated workflows that run quietly in the background until something genuinely needs your attention.
Overview
Security is too often treated as a trade-off against time and delivery. But it doesn't have to be. With the right automation in place, you can shift the bulk of the effort to an upfront investment, then let those workflows run in the background, alerting you only when something needs a human.
And if you do have an incident, that automation might just save you time, money, and reputation.
At DrupalSouth Wellington 2026, Nathan ter Bogt shared a deliberately practical approach aimed at Drupal developers and SysOps engineers.
What the talk covered
- The core concepts of Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST), what they are, what they solve, and where they fit in a modern Drupal delivery pipeline
- Real-world tooling including OWASP ZAP, Trivy, and dependency analysis, and how they complement rather than replace each other
- Wiring these tools into GitHub Actions so they run automatically on pull requests and on a schedule, without slowing developers down
- Configuring Trivy to scan source code, dependencies, and container images
- Automating ZAP scans against deployed environments
- Using Dependabot or Renovate to keep Drupal core, contrib modules, and container dependencies up to date with minimal noise
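The list above describes one pipeline: Trivy for the source tree, lockfiles and the built image, ZAP against a deployed environment, all triggered from GitHub Actions on pull requests and on a schedule. The workflow below is an added illustration of that wiring and is not the talk's or Skpr's own configuration. It assumes a Dockerfile at the repository root, a staging URL (placeholder `https://staging.example.com`), and an optional `.zap/rules.tsv` for tuning ZAP alert levels; the action version pins are examples and should be checked against current releases.

```yaml
# .github/workflows/security-scans.yml  (added example, not from the talk)
name: security-scans

on:
  pull_request:
  schedule:
    - cron: "0 3 * * 1"   # weekly, Monday 03:00 UTC

permissions:
  contents: read

jobs:
  trivy:
    name: Trivy source, dependency and image scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Filesystem scan of the checked-out repo: composer.lock / package-lock.json
      # dependencies plus secrets and misconfiguration checks. High/critical only,
      # and unfixed CVEs are ignored, so the PR check is actionable rather than noisy.
      - name: Scan repository filesystem
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"          # fail the check when something is found

      # Build the site image so the scan covers the OS packages and PHP
      # extensions that actually ship, not just the source tree.
      - name: Build container image
        run: docker build -t drupal-site:${{ github.sha }} .   # assumes Dockerfile at repo root

      - name: Scan container image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: drupal-site:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"

  zap:
    name: ZAP baseline scan of the deployed environment
    runs-on: ubuntu-latest
    # DAST needs a running site, so it runs on the schedule rather than on every PR.
    if: github.event_name == 'schedule'
    steps:
      - uses: actions/checkout@v4   # needed so .zap/rules.tsv is available
      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: "https://staging.example.com"   # placeholder: your staging URL
          rules_file_name: ".zap/rules.tsv"       # optional per-rule WARN/IGNORE tuning
          cmd_options: "-a"                       # include alpha passive rules
          fail_action: true                       # fail the job on WARN/FAIL alerts
          allow_issue_writing: false              # report in the job log, not as GitHub issues
```

The split between the two jobs is the practical point: the Trivy job gives developers fast feedback on the pull request, while the ZAP baseline (passive, non-intrusive) runs weekly against an environment that already exists, so nobody waits on a deployment to merge. Dependency updates themselves are better left to Dependabot or Renovate configured for the `composer` ecosystem; the scans above then act as the check that those update PRs did not introduce anything new.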
The throughline: low-touch, high-value security that fits the way teams already work.
Watch the talk
Want to go deeper?
For more on how we think about platform security at Skpr, see our posts on image signatures and Kyverno, and on log anomaly detection with Terraform and Slack alerts.
Questions or feedback? Get in touch with the Skpr team.