DevSecOps in Practice: Tools That Actually Catch Vulnerabilities - Part 6: The Full Pipeline

DEV Community·Hariharan·about 1 month ago
#cicd #devops #github #security #name #report

If you've followed along from Part 1, we have built five separate scanning workflows. This final part replaces them with a single unified pipeline — one YAML file, one run, everything in the right order.

The pipeline structure

The five individual workflow files are deleted and replaced with one: .github/workflows/devsecops-pipeline.yml

```yaml
name: DevSecOps Pipeline

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

jobs:
  secret-scan:
    name: Secret Scanning - Gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sast:
    name: SAST - Bandit
    runs-on: ubuntu-latest
    needs: secret-scan
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Bandit
        run: pip install bandit
      - name: Run Bandit
        run: bandit -r app.py --severity-level high -f json -o bandit-report.json
      - name: Upload Report
        uses: …
```
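One way to check that ordering locally before pushing the file, as an added example that is not part of the original post: the script below takes the `jobs:` mapping in the form `yaml.safe_load` would return for the workflow (the sample is constructed from the two jobs in the excerpt plus two hypothetical later stages), computes the order that `needs` imposes, and lists any job that could run without the secret-scan gate having passed first.

```python
from collections import deque

# Constructed sample in the shape of the workflow's `jobs:` mapping: the two
# jobs from the excerpt plus two hypothetical later stages to show fan-in.
SAMPLE_JOBS = {
    "secret-scan": {"name": "Secret Scanning - Gitleaks"},
    "sast": {"name": "SAST - Bandit", "needs": "secret-scan"},
    "sca": {"name": "SCA (hypothetical)", "needs": "secret-scan"},
    "container-scan": {"name": "Container (hypothetical)", "needs": ["sast", "sca"]},
}


def needs_of(job):
    """`needs` may be one job id or a list; normalise to a list."""
    needs = job.get("needs", [])
    return [needs] if isinstance(needs, str) else list(needs)


def job_order(jobs):
    """Topological order of jobs by `needs` (Kahn); ValueError on unknown dep or cycle."""
    indegree = {job_id: 0 for job_id in jobs}
    dependents = {job_id: [] for job_id in jobs}
    for job_id, job in jobs.items():
        for dep in needs_of(job):
            if dep not in jobs:
                raise ValueError(f"{job_id} needs unknown job {dep!r}")
            indegree[job_id] += 1
            dependents[dep].append(job_id)
    ready = deque(sorted(j for j, d in indegree.items() if d == 0))
    order = []
    while ready:
        job_id = ready.popleft()
        order.append(job_id)
        for nxt in dependents[job_id]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(jobs):  # something never reached indegree 0: a cycle
        raise ValueError("cycle in `needs` graph")
    return order


def ungated_jobs(jobs, gate="secret-scan"):
    """Jobs that can run without `gate` succeeding first (transitively)."""
    gated = set()
    for job_id in job_order(jobs):  # dependencies are visited before dependents
        if job_id != gate and any(d == gate or d in gated for d in needs_of(jobs[job_id])):
            gated.add(job_id)
    return sorted(set(jobs) - gated - {gate})
```

Load the real file with `yaml.safe_load(open(path))["jobs"]` and pass the result to `ungated_jobs`; an empty list means every job is downstream of the secret scan.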
