GitHub Actions launched last November and has taken a little while to mature, but it has recently got to the point where you can build a fairly robust application security pipeline with it.
In most of my projects I can run a linter, an SCA tool, a SAST tool and a DAST tool against my code daily, using open source software I have used for years. In this blog post I will lay out the actions I am using and that are worth exploring.
GitHub Actions Basics
Here are some essential links and blog posts I have found useful over the last few months.
- GitHub Actions Documentation
- Scheduled GitHub Actions
- Workflow Triggers
- GitHub Actions Marketplace
- Getting started with GitHub Actions
- Security as Code: Implementing lint and gosec for Golang
A linter is a tool that analyzes source code and flags errors, bugs, stylistic issues, and suspicious constructs. Often these run inside an IDE, but it never hurts to have a centralized linter in the pipeline, especially when multiple people contribute to a repository, since it catches what a contributor's local setup missed.
GitHub's Super-Linter is the best linter I have come across and I use it on all my repositories.
Software Composition Analysis (SCA) tools detect publicly disclosed vulnerabilities in a project's dependencies. Because a dependency that was clean yesterday can have an advisory published today, SCA is the one stage that is worth running on a schedule and not only on push. Which tool you use will depend on the language you write in, but Bundler-Audit and many other tools are available in the GitHub Actions Marketplace.
Static application security testing (SAST) tools, like a linter, check source code for possible vulnerabilities and weaknesses. Once again, which SAST tool you use will depend on the language you write in, but since I mostly write in Ruby or Python I use Brakeman and PyCharm.
There is a new SAST tool called App-Threat that is trying to be the Super-Linter of SAST and might be worth looking at.
Dynamic application security testing (DAST) tools scan a live website for vulnerabilities. Running these from a GitHub Action seems counter-intuitive, but OWASP ZAP makes it so easy that it is worth doing daily as a sanity check against your other DAST scanners. The runner needs a deployed target it can reach, and that target should be one you own or are authorized to test.
Here is a good blog post on ZAP Actions, and here are the baseline and full scan actions.
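Putting the four stages above together, here is an added example workflow (my own, not code from the original post or from any of the projects it links) that runs Super-Linter, bundler-audit, Brakeman and the ZAP baseline scan on push to main and on a nightly schedule. The workflow file name, the action version tags, the Ruby version and the staging URL are assumptions; before relying on it, pin each action to a commit SHA rather than a tag and check the inputs against each action's README.

```yaml
# Hypothetical file: .github/workflows/appsec.yml
name: AppSec pipeline

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    # Nightly at 03:00 UTC. Scheduled workflows only run from the default branch.
    - cron: "0 3 * * *"

# Least privilege for the default GITHUB_TOKEN; jobs widen it only where needed.
permissions:
  contents: read

jobs:
  lint:
    name: Super-Linter
    runs-on: ubuntu-latest
    permissions:
      contents: read
      statuses: write        # Super-Linter reports per-linter commit statuses
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so Super-Linter can diff against main
      - uses: github/super-linter@v4
        env:
          DEFAULT_BRANCH: main
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sca:
    name: bundler-audit (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.2"    # assumed; match the project's .ruby-version
      - run: gem install bundler-audit
      # --update refreshes the advisory database first, so the nightly run
      # fails on advisories published since the last commit, not only since
      # the last time someone pushed.
      - run: bundler-audit check --update

  sast:
    name: Brakeman (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.2"    # assumed
      - run: gem install brakeman
      # Brakeman exits non-zero when it reports warnings, which fails the job.
      - run: brakeman -q --no-pager

  dast:
    name: OWASP ZAP baseline (DAST)
    runs-on: ubuntu-latest
    # A DAST scan needs a deployed target. Skip it for pull requests, which may
    # come from forks and do not get repository secrets anyway.
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      issues: write          # the action files a GitHub issue with the findings
    steps:
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          # Assumed staging URL; scan only targets you own or are authorized to test.
          target: "https://staging.example.com"
          token: ${{ secrets.GITHUB_TOKEN }}
          cmd_options: "-a"    # also run the alpha passive-scan rules
          fail_action: true    # fail the job when ZAP raises WARN or FAIL alerts
```

Two things to keep in mind with the schedule trigger: the cron expression is evaluated in UTC, and GitHub can delay or drop scheduled runs when runners are busy, so do not treat the nightly run as a guaranteed daily gate. The top-level `permissions` block keeps the default token read-only; each job that needs to write statuses or issues asks for exactly that scope, so a compromised third-party action in the SCA or SAST job cannot push to the repository.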
Are there any GitHub Actions I should be using? Let me know on Twitter at @jgamblin.