Build An Open Source AppSec Pipeline Using Github Actions

GitHub Actions launched last November. It took a little while to mature, but it has recently reached the point where you can build a fairly robust application security pipeline with it.

In most of my projects, I can run a linter and SCA, SAST and DAST tools against my code daily using open source software I have used for years. In this blog post, I will lay out the actions I am using that are worth exploring.

Github Actions Basics

Here are just some essential links and blog posts I have used over the last few months that I have found useful.

Lint

A linter is a tool that analyzes source code and flags errors, bugs, stylistic issues, and suspicious constructs. Often these run inside an IDE, but it never hurts to have a centralized linter, especially when multiple people are contributing to a repository.

GitHub has the best linter I have come across, Super-Linter, which I use on all my repositories.

SCA

Software Composition Analysis (SCA) tools attempt to detect publicly disclosed vulnerabilities in a project's dependencies. The tool you use will depend on the language you write in, but Bundler-Audit and many other tools are available in the GitHub Actions Marketplace.

SAST

Static application security testing (SAST) tools are like linters that check source code for possible vulnerabilities and weaknesses. Once again, which SAST tool you use will depend on the language you write in, but since I mostly write in Ruby or Python I use Brakeman and PyCharm.

There is a new SAST tool called App-Threat that is trying to be the Super-Linter of SAST; it might be worth looking at.

DAST

Dynamic application security testing (DAST) tools scan a live website for vulnerabilities. Running these from a GitHub Action seems counter-intuitive, but OWASP ZAP makes it so easy that it is worth doing daily as a sanity check against your other DAST scanners.

Here is a good blog post on the ZAP Actions, and here are the baseline scan and the full scan.
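To show how the four stages fit together in a single scheduled workflow, here is an added example (not from the original post, and not a workflow shipped by any of the projects named). It assumes a Ruby on Rails repository with a Gemfile.lock, a deployed test instance at the placeholder URL `https://staging.example.com`, and a default branch called `main`; the action version tags and the Ruby version are assumptions and should be pinned to whatever your repository actually uses.

```yaml
# Added example workflow, not from the original post.
# Assumptions: Ruby/Rails repo, default branch "main", staging URL is a placeholder.
name: appsec-pipeline

on:
  push:
    branches: [ main ]
  schedule:
    - cron: '0 6 * * *'        # daily run, as the post describes

permissions:
  contents: read               # scanners only need to read the checkout

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0       # Super-Linter diffs changed files against the default branch
      - name: Super-Linter
        uses: github/super-linter@v4
        env:
          VALIDATE_ALL_CODEBASE: false   # only lint files changed in this push
          DEFAULT_BRANCH: main
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'  # assumption: match your .ruby-version
      - name: bundler-audit (known-vulnerable gems in Gemfile.lock)
        run: |
          gem install bundler-audit
          bundle audit check --update    # refreshes the advisory DB; non-zero exit fails the job

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.1'
      - name: Brakeman
        run: |
          gem install brakeman
          brakeman -q --exit-on-warn     # fail the job on any warning; use --no-exit-on-warn to report only

  dast:
    needs: [lint, sca, sast]             # only scan the live instance once static checks pass
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP baseline scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://staging.example.com'   # placeholder: your own deployed test instance
          allow_issue_writing: false     # keeps the job within the read-only token scope above
          fail_action: true              # fail on ZAP warnings instead of just reporting
```

Two design choices worth noting: the `permissions` block keeps the workflow token read-only, which is why the ZAP step disables issue writing, and the `dast` job declares `needs` on the three static jobs so a broken build is never scanned as if it were a release candidate. For the ZAP full scan, swap `zaproxy/action-baseline` for `zaproxy/action-full-scan` with the same `target` input.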

Closing

Are there any GitHub Actions I should be using? Let me know on Twitter at @jgamblin.
