Introduction:
The increasing frequency and severity of cyber attacks have made application security (appsec) a top priority for businesses worldwide. Appsec pipelines, which are automated workflows that scan code for security vulnerabilities, have emerged as a critical tool in addressing this challenge. In this blog post, I will walk you through a simple appsec pipeline I have built using GitHub Actions, a popular automation tool.
Pipeline Overview:
The appsec pipeline consists of four stages, each of which performs a specific security check:
- Dependency Scanning: In this stage, we use the DepScan Action to scan for known vulnerabilities in the application’s dependencies. This action is configured to scan the
package.jsonfile and report any high or medium severity vulnerabilities. - Image Scanning: The Trivy Action is used in this stage to scan the Docker image used by the application. The scan is performed using the file system scan method and includes all files in the current directory.
- Code Scanning: In this stage, we use the Super-Linter Action to perform code analysis and detect potential issues. This action uses multiple linters and checks for common issues such as syntax errors, code formatting issues, and security vulnerabilities. We set the validation level to high and critical to ensure that only high-priority issues are reported.
- Nuclei Scanning: In the final stage, we use the Nuclei Action to scan the application for known vulnerabilities and security issues. This action is configured to use the
cves/templates directory and report on high and critical severity vulnerabilities.
name: Security Scan
on:
push:
branches:
- master
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: DepScan Scan
uses: AppThreat/dep-scan-action@master
with:
target-file-path: "${{ github.workspace }}/package.json"
severities: "high,medium"
- name: Trivy Scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
- name: Super-Linter
uses: github/super-linter@main
with:
commit_sha: ${{ github.sha }}
log_level: warn # or error
validation_level: high,critical
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: ${{ github.head_ref || github.ref }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Nuclei Scan
uses: projectdiscovery/nuclei-action@main
with:
target: ${{ github.repository }}
templates: cves/
severity: high,critical
output-format: json || true
verbose: true || true
Pipeline Configuration:
The pipeline is triggered automatically whenever a code change is pushed to the master branch. Each stage runs in sequence, with the results of one stage passed as input to the next stage.
The output of each stage is saved to an output file, which is used to generate a detailed report on the pipeline’s performance. We can use this report to track issues and prioritize fixes based on their severity.
Conclusion:
Building an appsec pipeline can be challenging, but it is an essential step in ensuring the security and reliability of your applications. In this blog post, we have demonstrated a simple pipeline that can be used as a starting point for building a more comprehensive pipeline. By implementing automated security checks into your development process, you can identify and fix vulnerabilities early on, reducing the risk of a security breach and improving your application’s overall security posture.