GitHub Code Scanning – Putting DevSecOps into Practice


If you’ve read Maya’s post on DevSecOps, shifting left, and GitOps, you may be wondering “how do I implement these security principles in practice?” Let’s dive deeper with a practical example: integrating static analysis into the developer workflow.

What is static analysis, and why would you integrate it into the developer workflow?

Static analysis security testing (SAST) analyzes the code you and your team have written for vulnerabilities. Also known as code scanning, it works by transforming your code into a queryable format and then looking for vulnerable patterns in it, like sending unsanitized user data to a database call. You can think of static analysis tools as souped-up linters (though doing so is doing them a disservice—modeling data flows across files and function boundaries is hard).

Static analysis security testing tends to happen late in the development cycle, as part of a security review. Moving that testing into the main developer workflow, so that every pull request is analyzed with static analysis, is a perfect example of “shifting security left.”

Why integrate static analysis into the developer workflow? For all the reasons laid out in Maya’s post on the DevSecOps approach. Integrated well, it means security issues are found during everyday code review and can be fixed before getting anywhere near production.

Challenges shifting static analysis left, and how to solve them

If integrating static analysis into the developer workflow is such a great idea, why isn’t everyone doing it? Mainly because it’s hard, and because done wrong it can be harmful. Let’s dig into some of the challenges, and how to fix them.

To be integrated into the pull request workflow, a tool needs to be fast. Introducing a slow static analysis tool increases the time your engineering team spends waiting for CI, which is a surefire way to burn developer productivity. Context switching will go up as happiness and output go down. To avoid that fate (or the more likely one where the project to shift left gets aborted), monitor the impact of new analysis on your CI time carefully, and move slow queries or tools out of the main CI loop and onto a (regular!) schedule.

Tools in the pull request workflow also need to be precise. Introducing a noisy static analysis tool is a quick way to train an engineering team to ignore automated security findings completely. Industry best practice is to target a false positive rate of 10 percent or lower for results shown in pull requests, but achieving such a low false positive rate is hard. The solution? Don’t shift all security scanning left—noisier checks can continue to be run and reviewed by the security team, while high-precision ones are moved into the developer workflow. A great static analysis tool should also make it easy to iteratively improve its queries.

Finally, tools integrated into the pull request workflow need to be designed for developers to review, not security teams. Static analysis security testing can surface results but, at least for now, it takes humans to fix them. Only new findings, caused by the changes proposed in the pull request, should be shown in the context of a pull request review. Each result needs to be described clearly enough for a developer new to security to understand why it might be important. And if a result is dismissed as a false positive, it needs to be easy for the security team to later understand why.

Defining static analysis configuration as code

Maya’s post also mentioned the benefits of defining configuration as code, particularly when stored in a Git repository. Let’s take static analysis as a practical example.

With any static analysis tool, there’s configuration required. You need to specify when to run the analysis (every push / every pull request / every day), how to analyze the project (for compiled languages this often requires details of how to build it), and what analysis to run (which queries, any paths to ignore, and so on).

A file committed to the repository being analyzed is the ideal place to store that configuration. It’s immediately visible to anyone with access to the repository and has the same version control and change management as the software being scanned.
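As an added example (not code from the original post or from GitHub's own documentation), here is what such a committed configuration file can look like as a GitHub Actions workflow. It covers the three decisions just listed (when to run, how to analyze, what to run) and also applies the earlier advice on speed and precision: the high-precision default query suite runs on every pull request, while the broader and noisier suite runs on a weekly schedule for the security team to review. The action versions, the `python` language, the branch name, the ignored paths and the inline `config` input are assumptions made for this example.

```yaml
# Assumed location: .github/workflows/codeql.yml (example, not from the post)
name: "CodeQL code scanning"

on:
  # WHEN: fast, precise analysis on every pull request and push to main
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]
  # WHEN: slower / noisier queries run on a regular schedule, outside the PR loop
  schedule:
    - cron: "0 3 * * 1"   # 03:00 UTC every Monday (assumed cadence)

permissions:
  contents: read
  security-events: write  # required to upload results to code scanning

jobs:
  # Runs in the pull request workflow: default, high-precision query suite only
  pr-scan:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python          # assumed project language
          # WHAT: inline config (assumed to match a codeql-config.yml); paths the
          # security team agreed to leave out of pull request results
          config: |
            paths-ignore:
              - tests
              - vendor
      # HOW: for compiled languages an explicit build step would sit here
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"

  # Runs on the schedule: broader suite, reviewed by the security team, not in PRs
  scheduled-scan:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-extended  # wider, noisier query suite
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python-extended"
```

Because the file lives in the repository, changing which paths are ignored or which suite runs on pull requests goes through the same review and history as any other code change, which is the point made above about version control and change management. Keeping the two suites in separate jobs with different `category` values keeps their results distinguishable in the code scanning UI, so a developer looking at a pull request sees only the high-precision findings.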

GitHub code scanning

With all of the above in mind, we’ve built GitHub code scanning to help you shift security left.

Code scanning puts the developer experience first at every step. The static analysis engine at its core, CodeQL, is fast and powerful—able to find real security issues without the noise. The queries it runs are precise, configurable, and are constantly being improved by the open source community. Results are displayed in in-line pull request comments, with detailed descriptions and remediation advice. All configuration happens as code in a GitHub Actions workflow file.

Sign up for the beta to try code scanning for yourself.


Looking for easier ways to keep your code secure? Stay tuned for upcoming posts in this series or check out our security ebook.
