Automate WebApp Security Testing using GitHub Actions (from StackHawk team)

Rate this content
Bookmark

Software development has changed - Frequent deployments, APIs, GraphQL, Cloud Architecture and CI/CD Automation are the norm. So why is security testing the same way it was a decade ago?


Leading teams are realizing that periodical penetration testing and security audits is not enough when code is being shipped daily. Instead, these teams are using developer-centric tools to run automated security testing in a CI/CD pipeline. Join Zachary Conger as he walks through how to automate application JS security testing using GitHub actions.

This workshop has been presented at TestJS Summit 2022, check out the latest edition of this JavaScript Conference.

FAQ

The main focus of the Test.js workshop is to automate web app security testing using Java and React, and to integrate security testing into the CI/CD pipeline using GitHub Actions.

Participants can join the Discord channel by clicking on the provided Discord link, joining the October 2022 web app security testing channel, and giving a thumbs up to the welcome message in the general channel.

GitHub Actions is a CI/CD system built into GitHub that automates software workflows, including building, testing, and deploying code. In the workshop, it is used to automate the build and test routine for a Node.js application.

The workshop introduces several tools for security testing, including Dependabot for scanning dependencies, CodeQL for scanning code bases for vulnerabilities, and StackHawk, a DAST utility for dynamic application security testing.

Attendees can fork and set up the sample application by accessing a specific GitHub repository link provided during the workshop, clicking the 'Fork' button, and then following instructions to create necessary workflow files using GitHub Actions.

To configure Dependabot, attendees need to navigate to the Settings section of their forked repository, enable the dependency graph, dependency alerts, and Dependabot security updates under the 'Code Security and Analysis' settings.

The StackHawk scanner is configured by creating a stackhawk.yml file with specific application details and API keys. It is used to perform dynamic security testing against the running application in the CI/CD pipeline.

CodeQL is used in the workshop to scan the codebase for vulnerable patterns that could lead to security issues. It helps identify potential vulnerabilities directly in the source code, enhancing the security testing process.

Participants verify their actions and progress by committing changes to their GitHub repository, observing the execution of GitHub Actions workflows, and checking the results of security scans and tests through the GitHub interface and StackHawk platform.

Zachary Conger
Zachary Conger
87 min
27 Oct, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Welcome to the Test.js and DevSecOps workshops, where we automate web app security testing using Java, React, and StackHawk's DAST utility. We cover setting up GitHub Actions, scanning dependencies with Dependabot, using CodeQL for static analysis, and running StackHawk's DaaST scanner for runtime vulnerability testing. The workshops provide step-by-step instructions for setting up workflows, configuring security testing tools, and reviewing scan results to identify and fix vulnerabilities in the codebase.

1. Introduction to Test.js Workshop

Short description:

Welcome to Test.js workshop. We'll be automating web app security testing using Java and React. Fork a repo, submit questions, and subject the application to automated build and test routines using GitHub actions. Join our Discord server and the October 2022 web app security testing channel. Give a thumbs up in the general channel and the web app security testing channel to participate.

Welcome to Test.js workshop. Invitees and attendees, it's great to see everybody on here. I wanted to welcome you to our little show that we've got, what we're going to do today is. Automate web app security testing using Java and React. Is a web browser.

It helps to have a Discord, the Discord app, we're going to be doing a lot of chatting in discord, and I'll tell you about that in a minute. But what we're going to do basically is we're going to, we're going to fork a repo for a sample application, a node.js application. And what we're doing in this workshop is we're going to ask you guys to submit questions application, a node.js application. And we're going to subject that to an automated build and test routine using GitHub actions, which is GitHub's CICD system that's built into GitHub, and it's free for use for anybody for up to, like, 2000 minutes a month, something like that.

So we're going to build that application, and then we're going to subject it to a bunch of testing, a variety of different security tests. And again, all you really need is a web browser, because everything we're going to be doing is through the GitHub web interface so that we can create files, fork a repo, create file, the files that we need, run the test that we need using GitHub actions and so forth. What you need for this, really, the primary thing that you need to join us is to join our Discord. And to join the October 2022 web app security testing channel in Discord. So, I'm going to post that link here for everybody. So, if you can go to the first link that I provide, the discord.gg.xnmb.. Click that link and you should join our Discord server. And then from there, in the general channel, just give a thumbs up to our welcome message. That'll allow you to see the rest of the channels. Then once you're there, join that October 2022 web app security testing channel. And then when you get into that web app security testing channel, give us a thumbs up there too, so that we know that you're in there.

2. Getting Started with the Workshop

Short description:

We already have a question. So, it seems that I cannot check out the repos. Don't worry about that. You can just look at the repo through our website. When you get to this workshop GitHub actions GitHub repo, all you really need from there is this readme, and you can click on links to get to stuff in there. The first thing we'll be doing when we create the app is we're going to fork another repo. Looks like we've got folks joining in on the discord server. So, here's the workbook, or the guide book for the workshop that we'll be going through. If any of this stuff is not working, you should still be able to follow along. Again, really all you need is a web browser and access to GitHub, so a GitHub account. Feel free to drop questions and help each other out in the Discord chat. I'll just begin with a slide.

We already have a question. This is awesome. So, it seems that I cannot check out the repos. Don't worry about that. You can just look at the repo through our website. We're just following along in the readme that's in there. So, I'll show you what that looks like. When you get to this workshop GitHub actions GitHub repo, all you really need from there is this readme, and you can click on links to get to stuff in there.

The first thing we'll be doing when we create the app is we're going to fork another repo. All right. Looks like we've got folks joining in on the discord server. A GitHub link in the discussion panel window. I think we mean this window. So, let me give you this link. So, here's the workbook, or the guide book for the workshop that we'll be going through. If any of this stuff is not working, you should still be able to follow along. Again, really all you need is a web browser and access to GitHub, so a GitHub account. I'm going to go ahead and begin. Feel free to drop questions and help each other out in the Discord chat. And Mimi, if you can help folks along who are running into trouble, that would be awesome. I'll just begin with a slide. Thank you.

QnA

Watch more workshops on topic

Master JavaScript Patterns
JSNation 2024JSNation 2024
145 min
Master JavaScript Patterns
Featured Workshop
Adrian Hajdin
Adrian Hajdin
During this workshop, participants will review the essential JavaScript patterns that every developer should know. Through hands-on exercises, real-world examples, and interactive discussions, attendees will deepen their understanding of best practices for organizing code, solving common challenges, and designing scalable architectures. By the end of the workshop, participants will gain newfound confidence in their ability to write high-quality JavaScript code that stands the test of time.
Points Covered:
1. Introduction to JavaScript Patterns2. Foundational Patterns3. Object Creation Patterns4. Behavioral Patterns5. Architectural Patterns6. Hands-On Exercises and Case Studies
How It Will Help Developers:
- Gain a deep understanding of JavaScript patterns and their applications in real-world scenarios- Learn best practices for organizing code, solving common challenges, and designing scalable architectures- Enhance problem-solving skills and code readability- Improve collaboration and communication within development teams- Accelerate career growth and opportunities for advancement in the software industry
Integrating LangChain with JavaScript for Web Developers
React Summit 2024React Summit 2024
92 min
Integrating LangChain with JavaScript for Web Developers
Featured Workshop
Vivek Nayyar
Vivek Nayyar
Dive into the world of AI with our interactive workshop designed specifically for web developers. "Hands-On AI: Integrating LangChain with JavaScript for Web Developers" offers a unique opportunity to bridge the gap between AI and web development. Despite the prominence of Python in AI development, the vast potential of JavaScript remains largely untapped. This workshop aims to change that.Throughout this hands-on session, participants will learn how to leverage LangChain—a tool designed to make large language models more accessible and useful—to build dynamic AI agents directly within JavaScript environments. This approach opens up new possibilities for enhancing web applications with intelligent features, from automated customer support to content generation and beyond.We'll start with the basics of LangChain and AI models, ensuring a solid foundation even for those new to AI. From there, we'll dive into practical exercises that demonstrate how to integrate these technologies into real-world JavaScript projects. Participants will work through examples, facing and overcoming the challenges of making AI work seamlessly on the web.This workshop is more than just a learning experience; it's a chance to be at the forefront of an emerging field. By the end, attendees will not only have gained valuable skills but also created AI-enhanced features they can take back to their projects or workplaces.Whether you're a seasoned web developer curious about AI or looking to expand your skillset into new and exciting areas, "Hands-On AI: Integrating LangChain with JavaScript for Web Developers" is your gateway to the future of web development. Join us to unlock the potential of AI in your web projects, making them smarter, more interactive, and more engaging for users.
Using CodeMirror to Build a JavaScript Editor with Linting and AutoComplete
React Day Berlin 2022React Day Berlin 2022
86 min
Using CodeMirror to Build a JavaScript Editor with Linting and AutoComplete
Top Content
WorkshopFree
Hussien Khayoon
Kahvi Patel
2 authors
Using a library might seem easy at first glance, but how do you choose the right library? How do you upgrade an existing one? And how do you wade through the documentation to find what you want?
In this workshop, we’ll discuss all these finer points while going through a general example of building a code editor using CodeMirror in React. All while sharing some of the nuances our team learned about using this library and some problems we encountered.
API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
Testing Web Applications Using Cypress
TestJS Summit - January, 2021TestJS Summit - January, 2021
173 min
Testing Web Applications Using Cypress
WorkshopFree
Gleb Bahmutov
Gleb Bahmutov
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.
React Server Components Unleashed: A Deep Dive into Next-Gen Web Development
React Day Berlin 2023React Day Berlin 2023
149 min
React Server Components Unleashed: A Deep Dive into Next-Gen Web Development
Workshop
Maurice de Beijer
Maurice de Beijer
Get ready to supercharge your web development skills with React Server Components! In this immersive, 3-hour workshop, we'll unlock the full potential of this revolutionary technology and explore how it's transforming the way developers build lightning-fast, efficient web applications.
Join us as we delve into the exciting world of React Server Components, which seamlessly blend server-side rendering with client-side interactivity for unparalleled performance and user experience. You'll gain hands-on experience through practical exercises, real-world examples, and expert guidance on how to harness the power of Server Components in your own projects.
Throughout the workshop, we'll cover essential topics, including:- Understanding the differences between Server and Client Components- Implementing Server Components to optimize data fetching and reduce JavaScript bundle size- Integrating Server and Client Components for a seamless user experience- Strategies for effectively passing data between components and managing state- Tips and best practices for maximizing the performance benefits of React Server Components

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Scaling Up with Remix and Micro Frontends
Remix Conf Europe 2022Remix Conf Europe 2022
23 min
Scaling Up with Remix and Micro Frontends
Top Content
This talk discusses the usage of Microfrontends in Remix and introduces the Tiny Frontend library. Kazoo, a used car buying platform, follows a domain-driven design approach and encountered issues with granular slicing. Tiny Frontend aims to solve the slicing problem and promotes type safety and compatibility of shared dependencies. The speaker demonstrates how Tiny Frontend works with server-side rendering and how Remix can consume and update components without redeploying the app. The talk also explores the usage of micro frontends and the future support for Webpack Module Federation in Remix.
Full Stack Components
Remix Conf Europe 2022Remix Conf Europe 2022
37 min
Full Stack Components
Top Content
RemixConf EU discussed full stack components and their benefits, such as marrying the backend and UI in the same file. The talk demonstrated the implementation of a combo box with search functionality using Remix and the Downshift library. It also highlighted the ease of creating resource routes in Remix and the importance of code organization and maintainability in full stack components. The speaker expressed gratitude towards the audience and discussed the future of Remix, including its acquisition by Shopify and the potential for collaboration with Hydrogen.
Debugging JS
React Summit 2023React Summit 2023
24 min
Debugging JS
Top Content
Watch video: Debugging JS
Debugging JavaScript is a crucial skill that is often overlooked in the industry. It is important to understand the problem, reproduce the issue, and identify the root cause. Having a variety of debugging tools and techniques, such as console methods and graphical debuggers, is beneficial. Replay is a time-traveling debugger for JavaScript that allows users to record and inspect bugs. It works with Redux, plain React, and even minified code with the help of source maps.
Making JavaScript on WebAssembly Fast
JSNation Live 2021JSNation Live 2021
29 min
Making JavaScript on WebAssembly Fast
Top Content
WebAssembly enables optimizing JavaScript performance for different environments by deploying the JavaScript engine as a portable WebAssembly module. By making JavaScript on WebAssembly fast, instances can be created for each request, reducing latency and security risks. Initialization and runtime phases can be improved with tools like Wiser and snapshotting, resulting in faster startup times. Optimizing JavaScript performance in WebAssembly can be achieved through techniques like ahead-of-time compilation and inline caching. WebAssembly usage is growing outside the web, offering benefits like isolation and portability. Build sizes and snapshotting in WebAssembly depend on the application, and more information can be found on the Mozilla Hacks website and Bike Reliance site.
Automating All the Code & Testing Things with GitHub Actions
React Advanced Conference 2021React Advanced Conference 2021
19 min
Automating All the Code & Testing Things with GitHub Actions
Top Content
We will learn how to automate code and testing with GitHub Actions, including linting, formatting, testing, and deployments. Automating deployments with scripts and Git hooks can help avoid mistakes. Popular CI-CD frameworks like Jenkins offer powerful orchestration but can be challenging to work with. GitHub Actions are flexible and approachable, allowing for environment setup, testing, deployment, and custom actions. A custom AppleTools Eyes GitHub action simplifies visual testing. Other examples include automating content reminders for sharing old content and tutorials.
Webpack in 5 Years?
JSNation 2022JSNation 2022
26 min
Webpack in 5 Years?
Top Content
In the last 10 years, Webpack has shaped the way we develop web applications by introducing code splitting, co-locating style sheets and assets with JavaScript modules, and enabling bundling for server-side processing. Webpack's flexibility and large plugin system have also contributed to innovation in the ecosystem. The initial configuration for Webpack can be overwhelming, but it is necessary due to the complexity of modern web applications. In larger scale applications, there are performance problems in Webpack due to issues with garbage collection, leveraging multiple CPUs, and architectural limitations. Fixing problems in Webpack has trade-offs, but a rewrite could optimize architecture and fix performance issues.