JS Security Testing in GitHub Actions


Leading teams are realizing that periodic penetration tests and security audits are not enough when code is being shipped daily. Instead, these teams are using developer-centric tools to run automated security testing in a CI/CD pipeline. Join Zachary Conger as he walks through how to automate JavaScript application security testing using GitHub Actions.

This workshop has been presented at JSNation Live 2021, check out the latest edition of this JavaScript Conference.

FAQ

Participants need a GitHub account, a GitHub repository, and a StackHawk account ready before joining the session.

To set up automated security testing in GitHub Actions, you need to fork a repository, set up a GitHub Actions workflow, and configure security features like SCA, SAST, and DAST for your application.

The session covers three types of security testing: Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).

Dependabot is a GitHub feature (enabled per repository, alongside GitHub Actions) that performs Software Composition Analysis (SCA): it checks the dependencies declared in your manifests and lockfiles against known vulnerabilities and automatically opens pull requests that bump affected packages to patched versions.
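As an added example (not a file from the workshop repository), the following `.github/dependabot.yml` turns on scheduled version updates for an npm project. Security updates for vulnerable dependencies are switched on separately in the repository's Settings > Code security page; this file controls the routine update PRs. The weekly interval and PR limit are arbitrary choices:

```yaml
# .github/dependabot.yml  (added example, not the workshop's own file)
version: 2
updates:
  - package-ecosystem: "npm"   # scan package.json / package-lock.json
    directory: "/"             # location of the manifest relative to the repo root
    schedule:
      interval: "weekly"       # how often Dependabot looks for newer versions
    open-pull-requests-limit: 10   # cap on concurrently open update PRs
```

The resulting pull requests run the same CI workflow as any other push, so the SAST and DAST steps described below also exercise every dependency bump before it is merged.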

Static Application Security Testing (SAST) is a type of security testing that analyzes source code to find security vulnerabilities. In GitHub Actions, CodeQL and other tools like SonarQube and Checkmarx can be used for SAST.

Dynamic Application Security Testing (DAST) operates on running applications, probing services like APIs or web applications to detect vulnerabilities based on responses. It differs from SAST, which analyzes static source code instead of the running application.

To integrate StackHawk, add a StackHawk configuration file to your repository, set up the StackHawk API key as a secret in GitHub, and add a step in your GitHub Actions workflow to run the StackHawk scan.
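A minimal `stackhawk.yml` at the repository root, added here as an example rather than taken from the workshop, looks like this. The `applicationId` is a placeholder; the real value comes from the application you create in the StackHawk platform, and the host/port assume the app listens on port 3000 inside the CI job:

```yaml
# stackhawk.yml  (added example; values below are placeholders)
app:
  # Placeholder UUID; replace with the application ID shown in StackHawk
  applicationId: 00000000-0000-0000-0000-000000000000
  # Environment label used to group scan results in the StackHawk UI
  env: Development
  # Base URL of the running application the scanner should probe
  # (port 3000 is an assumption about the example app)
  host: http://localhost:3000
```

Because DAST needs a live target, the workflow must start the application before the scan step runs; the StackHawk API key itself never belongs in this file and is read from a GitHub secret instead.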

GitHub Actions is a CI/CD system integrated into GitHub, allowing automated build, test, and deployment processes based on events like code pushes or pull requests.

In your GitHub Actions workflow file, you can specify the branch by setting the 'on.push.branches' attribute to trigger workflows only on changes to the specified branch.
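Putting the pieces together, here is a complete workflow (an added example, not the workshop's own file) that triggers only on `main`, runs CodeQL as the SAST step, and then builds, starts and scans the application with StackHawk. The `npm start` command, the five-second startup wait, the `HAWK_API_KEY` secret name and the `apiKey` input of `stackhawk/hawkscan-action` are assumptions for this illustration:

```yaml
# .github/workflows/security.yml  (added example, not the workshop's own file)
name: JS security tests

on:
  push:
    branches: [ main ]         # on.push.branches: run only for pushes to main
  pull_request:
    branches: [ main ]         # also run for pull requests targeting main

jobs:
  sast:
    name: SAST (CodeQL)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed so CodeQL can upload findings to the Security tab
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2

  dast:
    name: DAST (StackHawk)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - run: npm ci
      # Start the app in the background so the scanner has a live target.
      # "npm start" and the 5 s wait are assumptions about the example app.
      - run: npm start &
      - run: sleep 5
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2
        with:
          # API key stored under Settings > Secrets and variables > Actions;
          # the secret name and the input name are assumptions here
          apiKey: ${{ secrets.HAWK_API_KEY }}
```

The two jobs run in parallel: CodeQL needs only the source tree, while the DAST job needs a running instance, which is why it installs dependencies and starts the server first. Keeping `security-events: write` scoped to the SAST job follows least privilege for the workflow's `GITHUB_TOKEN`.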

GitHub Actions simplifies integrating security testing into your CI/CD pipeline, supports a wide range of security tools through the marketplace, and is event-driven, which helps automate testing based on code changes or specified conditions.

Zachary Conger
16 Jun, 2021