JS Security Testing in GitHub Actions


Software development has changed: frequent deployments, APIs, GraphQL, cloud architecture and CI/CD automation are the norm. So why is security testing still done the way it was a decade ago?

Leading teams are realizing that periodic penetration tests and security audits are not enough when code is shipped daily. Instead, these teams are using developer-centric tools to run automated security testing inside the CI/CD pipeline. Join Zachary Conger as he walks through how to automate JavaScript application security testing using GitHub Actions.

This workshop was presented at TestJS Summit 2021; check out the latest edition of this JavaScript conference.

FAQ

StackHawk is a Dynamic Application Security Testing (DAST) tool built for CI/CD environments. It is built on the OWASP ZAP scanning engine and performs automated security testing of web applications and APIs. StackHawk scans your running application for vulnerabilities and produces detailed findings that can be triaged from the pipeline, so the scan fits into a development workflow without requiring deep security expertise.

Security testing can be integrated into your CI/CD pipeline using tools like StackHawk for DAST, CodeQL for SAST, and Dependabot for SCA. These tools run as workflow steps on every push or pull request, scanning for vulnerabilities and reporting findings back to the repository. Running them this way catches security issues early in the development cycle, before the code reaches production.
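The following GitHub Actions workflow is an added example of wiring the SAST and DAST steps together; it is not the workshop's own workflow. It assumes a Node.js application that starts with `npm start` and listens on port 3000, a `stackhawk.yml` in the repository root, and a StackHawk API key stored as the repository secret `HAWK_API_KEY`. The action names are the real published actions, but the version tags and the app details are assumptions.

```yaml
# .github/workflows/security.yml  (added example; not from the talk)
name: security-tests

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # lets CodeQL upload its SARIF results to Code Scanning

jobs:
  sast:
    name: CodeQL (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

  dast:
    name: HawkScan (DAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # A DAST scan needs a running target: start the app in the background
      # and poll until it answers. Port 3000 and the "/" route are assumptions.
      - name: Start the application
        run: |
          npm start &
          for i in $(seq 1 30); do
            curl -fs http://localhost:3000/ >/dev/null && exit 0
            sleep 1
          done
          echo "application did not start" >&2
          exit 1
      - uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
          configurationFiles: stackhawk.yml
```

The two jobs run in parallel: CodeQL needs only the source, while HawkScan needs a live instance of the application, so the DAST job installs dependencies, boots the app and fails fast if it never becomes reachable rather than scanning nothing.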

Three main types of security testing can be automated in your pipeline: Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). SCA checks for vulnerabilities in third-party libraries, SAST analyzes your source code for security flaws, and DAST tests your running applications to find vulnerabilities that only appear during execution.

Dependabot is a tool that scans your project dependencies for known vulnerabilities. When a vulnerability is detected, Dependabot can automatically open a pull request that updates the dependency to a patched version. This helps maintain the security of your application by keeping dependencies up to date and free from known vulnerabilities.
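As an added example (not configuration from the talk), the file below turns on Dependabot version updates for an npm project. Note the distinction: the security-update pull requests described above are enabled in the repository's Security settings (Dependabot alerts and security updates), while `.github/dependabot.yml` schedules the regular version-update checks. The schedule values and the decision to also track GitHub Actions are assumptions.

```yaml
# .github/dependabot.yml  (added example; not from the talk)
version: 2
updates:
  # Check package.json / package-lock.json in the repository root every day.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Also keep the third-party actions used in workflows up to date; a
  # compromised action is a supply-chain risk just like a compromised package.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```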

CodeQL is a code analysis engine used for Static Application Security Testing (SAST). It treats your code as data: the source is compiled into a queryable database, and CodeQL runs a suite of queries against it to identify potentially vulnerable patterns, such as untrusted input flowing into a dangerous sink. Findings are reported alongside the code, so developers can address them directly within the development workflow.

Yes, StackHawk supports authenticated scans, which are essential for testing protected endpoints that require authentication tokens or cookies; an unauthenticated scan sees only the login page and the public surface. It can handle various authentication mechanisms, including form-based authentication, JSON Web Tokens (JWT), and session cookies, so the scan covers the application as a logged-in user would see it. Use a dedicated test account in a non-production environment for the scan, since the crawler will exercise every reachable state-changing request with that identity.
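The `stackhawk.yml` below is an added example of an authenticated scan configuration for an illustrative Express application, not the workshop's own file. The `app` fields, the login path, the cookie name and the `/account` test path are assumptions about that sample app; the credentials are read from environment variables so they never land in the repository. A commented alternative shows the shape used when the login endpoint returns a JWT instead of a session cookie.

```yaml
# stackhawk.yml  (added example; values below are assumptions for a sample app)
app:
  applicationId: 00000000-0000-0000-0000-000000000000   # placeholder; taken from the StackHawk app settings
  env: Development
  host: http://localhost:3000
  authentication:
    # Regexes applied to responses to decide whether the scanner is still logged in.
    loggedInIndicator: "\\QSet-Cookie: session\\E"
    loggedOutIndicator: ".*Location:.*/login.*"

    # Form login: HawkScan POSTs these fields to loginPath before it starts crawling.
    usernamePassword:
      type: FORM
      loginPath: /login
      usernameField: username
      passwordField: password
      scanUsername: ${SCAN_USERNAME}   # provided as CI environment variables, not committed
      scanPassword: ${SCAN_PASSWORD}

    # Replay the session cookie issued by the login response on every request.
    cookieAuthorization:
      cookieNames:
        - session

    # After logging in, fetch this path and require a 200 to prove the login worked;
    # a failed check stops the scan instead of silently scanning as anonymous.
    testPath:
      path: /account
      success: ".*200.*"

    # Alternative for a JSON API that returns a JWT (replace the two sections above):
    # usernamePassword:
    #   type: JSON
    #   loginPath: /api/login
    #   usernameField: username
    #   passwordField: password
    #   scanUsername: ${SCAN_USERNAME}
    #   scanPassword: ${SCAN_PASSWORD}
    # tokenExtraction:
    #   type: TOKEN_PATH
    #   value: token              # JSON field in the login response holding the JWT
    # tokenAuthorization:
    #   type: HEADER
    #   value: Authorization
    #   tokenType: Bearer
```

The `testPath` check is the part most often skipped and most worth keeping: without it, an expired test account or a changed login form turns an authenticated scan into an unauthenticated one that still reports green.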

Zachary Conger
16 Nov, 2021