JS Security Testing in GitHub Actions


Software development has changed: frequent deployments, APIs, GraphQL, cloud architecture and CI/CD automation are the norm. So why is security testing still done the way it was a decade ago?

Leading teams are realizing that periodic penetration testing and security audits are not enough when code is being shipped daily. Instead, these teams are using developer-centric tools to run automated security testing in a CI/CD pipeline. Join Zachary Conger as he walks through how to automate JavaScript application security testing using GitHub Actions.

This workshop was presented at Node Congress 2022; check out the latest edition of this JavaScript conference.

FAQ

JS security testing involves identifying and fixing security vulnerabilities in JavaScript applications. It typically includes static analysis, dynamic analysis, and software composition analysis to ensure the code is secure.

GitHub Actions is a CI/CD (Continuous Integration/Continuous Deployment) system built into your GitHub repository. It allows you to automate workflows, such as building and testing code, based on various triggers like pull requests or commits.

Participants should have access to the Discord server for communication and a GitHub account. It is also recommended to check out the workshop guidebook available at GitHub.com/caca/workshop-GitHub-actions.

You can ask questions in the chat during the workshop. Nick, who is in the chat, is very helpful with any problems you might encounter.

StackHawk is a company that develops a DAST (Dynamic Application Security Testing) scanner called HawkScan. HawkScan scans running applications for vulnerabilities and is based on the open-source OWASP ZAP utility.

The three types of security testing discussed are Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).

Dependabot is a tool that performs Software Composition Analysis (SCA) by scanning your application's dependencies for known vulnerabilities. It can automatically issue pull requests to update vulnerable dependencies.

CodeQL is a Static Application Security Testing (SAST) tool that analyzes your codebase for vulnerable patterns. It can identify issues like SQL injection and cross-site scripting by examining the code itself.

StackHawk's HawkScan can be integrated into CI/CD pipelines by adding specific steps in your workflow files. It runs dynamic security tests on your running application and sends results to the StackHawk platform for analysis.

GitHub Actions allows you to automate workflows directly within your GitHub repository. It supports event-driven triggers, has built-in secrets management, and offers 2,000 free minutes per month for personal accounts, making it a powerful and cost-effective CI/CD tool.
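The following two files are an added example, not code from the workshop, StackHawk or GitHub, showing how the three test types from this FAQ are wired into a GitHub Actions pull-request check: Dependabot (SCA) is configured in `.github/dependabot.yml`, while CodeQL (SAST) and HawkScan (DAST) run as workflow steps. The action names and inputs (`github/codeql-action`, `stackhawk/hawkscan-action`) are the public ones; the secret name `HAWK_API_KEY`, the `npm start` command, port 3000 and the pinned action versions are assumptions.

```yaml
# File: .github/dependabot.yml  (SCA: Dependabot is configured here, not as a workflow step)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
---
# File: .github/workflows/security.yml  (SAST + DAST on every pull request)
name: security-tests

on:
  pull_request:            # event-driven trigger: runs on every PR
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # CodeQL uploads its findings as code-scanning alerts

jobs:
  sast-codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2

  dast-hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - run: npm ci
      # DAST needs a running target: start the app in the background and wait
      # until it answers before scanning (assumes it listens on port 3000).
      - run: |
          npm start &
          for i in $(seq 1 30); do
            curl -fsS http://localhost:3000/ >/dev/null && break
            sleep 1
          done
      - uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}   # assumed secret name; stored in repository secrets, never in the file
```

HawkScan reads the target URL and application id from a `stackhawk.yml` in the repository root, so the workflow only has to supply the API key through the built-in secrets store. Because the workflow runs on `pull_request`, a finding from any of the three scanners appears on the PR before the change is merged, which is the point of moving security testing into the pipeline rather than into a periodic audit.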

Zachary Conger
14 Feb, 2022