JS Security Testing in GitHub Actions


This workshop focuses on automating software composition analysis (SCA), static application security testing (SAST) and dynamic application security testing (DAST) with GitHub Actions. After a brief introduction covering the different types of application security testing and why vulnerabilities should be found before they reach production, we move into a hands-on session in which participants add three different security testing tools to their build pipelines.

This workshop was presented at React Summit 2022; check out the latest edition of this React conference.

FAQ

To follow along with the JS security testing in GitHub Actions workshop, you need a GitHub account and a web browser. All activities will be conducted in the browser.

To join the Discord server for the workshop, follow the directions posted in the Zoom chat by the workshop organizers. They will provide a link to the Discord server and instructions for joining.

Dependabot is GitHub's built-in software composition analysis feature. It does not run as a step inside your workflow; instead, GitHub scans the dependency manifests and lockfiles in your repository (for example package.json and package-lock.json) against the GitHub Advisory Database, raises an alert for each dependency with a known vulnerability, and opens a pull request that bumps the affected package to a patched version where one exists.

The workshop covers three types of security testing: Software Composition Analysis (SCA) using Dependabot, Static Application Security Testing (SAST) using CodeQL, and Dynamic Application Security Testing (DAST) using StackHawk.

To enable Dependabot alerts and security updates, go to your GitHub repository's settings, navigate to 'Code security and analysis,' and enable 'Dependency graph,' 'Dependabot alerts,' and 'Dependabot security updates.'

CodeQL is a Static Application Security Testing (SAST) tool. It builds a queryable database from your source code and runs a library of security queries over it to find vulnerable patterns such as unsanitized data flowing into a dangerous sink. In the workshop it is configured as a GitHub Actions workflow that runs on pushes, on pull requests, and on a weekly schedule; results are uploaded to the repository's code scanning alerts, which requires the workflow to have the security-events: write permission.
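The following workflow is an added example, not the workshop's own material, showing how the three triggers described above fit together for a JavaScript project. The branch name, cron expression and query suite are assumptions; adjust them for your repository.

```yaml
# .github/workflows/codeql.yml
name: CodeQL

on:
  push:
    branches: [main]          # assumption: default branch is "main"
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'      # weekly, Monday 03:30 UTC, catches newly published queries

# Least privilege: the job only needs to read the checkout and upload findings.
permissions:
  contents: read
  security-events: write      # required to publish results to code scanning alerts

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript         # also covers TypeScript
          queries: security-extended    # assumption: broader suite than the default

      # No build step is needed for interpreted languages; the analyze step
      # creates the database from source and runs the queries over it.
      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript"
```

Because this workflow, like any other, executes third-party actions with access to the repository, a practitioner would pin each `uses:` reference to a full commit SHA rather than a floating tag before relying on it for supply-chain-sensitive projects.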

StackHawk is a Dynamic Application Security Testing (DAST) tool. Rather than reading source code, it tests the running application by sending crafted HTTP requests and analyzing the responses for vulnerabilities, so the application must be started and reachable from the runner before the scan begins. It integrates with GitHub Actions to automate security scans as part of your CI/CD pipeline.

To add StackHawk to your GitHub Actions workflow, create a StackHawk YAML configuration file, store your StackHawk API key as a GitHub secret, and update your GitHub Actions workflow file to include steps to start your application and run the StackHawk scan.

Yes. Add a failureThreshold setting under the hawk section of your StackHawk YAML file (hawk.failureThreshold: high). The scanner then exits non-zero when it finds a vulnerability at or above that severity, which fails the GitHub Actions step and therefore the workflow.
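Putting the StackHawk steps above together, the following pair of files is an added example (not the workshop's own configuration). The application ID is a placeholder you obtain from the StackHawk dashboard, the API key is read from a GitHub secret named HAWK_API_KEY, and the application is assumed to be a Node project that listens on port 3000 after `npm start`.

```yaml
# stackhawk.yml (repository root)
app:
  applicationId: <your-application-id>   # placeholder: copy from the StackHawk app settings
  env: Development
  host: http://localhost:3000            # must match where the workflow starts the app
hawk:
  failureThreshold: high                 # any high-severity finding fails the scan step
---
# .github/workflows/dast.yml
name: DAST

on: [push, pull_request]

permissions:
  contents: read

jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci

      # Start the app in the background and block until it answers,
      # otherwise the scanner would run against nothing.
      - name: Start application
        run: |
          npm start &
          npx wait-on http://localhost:3000   # assumption: wait-on is available via npx

      - name: Run StackHawk scan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}   # never commit the key to the YAML file
```

The API key belongs only in the repository secret; if it were written into stackhawk.yml or the workflow it would be exposed to anyone who can read the repository and to every forked pull request. Note also that scanning a Development environment on the runner, rather than a shared staging host, keeps the scanner's injection-style requests from touching real data.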

If you encounter issues with the workshop steps, check the Discord server for help from the organizers and other participants. You can also review the detailed instructions and troubleshooting tips provided in the workshop material.

Brandon Ward
01 Jul, 2022