JS Security Testing in GitHub Actions

Rate this content
Bookmark

This workshop will focus on automating software composition analysis, static application security testing and dynamic application security testing using GitHub Actions. After a brief introduction covering the different types of application security and the importance of finding security vulnerabilities before they hit production, we'll dive into a hands-on session where users will add three different security testing tool to their build pipelines.

This workshop has been presented at JSNation 2022, check out the latest edition of this JavaScript Conference.

FAQ

Zachary Conger is a Senior DevOps Engineer at StackHawk with extensive experience as a developer, automator, tester, observer, and operator of IT systems. He is also a musician, cyclist, and photographer.

StackHawk helps developers find, triage, and fix application security bugs before deploying to production. It integrates into CI/CD pipelines to automate security testing.

The workshop will use GitHub Actions, Dependabot, CodeQL, and StackHawk to automate the build and security tests of a Node.js application.

To enable Dependabot, go to the Settings of your GitHub repository, then navigate to Code security and analysis. Enable Dependency graph, Dependabot alerts, and Dependabot security updates.

CodeQL is a static application security testing (SAST) tool provided by GitHub. It scans your code for patterns that may cause vulnerabilities and is free for public repositories.

Download the StackHawk configuration file from the StackHawk platform, open it in a text editor, and then add this file to the root of your repository as StackHawk.yaml.

Setting a failure threshold in StackHawk allows you to specify the severity of issues that will cause the build to fail. This ensures that critical vulnerabilities are addressed before deployment.

Yes, StackHawk can scan APIs. It supports OpenAPI specs, SOAP WSDL configurations, and GraphQL introspection endpoints to discover API routes and supported queries.

You can run StackHawk locally using its CLI or as a Docker container. The CLI can be installed via Homebrew for Mac, or you can use Docker commands to run the scanner.

StackHawk offers integrations with Slack, MS Teams, Jira, and various CI/CD platforms. It also has a partnership with Snyk to correlate DAST and SAST results for more comprehensive security insights.

Zachary Conger
Zachary Conger
101 min
04 Jul, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Today's Workshop focuses on automating build and security tests for a Node.js application using tools like Stackhawk, Dependabot, CodeQL, and GitHub Actions. GitHub Actions is a powerful CI platform with a marketplace of Actions and built-in secrets management. CodeQL is a SAST utility that scans code for vulnerabilities, while Stackhawk is a dynamic application security testing tool. The Workshop covers enabling code security and analysis, configuring StackHawk, and running scans locally. Overall, the Workshop provides practical guidance for integrating security into software development pipelines.

1. Introduction to Workshop and Agenda

Short description:

My name is Zachary Conger, a Senior DevOps Engineer at StackHawk. Today, we'll automate the build and security tests for a Node.js application. We'll use various tools like Stackhawk, Dependabot, CodeQL, and GitHub actions to ensure application security.

My name is Zachary Conger. I am a Senior DevOps Engineer here at StackHawk, and I've been a developer and an automator, tester, observer, also operator of IT systems for many years Also a musician, cyclist, and photographer, and I love doing these workshops. I love seeing people's reactions to the tools and how easy it can be to add security to your pipelines.

The bird we are repping today is Stackhawk. Stackhawk helps developers find, triage, and fix application security bugs before deploying to production. It is one of the tools that we'll be using today to automate security in your pipeline, but certainly not the only tool. In fact, we're going to be starting with a couple of other ones.

Our agenda today. We're going to automate our build of a Node.js application. We're going to automate security tests for that application as well. We're going to use all you need is a web browser and Discord. And what we're going to do is we're going to take a sample application, we're going to bring it into GitHub. We're going to fork that application. We're going to use GitHub actions to automatically build that application. Then we're going to add Dependabot to scan the app's dependencies for known vulnerabilities. Then we'll add CodeQL to scan the code base and look for vulnerable patterns in the code base. And then we're finally going to add StackHawk to dynamically scan the running application for vulnerabilities all within the build pipeline using GitHub actions.

2. Introduction to GitHub Actions

Short description:

GitHub Actions is a powerful continuous integration platform built into GitHub. It's easy to get started by adding a GitHub Actions configuration file. It uses YAML configuration language and has a marketplace of Actions. It's event-driven and has a built-in secrets management platform. GitHub Actions provide 2,000 free minutes per month. Let's begin with GitHub Actions by forking the vulnerable node express repo to your own repository.

ZACHARY LOTOS. We got a question in the discord, which I'm thrilled about. Should we trust the repo locally in VS Code or should I just use GitHub.com? DREW REINHARDT. Yes, you can trust this application. It's okay to bring it down. You should fork it to your own repo. Yes, you can also use it in GitHub code spaces. We're doing all of this work in the browser only to make it easy for attendees to follow along to minimize any unpredictable outcomes. I encourage you to follow along in the browser, but if you want to bring it down to your workstation or GitHub code spaces, that's fine too. If you're like, what is Zach talking about? We will go over all of that in just a second. So no worries if you're not as familiar with GitHub, we'll be covering all that. Somebody has jumped ahead in the workshop guidebook. An overachiever. All right, so getting started.

The first thing that we're going to work on is GitHub Actions. And GitHub Actions is a powerful continuous integration platform that's built right into GitHub. So it's super handy to use. It's super easy to get started. If you have a repo in GitHub, you can light this thing up just by adding a GitHub Actions configuration file. It will read that file and start building on it, if it finds it, as long as you've got GitHub Actions enabled in your repository and enabled for your organization, which it is by default. So by default, this just works. If you add a configuration file for it, some organizations will turn it off. And sometimes if you fork an application that already has GitHub Actions workflows defined, it will disable actions just so you don't mistakenly do a builds. It's a powerful CI system built into GitHub and uses YAML configuration language and it's got a huge marketplace of something called Actions, the basis of the name. The Actions are like Jenkins plugins. They are little pieces of functionality that are made really accessible by so you can add functions for various things with just a couple of lines of YAML. Everything that we do today, I think, has an action associated with it. CodeQL does, StackHawk does. It's an event driven platform, so it's driven off of events like I pushed some code to GitHub to my repo or I opened a PR or you can send other kinds of webhooks to kick off events. You can also have one workflow kick off another workflow, so it's really, really flexible and you can build complicated pipelines if you want to, but it's very easy to get started with it as well. There's also a built-in secrets management platform in GitHub Actions so that if you have any secrets that you need and we'll have at least one example of a secret that we'll need to inject into our pipeline, you can stash that in the secrets management platform in GitHub so that you don't have to put those secrets into your code base and into your GitHub repo, which is generally a no-no. You don't want to put secrets in your Git repos. It's also really accessible in that they provide 2,000 free minutes per month. Last time I checked, which was a while ago, they may have changed that, but that's a lot of time. That's a lot of build time to work on your projects. I use it for personal projects all the time. Very handy platform, easy to get going, easy to start. Let's go ahead and begin with GitHub actions actually. So I want to refer over to the, let me see, yeah, okay. So what I'd like to do is direct you to, if you have the guide book open, we're going to start with step one, continuous integration workflows and GitHub actions. I will provide a link to that very spot. And you can read from here what we're going to do. So first step we are going to fork this application repo, the vulnerable node express repo. What this is, is just a simple test app that we often use to test various security tools against. What we're going to do is just fork it to your own repository. So hit this fork button here up at the top right. It should prompt you for a good default repository name within your own organization. Give it a description if you like. It's just a vulnerable node express application. Create that fork.

QnA