Nicolas Engel

Idea(ls) on cybersecurity

DevSecOps – Implementation of a security code scanner on Github

The introduction to DevSecOps in my previous article highlighted the need for collaboration between developers and operations so that security requirements are followed in a sustainable way. Indeed, the DevOps logic has shortened delivery cycles in order to avoid the tunnel effect, the period during which the technical design no longer gives users visibility of the solution being delivered. The resulting acceleration of application deliveries, combined with the increase in cyberattacks, creates the need to automate security processes. Among these, the code security review is one of the keys to a successful DevSecOps approach.

SAST vs DAST

The industrialization of development languages and their associated frameworks has seen a multitude of tools emerge to scan code for security. These SAST (Static Application Security Testing) tools analyze the source code of an application or service to identify potential security vulnerabilities resulting from insecure development practices.

Best practice is to use SAST tools during the coding and/or testing phase to identify vulnerabilities early in the development process. Such tools can certainly generate false positives, but the results are crucial in assessing the security of the application.

As their name suggests, the analysis performed by these tools is above all static. It can be made dynamic by creating end-to-end test scenarios, in particular to test web services. The use of DAST (Dynamic Application Security Testing) is comparable, but the need is different and requires greater security maturity of the teams. This is particularly true for teams performing application testing, who often have to go into the code to write the dynamic tests that exploit the full potential of DAST solutions. The aim here is not to compare each type of solution; for simplicity, this article focuses on SAST solutions.

Panel of possible solutions

How to choose an efficient SAST solution adapted to your needs?

It is first necessary to understand the DevOps process within the company in order to attach the security component to it. The code hosting tools, which are sometimes also used to deploy the application, strongly shape how security is integrated. Let us mention here the Github platform, acquired in 2018 by Microsoft and constituting a de facto industry standard for hosting application code, analyzing it, and providing collaboration tools to developers.

On Github, multiple SAST tools are available as free, freemium (i.e. partially paid) or fully paid offerings.

Solution            URL
AppThreat           https://github.com/AppThreat/sast-scan
Betterscan          https://github.com/marcinguy/betterscan-ce
HCL App Scan        https://github.com/marketplace/actions/hcl-appscan-codesweep
Horusec             https://github.com/ZupIT/horusec
ShiftLeftSecurity   https://github.com/ShiftLeftSecurity/sast-scan
SemGrep             https://github.com/returntocorp/semgrep

The table above is not comprehensive but constitutes a representative panel of solutions in 2022.

Among all these solutions that I have been able to test, one solution stands out due to its versatility, the quality of its reports and the fact that it is free in November 2022. This is ShiftLeftSecurity.

Focus on ShiftLeftSecurity

An open-source solution under GPL v3.0, ShiftLeftSecurity has many advantages, including:

Launching a scanner from the command line is easy:

sh <(curl https://slscan.sh)

The command above just invokes the docker run command below.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan --build

The solution using Docker is therefore modular and scalable. The results are also well formatted. Below is an example of a scan result to get a better idea.

Industrialization of SAST on Github

ShiftLeftSecurity is actually a security scanner meta-engine, which lets you orchestrate several analyses via a script that industrializes the process.

In this same vein of industrialization, it is possible to benefit from Github Actions – the event-driven workflows that automate continuous integration / continuous deployment tasks – to run the security scanner automatically on a code repository.

Below is an example of a Github Actions workflow that automatically launches the security scan after each pull request and uploads the reports to an AWS S3 bucket.

# This workflow integrates ShiftLeft Scan with GitHub's code scanning feature
# cf. https://slscan.io/en/latest/integrations/github-actions/.

name: SAST tool through Shiftleft

# This section configures the triggers for the workflow: every pull request,
# plus pushes to main so that the baseline update step below can actually run
# (on a pull_request event github.ref is refs/pull/<n>/merge, never refs/heads/main).
on:
  pull_request:
  push:
    branches: [ main ]

jobs:
  Scan-Build:
    name: Scan-Build
    runs-on: self-hosted
    steps:
      # checkout@v2 keeps the GITHUB_TOKEN in the local git config, which the
      # "git push" in the baseline step needs in order to authenticate.
      - uses: actions/checkout@v2

      - name: Perform ShiftLeft Scan
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_AUTO_BUILD: true
        with:
          output: reports

      # Generate and commit the baseline file for your master/main branch scans.
      # Subsequent feature branch scans then use only the new findings to break the build.
      # cf. https://docs.github.com/en/actions/learn-github-actions/contexts
      - name: Update scan baseline on main branch
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          cp reports/.sastscan.baseline .
          git config --global user.name "scan+github-actions[bot]"
          git config --global user.email "scan+github-actions[bot]@users.noreply.github.com"
          git add .sastscan.baseline
          # "git commit" exits non-zero when the baseline is unchanged, which would
          # fail the step; only commit and push when there is something staged.
          git diff --cached --quiet || (git commit -m "Update scan baseline" && git push)

      # Upload the generated reports to the AWS S3 bucket
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: Upload report on S3 Bucket
        run: |
          aws s3 cp reports/ s3://security/${{ github.repository }}/ --recursive
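As an added example (not code from this post or from the ShiftLeft project), the following Python script shows the baseline logic the workflow above relies on: it reads a SARIF report of the kind scan writes under reports/, drops findings whose fingerprint is already accepted in a baseline, and fails only on new findings at a blocking level. The SARIF document and the baseline set are constructed here, and the fingerprint format (rule id, file, line) is an assumption, simplified from whatever scan actually stores in .sastscan.baseline.

```python
import json

# Constructed SARIF sample in the shape scan writes under reports/ (one run,
# two results); rule ids, files and lines are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "HARDCODED_SECRET", "level": "error",
             "message": {"text": "Possible hardcoded password"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "ASSERT_USED", "level": "warning",
             "message": {"text": "Use of assert detected"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 40}}}]},
        ],
    }],
})


def fingerprint(result):
    """Identity of a finding: rule id, file and start line (assumed format,
    a simplified stand-in for the fingerprints kept in .sastscan.baseline)."""
    loc = result["locations"][0]["physicalLocation"]
    return (result["ruleId"], loc["artifactLocation"]["uri"],
            loc["region"]["startLine"])


def load_findings(sarif_text):
    """Flatten every run's results into {key, level, text} records."""
    doc = json.loads(sarif_text)
    return [{"key": fingerprint(r), "level": r.get("level", "warning"),
             "text": r["message"]["text"]}
            for run in doc["runs"] for r in run.get("results", [])]


def new_findings(findings, baseline_keys):
    """Findings whose fingerprint is not already accepted in the baseline."""
    return [f for f in findings if f["key"] not in baseline_keys]


def should_fail(findings, baseline_keys, fail_levels=("error",)):
    """Break the build only on NEW findings at a blocking severity level."""
    return any(f["level"] in fail_levels
               for f in new_findings(findings, baseline_keys))
```

In the workflow, the equivalent gate would run on the pull request's report with the baseline committed from main, so a long-standing warning does not block every feature branch while a newly introduced error does.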

In summary, this example of security scanner automation on Github demonstrates the current trend towards automating security in code. While the principle may seem very attractive, several elements that reduce the positive impact of such an approach must nevertheless be underlined:

“Automation: a system that simplifies the work so much that we will end up needing an electronic brain to twiddle our thumbs.”

Noctuel
