Mix the facility of GitHub Actions for automated Steady Integration/Steady Deployment (CI/CD) pipelines with Distinction Safety’s highly effective free developer instrument, CodeSec, to establish susceptible dependencies in your Java, .NET, NodeJS, Ruby, Python, Go or PHP initiatives.
Step one is to put in CodeSec regionally. CodeSec is on the free tier of Distinction Safety’s product suite. It is extremely straightforward to put in with both Homebrew, npm or straight from binary. You’ll find CodeSec at Distinction’s Developer Central on-line portal.
As soon as CodeSec is put in in your machine, you will want to run the command distinction config. This provides you with the CodeSec account keys that you need to use in your undertaking’s GitHub Actions configuration file.
CodeSec config keys
Second, you’ll want to set these keys as secrets and techniques in your GitHub repository’s settings. That is obtainable in your GitHub undertaking repository on the Settings tab, Safety part, Secrets and techniques possibility, Actions sub-option. Add secrets and techniques with the names CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER together with their corresponding values from the distinction config command.
Add GitHub repository secrets and techniques
With these config keys set as repository secrets and techniques, you at the moment are prepared to make use of the Distinction SCA GitHub Motion. Distinction SCA is an enterprise-level cybersecurity instrument that identifies vulnerabilities within the third-party elements that your undertaking makes use of.
The Distinction SCA GitHub Motion web page provides examples of GitHub Motion configuration information to be used with a number of totally different languages. On this article we are going to stroll by means of an instance of utilizing the NodeJS config file.
Create a brand new Git department in your undertaking with git checkout -b your-branch-name.
Create a brand new Git department
Subsequent, create a brand new GitHub Actions construct file at ./.github/workflows/construct.yml, in case your undertaking doesn’t have one but. If it does, you could wish to simply edit your present file.
New GitHub Actions construct configuration file
Then, within the construct.yml file, add the job to run the Distinction SCA motion. Use the Node template from the Distinction SCA GitHub Motion web page. Make certain that it makes use of the CodeSec config secrets and techniques that you simply made at first of the article! Word: One distinction from the template is that we received’t specify the apiUrl setting and can let Distinction SCA default to the free Neighborhood Version of the Distinction instrument suite server. Additionally, you will must customise the trail to your undertaking’s config information and just remember to goal department “primary”, which is the default title of the repository’s major department on GitHub.
Instance construct.yml for a NodeJS undertaking
Again on the command line, add the brand new file to your native Git repository, commit the modifications after which push it as much as your distant GitHub repository.
Git add, commit and push your new construct file
The output of git push provides you a URL to make use of to create the pull request to your modifications. On this instance, it was https://github.com/JacobMagesHaskinsContrast/resource-mon/pull/new/add-sca-check.
Pull request on the GitHub repository
After merging the modifications, you’ll be able to have a look at the Actions tab and see that “SCA Node” is now an obtainable workflow that runs in your repository.
SCA Node workflow within the repository actions
In case your undertaking has a vulnerability, just like the deliberate instance vulnerability on this undertaking, you’ll be able to click on on the workflow’s run to see its particulars. Within the particulars, yow will discover the particular vulnerabilities in libraries that your undertaking makes use of, together with recommendation on fixing them.
Distinction SCA GitHub Motion outcomes
Conclusion
GitHub Actions are a strong instrument. A lot could possibly be written on all the varied choices obtainable for utilizing them to energy your undertaking’s CI/CD pipelines. The Distinction SCA GitHub Motion, when paired with CodeSec, is a powerful new instrument for securing your undertaking from cybersecurity threats.
Check out Distinction SCA’s latest GitHub Motion function for your self with CodeSec!
To study extra about Distinction’s new GitHub Motion:
Click on right here for our video tutorial.
Click on right here to verify us out on GitHub Market.
