Startups often rely heavily on open source software to accelerate development, minimize costs and leverage the extensibility they offer. However, this reliance can also expose them to supply chain risks, such as vulnerabilities in the software they depend on along with source threats, build threats and dependency threats. While startups have alignment towards a specific goal these dependencies that they gather in the process may not be aligned to the same goals, a lot of them might be hobby projects or code made opensource to showcase the capabilities and maintaining them might not be a priority for the developers. Since this is unpaid work expectation of maintenance and upkeep is not the right thing to have from the OSS maintainers.
This puts the organisations at a risky spot, using these dependencies help accelerate the development but it effectively puts the “burden” on the startups for ensuring the safety of this code also. To mitigate these risks, it’s crucial for startups to establish a basic security scanning process. With the current world of SaaS platforms offering lots of free services for startups and smaller teams, there is really no excuse left for startups to not setup a baseline code scanning setup we are not just suggesting setting up a code scanning service for your own code but also for your dependencies.
In this blog post, we will explore how to set up a simple and effective scanning capability using GitHub, GitHub Actions, and various security tools, to give startups more confidence in their open source software choices. What we are showing in this blog post should be treated as a guidance and orgs can focus on deploying this on their own CI / CD environments, Github is just a system we choose to demonstrate the concept. GitHub has implemented some security features related to scanning repositories for potential vulnerabilities. These features are often provided by third-party services integrated into GitHub Actions workflows. We will also discuss how GitHub Actions can be employed by companies to enhance security in various ways including automated code scanning, creating CI pipelines that run tests and checks, enforcing security checks on pull requests and also enforcing security compliance standards. We will also discuss the benefits, pitfalls, and best practices for approaching software with identified bugs and interpreting their severity.
Github is a sought after web based version control platform which offers collaborative software development. It allows hosting and sharing code repositories, including open source projects. By utilizing GitHub Actions, startups can automate tasks like code scanning, dependency updates and vulnerability scanning, minimize the risk of malicious code impacting the host environment or other workflows through container isolation, and manage access control.GitHub allows you to perform code scanning through multiple methods: utilizing GitHub Actions, integrating it with your continuous integration (CI) system, or running it directly on GitHub itself. Both the basic and advanced configurations for code scanning are available through GitHub Actions. With the default setup, the system automatically determines the programming languages to analyze, the query suite to execute, and the events that should trigger the scans. However, if you prefer, you have the option to manually choose the query suite and languages to be analyzed within the default setup.
For more advanced customization, you can opt for the advanced setup, which offers further options to tailor your code scanning workflow. CodeQL analysis is one of the types of code scanning available on GitHub, but you can also find other code scanning workflows in the GitHub Marketplace that you can utilize for your projects.
Github actions 101
To get started with automated scanning, you’ll need to set up a GitHub Actions workflow in your project repository. This workflow will trigger the scanning process every time there is a push or a pull request. In this section, we will walk you through the necessary steps to create and configure a simple github actions workflow
To set up a workflow, you can follow these steps:
- Set up Actions in your repository: Log In to your GitHub account and navigate to your GitHub repository for which you want to setup Github Actions. Click on Actions.
- Create a workflow: In the next page that appears, click on Configure in order to setup a workflow.
- Generate and configure the YAML file: You will be able to see a yaml file, you can also customize this file if you want to. If you want to use the default yaml file for setup, simply click on Configure.
You have configured a basic GitHub actions workflow. This process was manual as of now however this can be automated as lots of github action workflows are pre-created by GitHub and made available for direct usage. We will leverage this workflow process to setup different scanning softwares in next section.
Integrating Security Scanning Tools
Next, we will discuss integrating various security tools into your GitHub Actions workflow. These tools will help you identify not only known vulnerabilities but also code quality issues that might lead to potential security risks. Integrating security tools into GitHub Actions can help ensure that your code adheres to compliance and make auditing processes smoother. Some common tools to consider include:
CodeQL is a powerful tool developed (acquired and enhanced) by Github, which allows developers to identify and eliminate security vulnerabilities in their code. It performs such tasks only if the open source codebase is available on Github.com. Furthermore, in order to test the codebase should be released under an OSI-approved open source license.
- CodeQL allows developers to write custom queries to find specific issues in the code.
- It also maintains a resource pool of open source projects and their vulnerability history that serves as a valuable resource into known vulnerabilities.
- CodeQL provides early detection if it is integrated into a project’s continuous integration pipeline.
Requirements for using default setup:
- The code should include at least one of the CodeQL supported languages excluding Swift.
- Github Actions should be enabled.
- It should be publicly visible.
Configure default setup for code scanning:
You can configure the default set up by following steps:
- Navigate to your github repository for which you want the default setup.
- Under your repository name, click on Settings.
- In the Security section of Settings, click on Code Security and Analysis.
- Navigate to the Code Scanning section and click on Set up, then click on Default.
- You can also customize the code scanning setup by clicking on the Edit option.
- Review the settings and then click on Enable CodeQL.
The CodeQL setup configuration is now done.
Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards. It is a rule-based tool, which means that it uses patterns to match specific code constructs. This makes it very flexible and powerful, as it can be used to find a wide variety of bugs and issues.
Here are some of the benefits of using Semgrep:
- Fast: Semgrep is very fast and can scan large codebases in a matter of minutes.
- Accurate: Semgrep is very accurate and can find a wide variety of bugs and issues.
- Easy to use: Semgrep is easy to use and can be used by developers with no prior static analysis experience.
- Flexible: Semgrep is very flexible and can be used to find a wide variety of bugs and issues.
- Extensible: Semgrep is extensible, and new rules can be easily created.
At Cyfinoid we are big fans of Semgrep. By utilizing Semgrep and GitHub Workflows, we can automate the detection of coding vulnerabilities. To achieve this, we will create the following workflow:
- The workflow is designed to perform a scan of your application’s entire codebase, offering a comprehensive analysis of its contents.
- To set up this workflow, copy and paste the following content into the .github/workflows/semgrep-full.yaml file :
--- name: Semgrep Full Scan on: workflow_dispatch: push: branches: - main schedule: - cron: '0 1 * * 6' jobs: semgrep-full: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest container: image: returntocorp/semgrep steps: # step 1 - name: clone application source code uses: actions/checkout@v3 # step 2 - name: full scan run: | semgrep \ --sarif --output report.sarif \ --metrics=off \ --config="p/default" # step 3 - name: save report as pipeline artifact uses: actions/upload-artifact@v3 with: name: report.sarif path: report.sarif # step 4 - name: publish code scanning alerts uses: github/codeql-action/upload-sarif@v2 with: sarif_file: report.sarif category: semgrep
Note: This workflow is not fully hardened there is a lot more that can be done to harden the workflow. We will write another blogpost covering hardening techniques for specific workflows.
- Afterward, you can manually initiate this workflow to execute the initial full scan. All detected issues will be displayed in the Code Scanning alerts, accessible within the Security tab of your GitHub repository.
Based on the programming languages utilized in your project, you might consider incorporating specialized tools designed specifically for each language.Source code analysis tools or Static Application Security Testing (SAST) Tools, are designed to examine your source code or compiled code to uncover security issues. These tools can be integrated into your development environment, assisting you in identifying problems while writing software. By using SAST tools, you can save valuable time and effort, as they catch vulnerabilities early on, preventing the need to address them later in the development process.OWASP even has a list of SAST tools that can be used for various languages. All the listed tools can be explored via the mentioned link: https://owasp.org/www-community/Source_Code_Analysis_Tools
Additional Github’s Security setup
Secret Scanning and Push Protection
Lately the major hacks dont happen coz. of the buggy code but more coz someone accidentally let loose a secret. So can something be done about that. To avoid the fraudulent use of secrets that were accidentally disclosed, GitHub searches repositories for recognized categories of secrets. GitHub searches a repository’s contents for secrets that match patterns predefined by service providers when you activate secret scanning for a repository or push commits to a repository with secret scanning enabled. When a new partner pattern is introduced or changed, GitHub additionally does a scan of all past code content in public repositories with secret scanning turned on.
In order to enable secret scanning, follow the underlying steps:
- Navigate to the repository where you want to enable secret scanning.
- Click on the Settings tab located on the right-hand side of the repository’s menu.
- From the settings menu, choose the Code Security & Analysis section.
- In the Code Security & Analysis section, you’ll find an option for Secret scanning. Click on it.
- Save changes to enable the secret scanning functionality.
After you’ve enabled secret scanning, GitHub will automatically scan your repository’s codebase for known patterns of secrets. If any secrets are detected, you will be notified through the configured channels. This proactive security measure helps prevent the inadvertent exposure of sensitive information and enhances the overall security of your software projects. This is not a foolproof solution but a good first step. This should ideally be augmented by code scanning software added to GitHub workflow as a secondary tool also.
GitHub push protection
GitHub push protection is a security feature provided by GitHub to prevent unauthorised or accidental changes to important branches of a repository. It helps maintain the integrity and stability of critical branches by requiring additional checks and approvals before any code changes can be pushed to those branches.
Push protection is particularly useful for branches like “main,” “master,” or other long-lived branches where the main development or production code resides. It prevents scenarios where code could be introduced without proper code review or testing, reducing the risk of introducing bugs, vulnerabilities, or breaking the application.
You can enable GitHub push protection for enterprise, organisation or repository. In order to enable the Push Protection for any of these, you can follow the link below:
Handling Results of Scan
Scan report analysis is often the most ignored step. GitHub itself provides a nice dashboard for this to work however if there are cross platform tools in place then it might be a good idea to leverage third party dashboards. In order to efficiently work on the security issues identified we recommend leveraging Vulnerability aggregation software like ArcherySec / DefectDojo. These specialised softwares provide more comprehensive tooling to work on the vulnerability remediation.
Pitfalls to watch out for
While automated scanning presents numerous advantages, it is essential to be mindful of potential drawbacks:
- False positives: Scanning tools may produce inaccurate alerts, necessitating manual assessment for validation. To minimize such occurrences, adjust the scanning rules and concentrate on the most pertinent issues.
- Interpretation of results: Not all vulnerabilities carry equal risk. Startups must consider the vulnerability’s context, such as its location in the code and its usage, to determine its severity and prioritize accordingly.
- Dependency on scanning tools: Relying solely on automated scanning can lead to a false sense of security. It is crucial to complement scanning with other security measures, like code reviews and secure development training, for comprehensive protection.
Approaching Software with Identified Bugs
If your scanning procedure detects bugs or vulnerabilities, adhere to these recommended approaches:
- Assess the risk: Assess the seriousness and potential consequences of the identified problem, considering your unique usage scenario and surroundings.
- Prioritize fixes: Concentrate on resolving the most crucial vulnerabilities initially, prioritized according to their risk assessment.
- Engage the community: In the case of an issue within an open source project, report the vulnerability to the project maintainers and contribute to the resolution process whenever possible. Contribution doesn’t necessarily means code contribution you can help by providing documentation and most importantly monetary support to a project that is helping you in your commercial venture.
- Monitor for updates: Monitor for updates and patches pertaining to the affected software, and apply them promptly upon availability.
For startups that depend on open source software, establishing a fundamental security scanning process utilizing GitHub, GitHub Actions, and diverse security tools is a crucial undertaking. This initiative will provide valuable comprehension of code quality and security, enabling you to address potential risks and uphold a secure software environment. Armed with knowledge about the advantages, challenges, and recommended approaches, you can make informed choices regarding dealing with software containing identified bugs and determining their significance within your organization. Take the proactive step of setting up your scanning workflow today to safeguard your open source software effectively.
- If you want to learn more around this as well as other issues plaguing supply chain security attend our course
- If you or your friends need help around implementation of such setup. Contact Us