GitHub Actions for Security Code Analysis
Performing code analysis and security scans on your code is imperative to software craftsmanship. Over the years, I have had plenty of options for performing security scans, both with third-party vendors and open-source tools.
In this post, I want to highlight some of my favorite GitHub Actions for running security-focused code analysis.
Before diving into some of my favorites on GitHub, here are some recent posts related to code analysis and security that I published. Perhaps they can be insightful, too:
- Use the Microsoft Application Inspector to analyze your source code
- Website security scanning with GitHub Actions and OWASP ZAP
- Favorite code analysis tools for .NET Core devs on Azure
- Embracing an SDL (Security Development Lifecycle) for Azure
- Automate Azure DevOps code security analysis with the Microsoft Security Code Analysis extensions
GitHub and Security. What's up?
The threat landscape is ever-changing, and so should our processes and tools be. I have moved a lot of my private and proprietary repositories to GitHub over the last few years for various reasons - not specifically for security. Initially, I missed running the same security scans that I could with Azure DevOps or my on-prem pipelines.
However, when GitHub introduced GitHub Actions, it put wild new automation capabilities at our fingertips. Since then, many Actions have been published in the GitHub Marketplace.
With GitHub, there are many ways to secure your code. For example:
- Alerts for vulnerable dependencies (GitHub Docs)
- GitHub Secret Scanning (GitHub Docs)
- Dependabot alerts for published security advisories (GitHub Docs)
Additionally, the Marketplace offers ready-made extensions (Apps or Actions) in the Security category. I want to mention a few of these to raise awareness of their existence and the power of automating security in your process quickly.
How about enterprise readiness?
Is GitHub ready to tackle my enterprise? I believe it is, but that is for you to decide in your organizations.
The GitHub Enterprise page explains many of the built-in capabilities on offer, and there is an apparent focus on security from the start.
However, you also get many of these security features in the other tiers, including the "Free" tier.
Next, I want to highlight a few GitHub Actions for security to raise awareness of their existence.
Favorite GitHub Actions for Security
While this list could become very long, the items below are a few of the ones I have used and like. They have found issues, helped me mitigate them, and contributed to a more secure software process.
I am not talking about security tools in general. Instead, I am mentioning the ones I have worked with as GitHub Actions.
Some extensions handle code security specifically. Here are some of the tools I have used to vet some of my source code for vulnerabilities when relying on GitHub Actions.
DevSkim by Microsoft
I am mentioning DevSkim first because I am familiar with it from other integration points. The DevSkim tool exists as a CLI, a NuGet library for C#, a Dotnet Tool package, a Visual Studio Extension, and a Visual Studio Code extension.
Now, it exists as a GitHub Action, too.
What is it?
- Security linter. Highlights common security issues in your code.
- Integrates with GitHub and sends its reports to the repository's Security Issues view.
Read more: https://github.com/marketplace/actions/devskim
AppInspector by Microsoft
I previously wrote about the Microsoft Application Inspector to inspect your source code. While it is not a "code security" tool, it is beneficial when drilling into projects to classify what types of code we have, and what it does.
What is it?
- App Inspector is a "code characterization tool."
- Identifies features, third-party components, well-known libraries, and API calls.
- Identifies authorization, authentication, cryptography, and other things your code does.
Read more: https://github.com/marketplace/actions/appinspector.
SonarCloud Scan by SonarSource
I have used tools from SonarSource over the years in various capacities. Their SonarCloud helps detect bugs, vulnerabilities, and code smells.
To understand what the SonarSource tools do, you can inspect their rules for each supported language. Here are the C# language rules; you can filter the list by "Vulnerabilities", "Security Hotspot", and many more.
I have used SonarCloud using Azure DevOps and other ways in the past. With their GitHub Action, they mention that you should use Azure DevOps if you are analyzing .NET. However, the GitHub Action works well for many programming languages and can be a great asset in your toolbox.
It does come with a price and requires an account with SonarSource.
Read more: https://github.com/marketplace/actions/sonarcloud-scan
Container Scan by Anchore
If you are building Docker images and containerizing your applications, you might want to look at the Anchore Container Scan.
This Action scans a locally built Docker image without depending on other systems. Its vulnerability data covers RedHat, Debian, Alpine, and more.
I previously wrote about the top 10 best practices for securing Azure Container Registry. If you rely on ACR, the built-in capabilities in Azure Security Center are excellent and something you should use.
However, more tools are always merrier, and if you push your Docker images to a repository outside of Azure, it might be a good idea to scan them for vulnerabilities. That's where the Anchore Container Scan comes in.
Read more: https://github.com/marketplace/actions/anchore-container-scan
Snyk
Checks your GitHub projects for vulnerabilities. Snyk has been around for a while and has many resources on vulnerabilities and secure code.
You are required to use a Snyk API token to make use of this Action.
Read more: https://github.com/marketplace/actions/snyk
GP Security Scan by WhiteSource
Scan your published or updated Docker images and get a report with security vulnerabilities and license information. The license bit can be particularly useful when you need to understand what third-party components you are using, and if they come with risky licenses.
This Action requires a WhiteSource API key.
Read more: https://github.com/marketplace/actions/gp-security-scan
The previous list gave a few examples of tools that inspect your source code. Next, I want to highlight some exciting tools for security testing of your running applications.
OWASP ZAP by zaproxy
I previously wrote about website security scanning with GitHub Actions and OWASP ZAP, so I will not repeat much of it here. Head over to the link above to check that out.
What is it?
- DAST - Dynamic Application Security Testing.
- Penetration testing of your websites.
- Useful, for example, when your workflow pushes new deployments to your sites: you can then automatically run a DAST/pentest against them - preferably a staging environment - before you switch to production.
Read more: Website security scanning with GitHub Actions and OWASP ZAP
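As an added example that is not part of the original post, here is one workflow that wires three of the tools above together the way the post describes: DevSkim on the source tree with its SARIF report uploaded to the repository's Security view, Anchore on a freshly built image that fails the build at a chosen severity, and a ZAP baseline scan against a staging URL that only runs once the static checks pass. The action version tags and input names are what I know from each action's own README, and the image name and staging URL are placeholders; check both against the marketplace pages before using this.

```yaml
name: security-scans

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF results to the Security view

jobs:
  devskim:                  # static security lint of the source tree
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: microsoft/DevSkim-Action@v1
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: devskim-results.sarif   # DevSkim's default output file name

  image:                    # vulnerability scan of the image built from this commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: docker build -t localbuild/app:${{ github.sha }} .   # placeholder image name
      - id: scan
        uses: anchore/scan-action@v3
        with:
          image: localbuild/app:${{ github.sha }}
          fail-build: true          # break the workflow on findings ...
          severity-cutoff: high     # ... at or above this severity
      - if: always()                # upload the report even when the scan failed the build
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  dast:                     # ZAP baseline against staging, only on main and only after static checks pass
    needs: [devskim, image]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.7.0
        with:
          target: https://staging.example.com   # placeholder staging URL
          fail_action: true                     # fail the job when ZAP reports alerts
          allow_issue_writing: false            # keep results in the job log; no issues: write permission granted
```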
Find more security testing tools on the GitHub Marketplace.
Many more Actions are beneficial in the security analysis and testing area. I have highlighted some of the ones I like. Which one do you prefer, and are there some you would recommend? I'd be happy to include them on the list.
Happy and safe coding.