New GitHub Action helps DevOps teams build fast while staying secure.
Security and development teams are increasingly adopting DevOps methodologies. However, traditional security tools bolted onto the development process often cause friction, decrease velocity, and require time-consuming manual processes. Manual tools and legacy AppSec approaches limit security teams’ ability to deliver the timely and actionable security feedback needed to drive improvements at the pace of modern development. The result is a continued increase in security threats and vulnerabilities, despite a growing awareness and interest in application security.
To help development and DevOps teams address these challenges and more, GitHub has created GitHub Actions. Actions places powerful, flexible automation directly into the developer workflow on GitHub, enabling teams to automate nearly everything, including software builds, testing, and deployments. In addition to its CI/CD capabilities, automation with GitHub Actions allows security activities to run smoothly throughout the development pipeline, improving both application security and development velocity.
We are proud to announce the early access release of the Intelligent Security Scan GitHub Action, a new Polaris Software Integrity Platform™ integration that enables development teams to build frictionless security controls into their DevOps pipelines using GitHub Actions.
The Intelligent Security Scan GitHub Action leverages newly developed orchestration capabilities of Polaris with our market-leading static (SAST) and software composition analysis (SCA) technologies in a solution that ensures that the right security tests are run at the right time—automating test execution and delivering filtered and prioritized results directly within the GitHub code scanning user interface.
What are GitHub Actions?
GitHub Actions help you automate tasks in your software development life cycle (SDLC), including (but not limited to) your CI/CD pipeline. Automated workflows, consisting of individual, discrete actions, can be programmed to start on nearly any event in the GitHub ecosystem, such as check-ins or pull requests. This allows development and security teams to create custom SDLC workflows directly within GitHub.
Actions are unique because they allow teams to build continuous integration (CI) and continuous deployment (CD) workflows directly within their GitHub environment. Because Actions workflows can be shared and reused like source code, they also help teams standardize and scale DevOps and security best practices across their organizations. With Actions, GitHub users not only host code on the platform but can also automatically test and deploy it.
What is the Intelligent Security Scan GitHub Action?
The Intelligent Security Scan GitHub Action is a new Polaris integration that enables teams using GitHub to trigger a Synopsys-optimized SAST and/or SCA security scan of a project via the GitHub Actions API.
What makes this solution unique and optimized for DevOps is the use of Polaris orchestration capabilities that address two major challenges that teams face as they look to integrate security into their DevOps environment.
Unclogging the pipeline
Although many AppSec tools support automation through CI tool integrations, inserting a security scan into the middle of a pipeline can easily bring that pipeline to a halt. Rather than simply initiating a full SAST or SCA scan whenever a GitHub Action is invoked, Polaris first reviews the code changes in order to calculate a risk score. This risk score takes into account risk rules defined by the team, as well as the scope of the changes that have been made to the code. The score is then used to determine which security scans to perform, and at what depth.
Once this determination has been made, the prescribed tests will execute using GitHub runners or a Polaris cloud-hosted pipeline. This combination of selective testing and out-of-band execution ensures that security analysis doesn’t hinder the progress of other build and integration activities.
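The selective-scan decision described above, as an added illustration that is not Polaris's code: a change-scoped risk score built from team-defined risk rules and diff size that picks which scans to run and at what depth. The rule patterns, weights, manifest list and threshold are constructed assumptions for the example.

```python
"""Added illustration, not Polaris's algorithm: a change-scoped risk score that
decides which scans to run (SAST/SCA) and how deep (incremental/full)."""
from fnmatch import fnmatch

# Team-defined risk rules (constructed): glob pattern -> weight (higher = riskier).
RISK_RULES = [
    ("src/auth/*", 5),      # authentication code
    ("src/crypto/*", 5),    # cryptographic code
    ("*.sql", 3),           # database queries / migrations
    ("docs/*", 0),          # documentation never needs a code scan
]
# Files whose change should trigger software composition analysis (SCA).
DEPENDENCY_MANIFESTS = {"package.json", "package-lock.json",
                        "requirements.txt", "pom.xml", "go.mod"}
FULL_SCAN_THRESHOLD = 10  # score at or above which a full SAST scan runs (assumed)

def rule_weight(path):
    """Weight of the first matching rule; unmatched code defaults to 1."""
    for pattern, weight in RISK_RULES:
        if fnmatch(path, pattern):
            return weight
    return 1

def size_factor(lines_changed):
    """Larger diffs carry more risk: 1 (small), 2 (medium), 3 (large)."""
    if lines_changed <= 20:
        return 1
    return 2 if lines_changed <= 200 else 3

def risk_score(changes):
    """changes: list of (path, lines_changed). Returns the summed score."""
    return sum(rule_weight(p) * size_factor(n) for p, n in changes)

def scan_plan(changes):
    """Map a change set (list of (path, lines_changed)) to scans and depth."""
    score = risk_score(changes)
    if score == 0:
        sast = "none"            # e.g. docs-only change
    elif score >= FULL_SCAN_THRESHOLD:
        sast = "full"
    else:
        sast = "incremental"     # scan only the changed scope
    sca = any(p.rsplit("/", 1)[-1] in DEPENDENCY_MANIFESTS for p, _ in changes)
    return {"score": score, "sast": sast, "sca": sca}

if __name__ == "__main__":
    # Constructed sample pull request: a docs tweak plus a small auth change.
    pr = [("docs/README.md", 40), ("src/auth/session.py", 15)]
    print(scan_plan(pr))  # {'score': 5, 'sast': 'incremental', 'sca': False}
```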
“With the Synopsys Intelligent Security Scan GitHub Action, application security testing is automated and built directly into the developer workflow, so teams can ship code more safely, faster,” said John Leon, VP of Business Development at GitHub.
Avoiding vulnerability overload
Another obstacle facing teams is the number of findings that can be produced by SAST and SCA analysis. The spirit of DevOps is continuous incremental improvement, a goal that can be hard to realize when your security tools bury the team in hundreds or thousands of vulnerability reports. Here too, Polaris reduces the burden on the team by filtering and prioritizing results, so teams can “avoid the noise” and focus on the more important security issues based on their risk.
Filtered and prioritized results are available to the developer directly within the GitHub code scanning user interface via the Static Analysis Results Interchange Format (SARIF; currently limited to static analysis results), as well as in other tracking tools the team may already be using.
Synopsys and GitHub: Building security into DevOps together
We’re excited to be working with GitHub to help make application security an integral part of DevOps with the Intelligent Security Scan GitHub Action. GitHub code scanning enables your team to create applications with a community-driven, developer-first approach, and its unified and automated structure promotes and reinforces your DevOps pipeline. Paired with the Intelligent Security Scan GitHub Action and Polaris, security bottlenecks and shortcomings are a thing of the past. Your team can rely on intelligent, risk-based analysis to guide remediation prioritization and actions, and they can avoid the common application security pitfalls that can hinder DevSecOps initiatives.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Patrick Carey. Read the original post at: https://www.synopsys.com/blogs/software-security/github-synopsys-partnership/