SBN

How to Use Mayhem With Github Actions to Easily Secure Your Applications

At ForAllSecure, our mission is to make security easy to use and easy to integrate with your existing development process. On that note, we’ve released our Mayhem GitHub Action, making it easier than ever to secure your applications using Mayhem in a GitHub CI/CD pipeline (for free!).

In this blog post, we’ll walk through the following:

  1. What is the Mayhem GitHub Action?

  2. How does the Mayhem GitHub Action Work?

  3. How do I integrate the Mayhem GitHub Action?

  4. How do I contribute to the Mayhem GitHub Action?

 

What is the Mayhem GitHub Action?

The Mayhem GitHub action allows you to use Mayhem with GitHub Actions, automating security testing for your applications hosted on GitHub.

How Mayhem Automates Your Workflow 

With the Mayhem Github action, your job as a developer becomes much easier:

  1. You integrate the Mayhem GitHub Action into the GitHub repository containing your application source code, executing security testing for your application using Mayhem via a CI/CD pipeline.

  2. With Mayhem integrated within a CI/CD pipeline, all new commits to the master or main branch (as well as branch pull requests) will execute a new Mayhem run to test your application.

  3. If workflows pass: Great! Mayhem has not detected any issues in the application! No need to continue with the next few steps.

If a workflow fails: Mayhem has identified a defect in the application.

  1. You can then create a pull request to then fix the source code causing the vulnerability in the application. Mayhem will then build and test the updated containerized application as well as use previous test cases to ensure that no new defects have been introduced with the update.

  2. If the workflow passes in the pull request, then the developer knows that their update not only fixes the previous vulnerability, but also that their update has not introduced any new defects.

  3. The developer merges their fix.

As you can see, automating security testing with Mayhem saves not only manual security testing effort, but—more importantly—time. That’s a lot of value from automating the traditional DevSecOps workflow!

 

How Does the Mayhem GitHub Action Work?

The Mayhem Github Action has two jobs: building your application within a Docker container and testing your containerized application.

For example, a Dockerfile for an application might look like this:

FROM debian:buster-slim as builder1
RUN apt-get update && \
    apt-get install -y gcc make libc6-dbg && \
    rm -rf /var/lib/apt/lists/*
COPY Mayhemit.c .
RUN gcc Mayhemit.c -o /Mayhemit

And a corresponding Mayhemfile would look like the following:

image: forallsecure/c-base-executable:latest # fields will be
project: mayhem-examples                     # overridden at
target: c-base-executable                    # CI run creation time
duration: 90
cmds:
- cmd: /mayhemit @@

Once the workflow is kicked off, the Mayhem GitHub Action will build the Docker image using the specified Dockerfile and execute a Mayhem run for the containerized target application using the configuration specified in the Mayhemfile. In this case, Mayhem builds and tests the Mayhemit binary.

After Mayhem’s test run completes, you’ll be able to see your results within your GitHub repo under the code scanning tab, in your pipeline step, or in the Mayhem UI.

Note: Got several applications you’d like to test? No problem, we’ve also made it so that the Mayhem GitHub action can work with multiple targets or applications.

 A multi-target Mayhem GitHub Action workflow

A multi-target Mayhem GitHub Action workflow

The complete run information for the target application on the Mayhem UI

The complete run information for the target application on the Mayhem UI

 

How Do I Integrate the Mayhem GitHub Action?

To integrate the Mayhem GitHub Action into your GitHub repository so that you can take advantage of Mayhem in a CI/CD pipeline, you’ll need to complete the following steps:

  1. Register for an account at mayhem.forallsecure.com

  2. Set up GitHub Secrets and package visibility settings for your GitHub repository.

    1. Add Mayhem_TOKEN as a GitHub Secret. This is your Mayhem token generated at mayhem.forallsecure.com.

    2. Ensure your repository’s package visibility settings are set to Public to give Mayhem permissions to ingest your Docker image from the GitHub Container Registry.
      (Click on your package in the right-hand pane of your GitHub repository and go to Package Settings. Then, scroll down to Package Visibility and set the package to Public.)

  3. Create a Dockerfile for your containerized application.

  4. Create a Mayhemfile for configuring the Mayhem run on your containerized target application invoked by the Mayhem GitHub Action.

  5. Create a Mayhem.yml workflow at .github/workflows/Mayhem.yml that builds and pushes a Docker image and uses the Mayhem GitHub Action to test your containerized application in a CI pipeline. You will need to specify the location of your Dockerfile and Mayhemfile.

For example, a Mayhem.yml file would look like the following:

name: Mayhem
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  BRANCH_NAME: ${{ github.head_ref || github.ref_name }}

jobs:
  build:
    name: 'build'
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
        shared: [false]
        build_type: [Release]
        include:
          - os: ubuntu-latest
            triplet: x64-linux

    steps:
      - uses: actions/checkout@v3
        with:
          submodules: recursive

      - name: Log in to the Container registry
        uses: docker/[email protected]
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/[email protected]
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Set lowercase image name
        run: |
          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}

      - name: Build and push Docker image
        uses: docker/[email protected]
        with:
          context: .
          push: true
          file: Dockerfile
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}
          labels: ${{ steps.meta.outputs.labels }}

    outputs:
      image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}

  Mayhem:
    needs: build
    name: 'fuzz'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        Mayhemfile:
          - Mayhem/Mayhemfile.lighttpd
          - Mayhem/Mayhemfile.Mayhemit
          # Specify one or many Mayhemfiles here

    steps:
      - uses: actions/checkout@v3

      - name: Start analysis for ${{ matrix.Mayhemfile }}
        uses: ForAllSecure/Mayhem-action@v1
        with:
          Mayhem-url: ${{ secrets.Mayhem_URL }}
          Mayhem-token: ${{ secrets.Mayhem_TOKEN }}
          args: --image ${{ needs.build.outputs.image }} --file ${{ matrix.Mayhemfile }} --duration 60
          sarif-output: sarif

      - name: Upload SARIF file(s)
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sarif

Still have questions? Take a look at the mcode-action-examples repository to view working examples. 

How Do I Contribute to the Mayhem GitHub Action?

Developers are more than welcome to fork our Mayhem GitHub Action repository and make any potential changes to the source code that they see fit. After creating your own fork, modify the source code in main.ts and execute make dist-rebuild to rebuild the Mayhem Action. When ready, push your changes and create a pull request for us to review!

If you’d prefer to test your changes before you post them up to us for review, execute the following commands to tag a specific commit and push it to your remote forked repo:

git tag v1-dev
git push origin v1-dev

Then navigate to your forked repository and click on the Releases section to create a new release from your tag.

Once complete, you’ll need to modify any corresponding Mayhem.yml file to use your specific tagged release and test your changes. 

 For example:

- name: Start analysis for ${{ matrix.Mayhemfile }}
        uses: Andrew5194/Mayhem-action@v1-dev

 

Summary

The Mayhem GitHub action allows you to use Mayhem with GitHub Actions. If you have any feedback, feel free to either create an issue on our Mayhem GitHub Action repo, create your own fork accompanied by a pull request, or contact us at community.forallsecure.com.

Development Speed or Code Security. Why Not Both?

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem Free Request A Demo

*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Andrew Yang. Read the original post at: https://forallsecure.com/blog/how-to-use-mayhem-with-github-actions-to-easily-secure-your-applications