HCL SW Blogs

Finding and remediating vulnerabilities in source code is an essential part of developing secure software. For many developers worldwide, the popular GitHub source control management system has become similarly essential in speeding up the development life cycle. Now HCL AppScan has two GitHub actions that can help you find and fix vulnerabilities in your source code — all without slowing your GitHub workflow.

Find code vulnerabilities before they reach the main branch of the repository

The HCL AppScan CodeSweep GitHub Action is triggered whenever a developer opens or updates a pull request in GitHub. The action only scans the code that the developer has modified or added in that request. This allows the developer to focus on finding and fixing only the vulnerabilities that they would be introducing with the new or modified code, rather than looking at the results from scanning the entire application.

Once the CodeSweep GitHub Action is triggered, the scan results are shown to the developer in several parts of the GitHub web user interface (UI).

  • In the “checks” on the main page of the pull request (users can specify the status of the checks when issues are found):

    [Image: the CodeSweep check on the pull request page, with an "add merging rule" option]
  • Alongside the vulnerable code in the diff view:

    [Image: AppScan CodeSweep annotation next to the affected lines in the diff view]
  • In the “checks” view:

    [Image: AppScan CodeSweep results in the checks view]
  • Additionally, remediation information including sample code is provided:

    [Image: remediation advice for session management cookies]

All of this information helps the developer—and those doing the pull request reviews—to understand the possible vulnerabilities introduced by the code changes. It also educates them on secure coding practices for the future.

Use AppScan on Cloud to scan for vulnerabilities in the repository

Once a pull request has been merged, the new code is added into the main branch of the repository alongside existing application code. For further security testing, the HCL AppScan SAST GitHub Action can be used to scan all code in the repository, and can be triggered by any event that the user chooses. It can also be included in a scheduled workflow, so the entire repository is scanned nightly, weekly, or at any other time interval.

Whereas the previous CodeSweep Action is free to use, this SAST Action requires an AppScan on Cloud account to view the results. Each run of the action includes a direct link in AppScan on Cloud to the scan that was run.

[Image: log output from the AppScan on Cloud (ASoC) service after a scan is submitted]

The snippet above is an example of the log output the GitHub user will see after running a scan. By default, the action will complete once the scan is submitted, but the user can wait for analysis to complete — so they can base the pass/fail of the action on whether any security issues were found.
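The two actions combined into one workflow, as an added example that is not from the post or from HCL: CodeSweep runs on pull requests and scans only the changed code, while the SAST action runs on a nightly schedule (or on demand), waits for analysis and fails the job above a severity threshold. The action references, input names (`token`, `status`, `asoc_key`, `asoc_secret`, `application_id`, `wait_for_analysis`, `failure_threshold`) and the secret names are assumptions; check them against the current Marketplace listings before use.

```yaml
# Added example, not HCL's own workflow. Action references and input names are
# assumptions taken from the Marketplace listings; verify against each README.
name: AppScan static analysis

on:
  pull_request:            # CodeSweep: scan only the code changed in the PR
  schedule:
    - cron: "0 2 * * *"    # SAST: full-repository scan nightly at 02:00 UTC
  workflow_dispatch:       # allow a manual full scan as well

permissions:
  contents: read
  pull-requests: write     # CodeSweep annotates the diff and the checks view
  checks: write

jobs:
  codesweep:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan changed code with CodeSweep
        uses: HCL-TECH-SOFTWARE/appscan-codesweep-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          status: failure   # mark the check failed when issues are found

  full-sast:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Submit the full repository to AppScan on Cloud
        uses: HCL-TECH-SOFTWARE/appscan-sast-action@v1
        with:
          # Credentials and the ASoC application id come from repository secrets,
          # never from the workflow file itself (secret names are assumptions).
          asoc_key: ${{ secrets.ASOC_KEY }}
          asoc_secret: ${{ secrets.ASOC_SECRET }}
          application_id: ${{ secrets.ASOC_APPLICATION_ID }}
          wait_for_analysis: true    # block until analysis completes ...
          failure_threshold: High    # ... and fail the job on High or worse
```

Without `wait_for_analysis` the job ends as soon as the scan is submitted, so the pass/fail of the action would not reflect the findings.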

HCL AppScan Resources:

GitHub Marketplace Resources:
