Finding and remediating vulnerabilities in source code is an essential part of developing secure software. For many developers worldwide, the popular GitHub source control management system has become similarly essential in speeding up the development life cycle. Now HCL AppScan has two GitHub actions that can help you find and fix vulnerabilities in your source code — all without slowing your GitHub workflow.
Find code vulnerabilities before they reach the main branch of the repository
The HCL AppScan CodeSweep GitHub Action is triggered whenever a developer opens or updates a pull request in GitHub. The action only scans the code that the developer has modified or added in that request. This allows the developer to focus on finding and fixing only the vulnerabilities that they would be introducing with the new or modified code, rather than looking at the results from scanning the entire application.
Once the Codesweep GitHub Action is triggered, the scan results are shown to the developer in several parts of the GitHub web user interface (UI).
- In the “checks” on the main page of the pull request (users can specify the status of the checks when issues are found):
- Alongside the vulnerable code in the diff view:
- In the “checks” view:
- Additionally, remediation information including sample code is provided:
All of this information helps the developer—and those doing the pull request reviews—to understand the possible vulnerabilities introduced by the code changes. It also educates them on secure coding practices for the future.
Use AppScan on Cloud to scan for vulnerabilities in the repository
Once a pull request has been merged, the new code is added into the main branch of the repository alongside existing application code. For further security testing, the HCL AppScan SAST GitHub Action can be used to scan all code in the repository, and can be triggered by any event that the user chooses. It can also be included in a scheduled workflow, so the entire repository is scanned nightly, weekly, or at any other time interval.
Whereas the previous Codesweep Action is free to use, this SAST Action requires an AppScan on Cloud account to view the results. Each run of the action includes a direct link in AppScan on Cloud to the scan that was run.
The snippet above is an example of the log output the GitHub user will see after running a scan. By default, the action will complete once the scan is submitted, but the user can wait for analysis to complete — so they can base the pass/fail of the action on whether any security issues were found.
HCL AppScan Resources:
- Find out more about HCL CodeSweep and the GitHub Download.
- See all the capabilities of AppScan on Cloud and take a free trial.
- Watch the Youtube demo and tutorial for more about CodeSweep for GitHub.
GitHub Marketplace Resources: