GitHub Actions brings the platform into the CI/CD market, making it simple to integrate SAST and SCA into workflows with the Synopsys Detect GitHub Action.
By Gautam Baghel and Dave Meurer
GitHub recently announced GitHub Actions, a feature bringing the platform into the CI/CD market. GitHub Actions is available for both GitHub.com and GitHub Enterprise hosted in the cloud. The cool thing is that GitHub added Actions to its Marketplace, where users can easily search and use Actions in their workflows.
The primary features of automation, like ease of use and easy setup, are perfect for teams who use GitHub for their repositories. For Pushes, Tasks, Pull Requests, and Issues, GitHub now offers a level of automation, which ultimately increases the amount of open source contributions. However, with great open source comes great vulnerabilities, as Uncle Ben would’ve said if he coded.
This is where Synopsys comes in. Having been in the application security market for well over 20 years, we have a market-leading understanding of the vulnerable code and components that can hide in applications. We want to put the “Sec” in DevSecOps, which inherently means security can’t slow development down. GitHub Actions makes it very simple to integrate SAST and SCA scans into workflows, helping us achieve our DevSecOps goal. That’s why we’re excited to announce the Synopsys Detect GitHub Action!
Synopsys Detect scan choices and use cases
Lightweight software composition analysis
One of the problems with security tools is that they take too much time for intensive scanning. In some cases, the only relevant information needed to break the build is a list of dependent components that violate company policies or have critical vulnerabilities. Pull Requests or git pushes, which are often frequent, necessitate a quick scan. It’s super easy to configure this in the Synopsys Detect GitHub Action with less than three lines of code. The key parameter for instantiating a lightweight software composition analysis scan is the “detect.tools” flag, setting the value to DETECTOR.
Under the hood, DETECTOR performs a dependency scan, reading package manager files (e.g., pom.xml file for maven) to identify declared and transitive dependencies. A prerequisite to use Detect’s package management scanning is to ensure the build tool is present in the environment. You’ll notice that in the example above, a mvn command is run before the Synopsys Detect command. This satisfies the prerequisite because maven exists in the GitHub Maven Java starter workflow.
Lightweight SCA provides a fast way to understand all the declared dependencies in your project. However, your project will typically contain more than just dependencies declared in package management files. Plus, some programming languages don’t even use package management. Therefore, these cases might call for a deeper analysis to ensure you are identifying and managing every single open source component in your application. Invoking a full SCA scan involves signature scanning, which compares the SHAs of the scanned files to our Black Duck KnowledgeBase™. Signature scanning is pretty easy because it’s included in the default scan if the “detect.tools” flag is not specified.
Generating Black Duck reports
Wouldn’t it be great to generate an SCA risk summary report after you scan using the Synopsys Detect GitHub Action? Say no more! You can enable this feature with two steps:
- Add the flag “–detect.risk.report.pdf=true” to the args line in your workflow yaml.
- Use the upload-artifact GitHub Action to upload the generated PDF. Note: The path attribute will be in the following format: [project _name]_[version_name]_BlackDuck_RiskReport.pdf. If this doesn’t seem to work, you can find the actual name in the Actions run logs in the Synopsys Detect section.
If generating and uploading the risk report was successful, an Artifacts dropdown should appear on the top right side of your Actions run logs, as shown in the screenshot above.
But wait—there’s more!
SCA is only part of the AppSec equation. Now that you have the open source components covered, it’s time to look in the mirror and scan your own code for quality and security issues with Coverity static analysis (SAST). Using the same Synopsys Detect GitHub Action, you can also invoke a Coverity scan through Polaris. You’ll need to use the Polaris properties in Synopsys Detect, and add a yaml file to your repo that Polaris consumes.
You can perform two types of Coverity Polaris SAST scans: build and buildless. As their names suggest, one requires a build and one does not. To invoke a buildless scan, follow the steps in the buildless capture section of our GitHub Action external docs. Or see the steps to invoke a build capture. The screenshot below shows an example GitHub Actions yaml.
Black Duck CoPilot for open source developers
“But I’m not an enterprise. I’m a high-powered open source developer. So what about me?” Well, CoPilot might just be the product for you. It’s our free offering for GitHub Open Source developers, and we’ve now added support for GitHub Actions CI/CD when you’re setting up a project in CoPilot!
CoPilot is powered by Black Duck and the Black Duck KnowledgeBase. It gives you a risk score badge from Black Duck, as well as a reporting interface that looks something like this:
We hope you enjoy using the Synopsys Detect GitHub Action. We welcome feedback, so let us know what you think at email@example.com, or open a pull request in the Black Duck GitHub Action repository.