Automate the Discovery of Coding Vulnerabilities
In a previous post, Software Developers Scream, "security, hurry!", we unpacked a concern that software leaders often have: that security is a bundle of heavy processes that slow down innovation. In 3 Essential DevSecOps Resources, we described how the DevSecOps paradigm addresses that problem by building security automation into both the creative development work and the operational process of making and releasing software. This post builds on Finding Vulnerabilities in Your Code Quickly and Cheaply and looks at how you can deploy Semgrep with GitHub to analyze code automatically as your developers write it.
Prerequisite: a Semgrep Dev account (you can sign up for free).
What is the Semgrep Dev dashboard?
The Semgrep dashboard is an interactive UI for managing your projects and scan targets. You can connect it to GitHub or GitLab, and several IDEs and CI/CD platforms already integrate Semgrep directly. For this write-up, we will focus on a GitHub repository.
What is GitHub Actions?
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform, embedded within the GitHub repository platform, that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository or deploy merged pull requests to production.
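As an added example (not a file from the original post and not taken from Semgrep's own onboarding), this is a minimal workflow that runs Semgrep on every pull request and on pushes to the main branch, which is the pattern the rest of this post sets up through the dashboard. It assumes the file lives at `.github/workflows/semgrep.yml`, that the official `semgrep/semgrep` container image and the `semgrep ci` subcommand are used, and that a repository secret named `SEMGREP_APP_TOKEN` holds the token the Semgrep dashboard issues for your project; those names are what the public Semgrep integration uses, not values shown on this page, so check them against your own dashboard.

```yaml
# .github/workflows/semgrep.yml (assumed path; added example, not from the post)
name: Semgrep

on:
  # Scan every pull request so findings show up before the code is merged.
  pull_request: {}
  # Also scan pushes to the default branch to keep the dashboard baseline current.
  push:
    branches: [main]

jobs:
  semgrep:
    # The check name that appears on the pull request.
    name: semgrep/ci
    runs-on: ubuntu-latest
    # Run inside the official Semgrep image so no install step is needed.
    container:
      image: semgrep/semgrep
    # Skip automated dependency-bump PRs, which cannot read repository secrets.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` pulls the rules configured for this project from the
      # Semgrep dashboard and reports findings back to it using the token.
      - run: semgrep ci
        env:
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

Once the file is committed and the secret is set under the repository's settings, opening a pull request triggers the job; findings are reported both on the pull request and in the Semgrep dashboard, and the job fails the check when blocking findings are present, which is the gate that keeps the scan from becoming a process developers can ignore.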
... Now, let's configure Semgrep for continuous code scanning! 🤓 😊
First, you will need to sign up on the Semgrep platform. Afterward, you can connect your GitHub account right away by logging in with GitHub; that is what we will do in this example.
After logging in to Semgrep Dev with your GitHub account, you will be redirected to a prompt page, which I highly advise you to read and understand. In summary, all changes and prompts are governed by the terms and conditions of both Semgrep and GitHub.
After a successful login, you will be redirected to your Semgrep dashboard.
In this example, we will focus on how to connect your first project in Semgrep that targets your desired repository.
To start, go to the Projects tab:
As you can see in my example, I already have two repositories connected to Semgrep through CI/CD using GitHub Actions. The next step is to click "Setup New Project" at the top right of the screen.
Then, select GitHub Actions:
Once you select GitHub Actions, you will be directed to your GitHub repositories, where you can choose the project you want Semgrep to scan.
In this example, I have created a repository named "examplesemgrep".