Automate the Discovery of Coding Vulnerabilities
Background
In a previous blog, Software Developers Scream, "security, hurry!", we unpacked a concern that software leaders often have about security being a bunch of heavy processes that slow down innovation. And in 3 Essential DevSecOps Resources, we mentioned how the DevSecOps paradigm addresses that problem by making it possible to build security automation into both the creative development and the operational processes of making and releasing software. Now, in this post, which builds on Finding Vulnerabilities in Your Code Quickly and Cheaply, let's look at how you can deploy Semgrep with Github to automate code analysis as your developers create.
Prerequisites
You'll need:
SEMGREP Dev Account (Can sign up for free.)
Github Account
Target repository
What is SEMGREP Dev/Dashboard?
SEMGREP dashboard is an interactive UI that you can interact with your projects/targets. You can connect your dashboard with Github or GitLab and some other IDE already integrates SEMGREP in their applications and as part of their CI/CD platforms. For this write-up, we will focus on the Github repository.
What is GitHub Actions?
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform, embedded within the GitHub repository platform, that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository or deploy merged pull requests to production.
... Now, let's configure Semgrep for continuous code scanning! 🤓 😊
First, you will need to sign up on the Semgrep platform. Afterward, you can connect your GitHub account right away by logging in with GitHub, and in this example, we will do that.
After logging in to Semgrep dev using your GitHub account, you will be redirected to this prompt page which I highly advise you to read and understand. In summary, all changes and prompts are under the terms and conditions of both Semgrep and GitHub.
After successful login, you will now be redirected to your Semgrep Dashboard.
In this example, we will focus on how to connect your first project in Semgrep that targets your desired repository.
To start you can go to the Projects tab:
As you can see in my example, I already have two repos that are already connected to Semgrep thru CI/CD using GitHub Actions.The next step is to click "Setup New Project" on the top right of the screen.
Then, select GitHub Actions:
Once you select GitHub Actions, you will be directed to your GitHub Repositories and there you can choose the project you want Semgrep to scan.
In this example, I have created a repository named "examplesemgrep".
After confirming your target, you can now click on "Add CI Job".
After that, you would be prompted by this page that a yml file would be needed to commit. On the yml file, you can see values that can later be changed and edited depending on how you want Semgrep to be integrated in your project (example of change you can make is you can change which branch Semgrep would run through this yml file).
\
You will also see 3 toggle switches. These switches are self-explanatory and as is presented on the page. You can also set the integration to run daily or weekly or just toggle it off so it won't scan automatically on schedule.
After you confirm all those preliminary configurations, you can proceed on clicking "Commit file".
The next page would be the SECRETS page.
You will need to go to your GitHub Action's Secrets page in your chosen GitHub repo. You can easily access it by clicking on the link that says "your repository's secrets."
Once done, you can go back to your Semgrep Dashboard and click on "The secret's there, continue" button.
After that, it would load and tell you that the first scan is on it's way!
You can simply wait for it on the Project page until the first scan is complete.
Once the first scan is complete, you will see the results on your dashboard:
You can analyze the findings one by one by accessing the Findings tab:
You can also check the Ruleset you used on scan by accessing the Rule Board tab:
You can also create a new Rule specifically tailored for your project thru Editor tab:
After accessing and gaining familiarity with these tabs, you can easily manage findings and mark them as "fixed", "triaged" or "ignored" in this Dashboard.
From here, you can easily document findings and track your team's progress in fixing and updating the vulnerabilities found by Semgrep. You can also track them in their every code push and commits on the target repo. This would ensure coding best practices and discipline to your developers and would give ease of access to security engineers for them to analyze and handle found vulnerabilities.