This workshop is designed to help you get started with application security testing in GitHub Actions. Participants get hands-on experience with:

• GitHub Actions workflows
• Dependabot software composition analysis (SCA)
• CodeQL static application security testing (SAST) scanning
• StackHawk dynamic application security test (DAST) scanning

You can find the slide deck for this workshop here.

Not attending our workshop right now? Watch it on your own schedule.

To get the most out of this workshop, make sure you have the following prerequisites before getting started.

• Discord
  • Join the ZAPCon Server
  • Find us in the #automated-security-testing-with-github-actions channel
• GitHub - Sign up if you don't have an account

Fork the vuln_node_express app:

https://github.com/kaakaww/vuln_node_express

Go to the Code section of your newly forked repository in GitHub. Create a new file using the Add file --> Create new file button. Name the file .github/workflows/build-and-test.yml, and add the following contents:

# .github/workflows/build-and-test.yml
name: Build and Test
on:
  push: 
    branches:
      - main
  pull_request:
jobs:
  build-and-test:
    name: Build and test
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Install Node.js 14.x
        uses: actions/setup-node@v2
        with:
          node-version: 14.x
          cache: npm
      - name: Install dependencies
        run: npm install
      - name: Run unit tests
        run: npm test

Commit the change.

Go to the Actions section of your repository, and you should see the new workflow running.

Go to the Settings section of your repo, and find the Security & analysis section in the left pane. Enable the Dependency graph, Dependabot alerts, and Dependabot security updates features in this section. Dependabot is now configured.

Go to the Security section of your GitHub repo, and click into the Dependabot alerts on the left pane. Examine some of the dependency alerts, and see if you can resolve them.

Go to the Security section of your repo. Click on Set up code scanning. Find the CodeQL Analysis code scanning tool, and click Set up this workflow.

Examine the GitHub Actions workflow, .github/workflows/codeql-analysis.yml, and commit it to the repo.

Now go to the Actions section of your repo, and watch your new CodeQL workflow run.

When CodeQL has finished, examine the results in the Security section under Code scanning alerts in the left pane.

Sign up for a StackHawk Developer account. Follow the Get Started flow to create your StackHawk API key and first application.

Stash your StackHawk API key in GitHub Secrets. In your repo, navigate to the Settings section, and find Secrets in the left pane.

Add a secret named HAWK_API_KEY, and add your StackHawk API key as the value.

Download the stackhawk.yml file that you created in the Get Started flow in the StackHawk platform. Copy the contents into a new file at the base of your repo named stackhawk.yml. Commit the file.

Update your Build and Test workflow. Add a step to start the vuln_node_express, and a step to run HawkScan using the StackHawk Action at the end:

# .github/workflows/build-and-test.yml
name: Build and Test
on:
  push: 
    branches:
      - main
  pull_request:
jobs:
  build-and-test:
    name: Build and test
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Install Node.js 14.x
        uses: actions/setup-node@v2
        with:
          node-version: 14.x
          cache: npm
      - name: Install dependencies
        run: npm install
      - name: Run unit tests
        run: npm test
      - name: Daemonize our Node API service
        run: npm run start &
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v1.3.4
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}

Commit this change.

Go to the Actions section of your repo, and watch your updated Build and Test workflow run. Examine the Run HawkScan step console logs.

Check your scan results on the StackHawk platform.

To make the HawkScan break your build for high severity alerts, add the following section to the end of your stackhawk.yml configuration file at the root of your repository.

hawk:
  failureThreshold: high

Rerun your GitHub Actions workflow, and check to make sure the scan succeeds and the Action run fails due to your new failure threshold being exceeded. Triage all high severity alerts in the StackHawk platform. After triaging all high severity alerts, you should be able to rerun the Actions workflow, and the workflow should succeed.

You just automated SCA, SAST, and DAST scanning with GitHub Actions!

Read more about GitHub Actions, CodeQL, and Dependabot. And check out the GitHub Actions Marketplace, where you can find other Actions to build out your pipeline.

Finally, here are some additional resources for tuning StackHawk to scan your applications.

• HawkDocs, where you can read all the details on how to configure and run HawkScan in your environment.
• Authenticated Scanning - Guides for authenticating HawkScan to your application for deeper scans.
• Continuous Integration, where you can see our guides for integrating HawkScan with the most popular CI/CD systems.
• StackHawk Blog, with technical tips, tricks, and walkthroughs to help you secure and test your applications.