DEV Community

Cover image for Detect vulnerable libraries within your GitHub environments for free
Orlandov14 for CodeSec by Contrast Security

Posted on • Updated on

Detect vulnerable libraries within your GitHub environments for free

Combine the power of GitHub Actions for automated Continuous Integration/Continuous Deployment (CI/CD) pipelines with Contrast Security’s powerful free developer tool, CodeSec, to identify vulnerable dependencies in your Java, .NET, NodeJS, Ruby, Python, Go or PHP projects.

The first step is to install CodeSec locally. CodeSec is at the free tier of Contrast Security’s product suite. It is very easy to install with either Homebrew, npm or straight from binary. You can find CodeSec at Contrast’s Developer Central online portal.

Once CodeSec is installed on your machine, you will need to run the command contrast config. This will give you the CodeSec account keys that you can use in your project’s GitHub Actions configuration file.

CodeSec config keys

CodeSec config keys

Second, you need to set those keys as secrets in your GitHub repository’s settings. This is available in your GitHub project repository on the Settings tab, Security section, Secrets option, Actions sub-option. Add secrets with the names CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER along with their corresponding values from the contrast config command.

CodeSec + GitHub

Add GitHub repository secrets

With those config keys set as repository secrets, you are now ready to use the Contrast SCA GitHub Action. Contrast SCA is an enterprise-level cybersecurity tool that identifies vulnerabilities in the third-party components that your project uses.

The Contrast SCA GitHub Action page gives examples of GitHub Action configuration files for use with several different languages. In this article we will walk through an example of using the NodeJS config file.

Create a new Git branch in your project with git checkout -b your-branch-name.

CodeSec SCA + GitHub

Create a new Git branch

Next, create a new GitHub Actions build file at ./.github/workflows/build.yml, if your project does not have one yet. If it does, you may want to just edit your existing file.

CodeSec SCA + GitHub

New GitHub Actions build configuration file

Then, in the build.yml file, add the job to run the Contrast SCA action. Use the Node template from the Contrast SCA GitHub Action page. Be sure that it uses the CodeSec config secrets that you made at the beginning of the article! Note: One difference from the template is that we won’t specify the apiUrl setting and will let Contrast SCA default to the free Community Edition of the Contrast tool suite server. You will also need to customize the path to your project’s config files and make sure that you target branch “main”, which is the default name of the repository’s primary branch on GitHub.

CodeSec SCA + GitHub

Example build.yml for a NodeJS project

Back on the command line, add the new file to your local Git repository, commit the changes and then push it up to your remote GitHub repository.

CodeSec SCA + GitHub

Git add, commit and push your new build file

The output of git push gives you a URL to use to create the pull request for your changes. In this example, it was https://github.com/JacobMagesHaskinsContrast/resource-mon/pull/new/add-sca-check.

CodeSec SCA + GitHub

Pull request on the GitHub repository

After merging the changes, you can look at the Actions tab and see that “SCA Node” is now an available workflow that runs in your repository.

CodeSec SCA + GitHub

SCA Node workflow in the repository actions

If your project has a vulnerability, like the deliberate example vulnerability in this project, you can click on the workflow’s run to see its details. In the details, you can find the specific vulnerabilities in libraries that your project uses, along with advice on fixing them.

CodeSec SCA + GitHub

Contrast SCA GitHub Action results

Conclusion

GitHub Actions are a powerful tool. Much could be written on all the various options available for using them to power your project’s CI/CD pipelines. The Contrast SCA GitHub Action, when paired with CodeSec, is a strong new tool for securing your project from cybersecurity threats.

Test out Contrast SCA’s newest GitHub Action feature for yourself with CodeSec!

To learn more about Contrast's new GitHub Action:

Click here for our video tutorial.
Click here to check us out on GitHub Marketplace.

Top comments (2)

Collapse
 
orlandov14 profile image
Orlandov14

Comment below if you have any questions!

Collapse
 
theaccordance profile image
Joe Mainwaring • Edited

Curious, does this service differ any from Dependabot alerts? I can get CVEs using that.