Shubham Palriwala

SecYourIT

Inspiration

Being an LFX Mentee at Kyverno this quarter, I was looking after and enhancing their security processes and their CI mechanisms. That is when I was exposed to the world of DevSecOps. I remember copying the same actions into workflow after workflow. Fast forward a month and here I am in the GitHub Actions x DEV Hackathon 2021, solving this problem so that nobody has to face it again.

My Workflow

I introduce y'all to SecYourIT (read: sec-your-it-e), a 5-in-one DevSecOps reusable GitHub workflow that takes care of your project's security in the CI itself, thanks to GitHub Actions. You can customise it based on the language of your project, as it supports more than 20 languages.
It handles the following components of your project:

  • Sensitive Token Exposure [Check for Tokens or Keys being pushed]
  • Commit Authenticity Verification [Verify Commits]
  • Dependency Scanning [Scan for vulnerabilities in Dependencies]
  • SCA [Software Composition Analysis]
  • SAST [Static Application Security Testing]

Check out the repository on GitHub: ShubhamPalriwala/secyourit ("Time to get your project some action, security action")

SecYourIT: Secure your IT services seamlessly with this workflow

Run SecYourIT in any of your applications. Be it a CLI, a web app, a mobile app or any other software, SecYourIT is there for you.

Usage

You can trigger this workflow as simply as:

```yaml
jobs:
    secyourit:
        uses: shubhampalriwala/secyourit/.github/workflows/secryourit.yaml@master
        with:
            signerID: 
            org: 
            path:
            language:
        secrets:
            SNYK_API_TOKEN: ${{secrets.SNYK_API_TOKEN}}
```

Parameters:

| Name | Type | Use | Required | Description |
|------|------|-----|----------|-------------|
| SignerID | Input | Notary Commit Verification | false | List of SignerID(s) (separated by space) to authenticate against. A SignerID is the signer's public address (represented as a 40 hex characters long string prefixed with 0x) |
| Org | Input | Notary Commit Verification | false | Organization's ID to authenticate against. Note that org takes precedence over signerID |
| Path | Input | Notary Commit Verification | true | Path to git working directory. Defaults to the current SecYourIT repo |
| Language | Input | SCA and SAST | true | The language is required to run |
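A complete caller workflow, as an added example that is not part of the original post or the SecYourIT repository. It assumes a Python project (so the same `language` value resolves to `snyk/actions/python` and the AppThreat `python` scan type), a constructed placeholder SignerID, and that the `SNYK_API_TOKEN` repository secret already exists.

```yaml
# .github/workflows/security.yaml in the repository that consumes SecYourIT
name: security

on:
  push:
    branches: [main]
  pull_request:

# The reusable workflow only needs to read the checkout; grant nothing more.
permissions:
  contents: read

jobs:
  secyourit:
    uses: shubhampalriwala/secyourit/.github/workflows/secryourit.yaml@master
    with:
      # Constructed placeholder: a real SignerID is "0x" followed by 40 hex characters
      signerID: "0x0000000000000000000000000000000000000000"
      # org is omitted; if set it would take precedence over signerID
      path: "."            # git working directory that Notary verifies
      language: "python"   # selects the Snyk action and the AppThreat scan type
    secrets:
      # Pass the caller's secret through under the name the reusable workflow expects
      SNYK_API_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
```

Because `actions/checkout` inside a reusable workflow checks out the calling repository, the secret-scan exclude list at `.github/workflows/configuration/exclude_paths.txt` has to live in the caller's repository, not in SecYourIT's.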

Submission Category:

Maintainer Must-Haves
DIY Deployments

Yaml File or Link to Code

```yaml
name: secyourit
on:
  workflow_call:
    inputs:
      signerID:
        required: false
        type: string
      org:
        required: false
        type: string
      path:
        required: true
        type: string
      language:
        required: true
        type: string
    secrets:
      SNYK_API_TOKEN:
        required: true

jobs:
  hola-secyourit:
    name: "Welcome to SecyourIT"
    runs-on: ubuntu-latest
    steps:
      - name: Project Init
        run: echo "SecyourIT says Hi!"

  # Sensitive Token Exposure: fail if tokens or keys were pushed
  find-secrets:
    name: 'Scan for Secrets'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Find Secrets
        uses: max/secret-scan@master
        with:
          exclude_path: '.github/workflows/configuration/exclude_paths.txt'

  # Commit Authenticity Verification: check commits against the given SignerID(s) or org
  verify-commits-using-notary:
    name: Verify Commits using Notary
    runs-on: ubuntu-latest
    steps:
      - uses: vchain-us/verify-action@master
        with:
          signerID: ${{inputs.signerID}}
          org: ${{inputs.org}}
          path: ${{inputs.path}}

  # Dependency Scanning: filesystem scan of OS packages and libraries, failing on
  # fixable MEDIUM+ findings
  scan-image-using-trivy:
    name: Trivy Scan Image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Scan File system using Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'

  # SCA: language-specific Snyk action
  sca-using-snyk:
    name: Software Composition Analysis using Snyk
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check for vulnerabilities
        # NOTE: GitHub Actions does not evaluate ${{ }} expressions in a `uses:` key,
        # so this line is rejected when the workflow is parsed. Pin a concrete action
        # (e.g. snyk/actions/python@master) or install the CLI with snyk/actions/setup
        # and run `snyk test` in a `run:` step instead.
        uses: snyk/actions/${{inputs.language}}@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}

  # SAST: AppThreat scan for the given language type
  sast-using-appthreat:
    name: SAST using AppThreat
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run SAST Scan by AppThreat
        uses: AppThreat/sast-scan-action@master
        with:
          type: ${{inputs.language}}
```

Additional Resources / Info

GitHub URL

Figma Project Link

Open Source Projects that are being used in my workflow:

  • max/secret-scan (secret scanning)
  • vchain-us/verify-action (Notary commit verification)
  • aquasecurity/trivy-action (dependency scanning)
  • snyk/actions (Software Composition Analysis)
  • AppThreat/sast-scan-action (SAST)