Inspiration
As an LFX Mentee at Kyverno this quarter, I have been looking after and enhancing their security processes and CI mechanisms. That is when I was exposed to the world of DevSecOps. I remember copying the same actions into repository after repository. Fast forward a month and here I am at the GitHub Actions x DEV Hackathon 2021, solving this problem so that nobody has to face it again.
My Workflow
I introduce y'all to SecYourIT (read: sec-your-it-e), a five-in-one reusable DevSecOps GitHub workflow that takes care of your project's security in CI itself, thanks to GitHub Actions. You can customise it for the language of your project; it supports more than 20 languages.
It handles the following components of your project (one job each, see the workflow below):
- Sensitive Token Exposure [check for tokens or keys being pushed, with max/secret-scan]
- Commit Authenticity Verification [verify commits, with vchain-us/verify-action]
- Dependency Scanning [scan OS packages and dependencies for known vulnerabilities, with Trivy]
- SCA [Software Composition Analysis, with Snyk]
- SAST [Static Application Security Testing, with AppThreat sast-scan]
Check out the repository: ShubhamPalriwala/secyourit ("Time to get your project some action, security action"; SecYourIT: Secure your IT services seamlessly with this workflow). Run SecYourIT in any of your applications, whether a CLI, a web app, a mobile app or any other software.
Usage
You can call this reusable workflow from a workflow in your own repository as simply as:

```yaml
name: ci
on: [push, pull_request]   # any trigger you like; the caller decides when SecYourIT runs

jobs:
  secyourit:
    uses: shubhampalriwala/secyourit/.github/workflows/secryourit.yaml@master
    with:
      signerID:   # optional: space-separated list of 0x... signer addresses
      org:        # optional: organization ID; takes precedence over signerID
      path:       # required: git working directory to verify
      language:   # required: language of the project
    secrets:
      SNYK_API_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
```

The caller passes its own repository secret through explicitly; a reusable workflow does not inherit the caller's secrets unless they are listed under `secrets:`.
Parameters:
Name | Type | Used by | Required | Description |
---|---|---|---|---|
signerID | Input | Notary commit verification | false | Space-separated list of SignerID(s) to authenticate against. A SignerID is the signer's public address: 40 hex characters prefixed with 0x. |
org | Input | Notary commit verification | false | Organization ID to authenticate against. org takes precedence over signerID when both are set. |
path | Input | Notary commit verification | true | Path to the git working directory to verify, i.e. the checked-out repository (the repository root in the common case). |
language | Input | SCA and SAST | true | Language of the project; passed to the SCA and SAST jobs to select the scanner configuration. |
SNYK_API_TOKEN | Secret | SCA | true | Snyk API token, passed through from the caller's repository secrets. |
Submission Category:
Maintainer Must-Haves
DIY Deployments
Yaml File or Link to Code
```yaml
name: secyourit
on:
  workflow_call:
    inputs:
      signerID:
        required: false
        type: string
      org:
        required: false
        type: string
      path:
        required: true
        type: string
      language:
        required: true
        type: string
    secrets:
      SNYK_API_TOKEN:
        required: true

jobs:
  hola-secyourit:
    name: "Welcome to SecyourIT"
    runs-on: ubuntu-latest
    steps:
      - name: Project Init
        run: echo "SecyourIT says Hi!"

  find-secrets:
    name: 'Scan for Secrets'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Find Secrets
        uses: max/secret-scan@master
        with:
          # resolved inside the caller's checkout, so the caller repo must ship this file
          exclude_path: '.github/workflows/configuration/exclude_paths.txt'

  verify-commits-using-notary:
    name: Verify Commits using Notary
    runs-on: ubuntu-latest
    steps:
      # added: the verify action reads the git working directory, which is empty until checkout
      - uses: actions/checkout@v2
      - uses: vchain-us/verify-action@master
        with:
          signerID: ${{ inputs.signerID }}
          org: ${{ inputs.org }}
          path: ${{ inputs.path }}

  scan-image-using-trivy:
    name: Trivy Scan File System
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Scan file system using Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'table'
          exit-code: '1'          # fail the job on any finding at the severities below
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'

  sca-using-snyk:
    name: Software Composition Analysis using Snyk
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # GitHub Actions does not evaluate ${{ }} expressions in `uses:`, so the original
      # `uses: snyk/actions/${{inputs.language}}@master` is rejected when the workflow loads.
      # Installing the Snyk CLI instead keeps the job language-agnostic: `snyk test`
      # detects the project's manifests itself.
      - uses: snyk/actions/setup@master
      - name: Run Snyk to check for vulnerabilities
        run: snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}

  sast-using-appthreat:
    name: SAST using AppThreat
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run SAST Scan by AppThreat
        uses: AppThreat/sast-scan-action@master
        with:
          type: ${{ inputs.language }}
```

One caveat before you adopt this as-is: every third-party action above is referenced at `@master`, a mutable branch, so a compromise or force-push upstream silently changes what runs in your CI, with your Snyk token in its environment. Pin each `uses:` to a full commit SHA and bump it deliberately, and declare a least-privilege `permissions:` block (as written, these jobs only need `contents: read`).
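As an added check (example code written for this page, not part of the SecYourIT repository), here is a small stdlib-only Python script that audits the `uses:` references in a workflow file. It flags every action referenced by a mutable branch or tag (for example `@master` or `@v2`) instead of a full 40-hex commit SHA, treats docker images as pinned only when they carry an `@sha256:` digest, and flags any `${{ }}` expression inside `uses:`, which GitHub Actions does not evaluate there. The sample workflow text and the all-`a` placeholder SHA embedded in it are constructed for the demonstration; the regex-based line matching is an assumption that the workflow is written one `uses:` per line, as the workflows on this page are.

```python
"""Audit a GitHub Actions workflow for supply-chain hazards in its `uses:` lines.

Added example, not code from the SecYourIT repository. Two findings are reported:
  mutable     - the action is referenced by a branch/tag (or an undigested image tag),
                so upstream changes alter what runs in CI without any change here;
  expression  - `${{ ... }}` appears inside `uses:`, which GitHub Actions never
                evaluates, so the workflow is rejected when it is loaded.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "line ref kind")

# Matches `uses:` both as a step key ("- uses: ...") and as a job key (reusable workflows).
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(.+?)\s*$")
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed placeholder, not a real commit: stands in for a properly pinned SHA.
PINNED_SHA = "a" * 40

# Constructed sample: the references used by the SecYourIT workflow plus a caller,
# a local action, a docker image and one SHA-pinned step for contrast.
SAMPLE_WORKFLOW = """
jobs:
  secyourit:
    uses: example-org/shared-workflows/.github/workflows/ci.yaml@main
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: max/secret-scan@master
      - uses: aquasecurity/trivy-action@master
      - uses: snyk/actions/${{inputs.language}}@master
      - uses: AppThreat/sast-scan-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: actions/checkout@PINNED_SHA   # properly pinned
""".replace("PINNED_SHA", PINNED_SHA)


def parse_uses(workflow_text):
    """Return (line_number, ref) for every `uses:` key, quotes and comments stripped."""
    refs = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1).split(" #", 1)[0].strip().strip("\"'")
            refs.append((number, ref))
    return refs


def classify(ref):
    """Classify one `uses:` reference as 'ok', 'mutable' or 'expression'."""
    if "${{" in ref:
        return "expression"        # never evaluated in `uses:`; the workflow fails to load
    if ref.startswith("./"):
        return "ok"                # local action, versioned together with the repository
    if ref.startswith("docker://"):
        return "ok" if "@sha256:" in ref else "mutable"   # image tags can be re-pushed
    if "@" not in ref:
        return "mutable"           # no ref at all
    version = ref.rsplit("@", 1)[1]
    return "ok" if SHA_RE.fullmatch(version) else "mutable"


def audit(workflow_text):
    """Return a Finding for every `uses:` reference that is not acceptable."""
    findings = []
    for number, ref in parse_uses(workflow_text):
        kind = classify(ref)
        if kind != "ok":
            findings.append(Finding(number, ref, kind))
    return findings


def main(argv):
    """Audit the file given on the command line, or the built-in sample; exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_WORKFLOW
    findings = audit(text)
    for finding in findings:
        print(f"line {finding.line}: {finding.kind:10} {finding.ref}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real file with `python audit_uses.py .github/workflows/secyourit.yaml`; a non-zero exit code makes it usable as a gate in CI itself. It deliberately says nothing about which SHA to pin to: that choice, and the review of each bump, stays with the maintainer.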
Additional Resources / Info
Open-source projects used in my workflow:
- max/secret-scan to scan for tokens and sensitive data
- vchain-us/verify-action to verify the authenticity of the commits
- aquasecurity/trivy-action to scan the file system and the dependencies for vulnerabilities
- snyk/actions to perform Software Composition Analysis
- AppThreat/sast-scan-action to perform Static Application Security Testing