daniel-ac-martin / NotGovUK

An implementation of the GOV.UK Design System in React that provides support for writing internal applications in addition to public ones.
https://not-gov.uk/
MIT License
27 stars 8 forks

Security scanning in CI #487

Open daniel-ac-martin opened 2 years ago

daniel-ac-martin commented 2 years ago

It would be nice to have some sort of security scanning functionality in CI to try to catch any security problems.

SCA / Dependency scanning

SAST

DAST

Perhaps with ZAP?

Could look at this: https://github.com/marketplace/actions/owasp-zap-full-scan
Also: https://github.com/marketplace/actions/owasp-zap-baseline-scan
(But it might be better to have a way to run it locally as well.)

For APIs (inc. GraphQL) perhaps we should consider: https://github.com/zaproxy/action-api-scan

See also:

daniel-ac-martin commented 2 years ago

It looks like SLScan might do everything aside from DAST. So the solution might just be SLScan + ZAP.

daniel-ac-martin commented 2 years ago

Looks like SLScan doesn't actually do proper SAST on Type/JavaScript.

daniel-ac-martin commented 2 years ago

Sounds like it used to do it with njsscan. I've asked whether they will do it again in the future: https://github.com/ShiftLeftSecurity/sast-scan/issues/367

daniel-ac-martin commented 2 years ago

Looks like SLScan is deprecated: https://github.com/ShiftLeftSecurity/sast-scan/issues/352
But it might still be the best open-source option. (When combined with a separate SAST tool for TypeScript.)

daniel-ac-martin commented 2 years ago

CodeQL looks good for most of the static side. (Besides dependencies.) Possibly, we could use Snyk for dependencies with https://www.npmjs.com/package/snyk-pnpm-deptree-api-tool
Zap is probably good for dynamic/DAST, but we need to find a way to stand up a copy of the app in CI.

daniel-ac-martin commented 2 years ago

OWASP dependency check supports SARIF output and so might fit well with CodeQL.

daniel-ac-martin commented 2 years ago

Perhaps we should replace SLScan with https://github.com/marketplace/actions/dependency-check? It seems to be lighter weight and should integrate with GitHub via SARIF output. (Snyk might be another option but depends on a SaaS account.)

daniel-ac-martin commented 2 years ago

Can we use ZAP's API scanner?: https://github.com/zaproxy/action-api-scan

daniel-ac-martin commented 2 years ago

Can we scan Docker images with Trivy?: https://www.aquasec.com/products/trivy/

daniel-ac-martin commented 2 years ago

Trivy in GitHub Actions: https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline
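The comments above sketch a pipeline of CodeQL (SAST), OWASP Dependency-Check (SCA, via SARIF), Trivy (image scanning) and ZAP (DAST against a copy of the app stood up in the job). The workflow below is an added example of how those pieces fit together in GitHub Actions; it is not part of this issue or of the NotGovUK project. The image name `notgovuk-app:ci`, the port `8080`, the Dockerfile at the repo root, the action version pins, and the action input names and the Dependency-Check SARIF report path are all assumptions that should be checked against each action's README before use.

```yaml
name: security-scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 3 * * 1'   # weekly run so newly published CVEs surface without a code change

permissions:
  contents: read
  actions: read
  security-events: write   # required to upload SARIF to the repository's Security tab

jobs:
  sast:
    # SAST: CodeQL on the JavaScript/TypeScript code base
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3

  sca:
    # SCA: OWASP Dependency-Check, emitted as SARIF so its findings sit beside CodeQL's
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dependency-check/Dependency-Check_Action@main
        with:
          project: NotGovUK
          path: .
          format: SARIF
          out: reports          # assumed output directory; the report name below is also an assumption
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: reports/dependency-check-report.sarif
          category: dependency-check   # distinct category so this upload does not overwrite CodeQL's

  image-and-dast:
    # Build the app image once, scan it with Trivy, then run the app for a ZAP baseline scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build application image
        run: docker build -t notgovuk-app:ci .    # assumes a Dockerfile at the repository root
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: notgovuk-app:ci
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy
      - name: Start the app and wait until it answers
        run: |
          docker run -d --name app -p 8080:8080 notgovuk-app:ci   # assumed port
          for i in $(seq 1 30); do
            curl -fsS http://localhost:8080/ >/dev/null && exit 0
            sleep 2
          done
          echo "app did not become ready" >&2
          docker logs app >&2
          exit 1
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: http://localhost:8080/   # assumes the scanner can reach the job's localhost
          fail_action: false               # report first; flip to true once the rule set is tuned
```

Each scanner uploads under its own `category` so the SARIF results do not overwrite one another in the Security tab. The ZAP step wraps the same `zap-baseline.py` script that ships in the ZAP Docker image, so the scan can also be run locally against a development server, which addresses the wish expressed earlier in the thread for a local equivalent. `fail_action: false` keeps ZAP's passive-scan warnings from blocking merges until a rules file has been agreed; the Trivy `severity` filter plays the same role for image findings.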

prabhu commented 1 year ago

@daniel-ac-martin I am working on a proper OSS SAST tool for javascript/typescript that is powered by joern. Will get in touch with you as soon as it's ready.