Last week we launched code scanning out of beta and have since announced integrations with static analysis and developer security training solutions. By expanding our GitHub security ecosystem, developers can use their tools of choice for any of their projects on GitHub, all within the native GitHub experience they love. Our integrations tightly couple the developer workflow with a security review through GitHub Actions and Apps.

But security doesn’t stop at static analysis. That’s why we’ve enabled other security tools that support the Static Analysis Results Interchange Format (SARIF). Today, we’re happy to introduce additional support for container scanning as well as standards and configuration scanning for infrastructure as code.

Code scanning’s extensibility enables teams to orchestrate security reviews throughout the software development lifecycle – using static analysis tools while coding, managing software supply chain security using Dependabot, scanning build artifacts with container scanning, and scanning configuration before deployment to a cloud service provider.
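The integration point described above is the SARIF format: a tool emits a SARIF log and a workflow step uploads it to code scanning. The following is an added example (not GitHub's or any partner's code) of how a tool would wrap its findings in a minimal SARIF 2.1.0 log; the scanner name, rule ids and findings are constructed for illustration.

```python
import json

# Constructed sample findings, of the kind an infrastructure-as-code
# scanner might report; paths, rule ids and messages are illustrative.
SAMPLE_FINDINGS = [
    {"rule": "IAC-STORAGE-PUBLIC", "level": "error",
     "msg": "Storage bucket allows public read access",
     "file": "infra/main.tf", "line": 12},
    {"rule": "IAC-TLS-MIN-VERSION", "level": "warning",
     "msg": "TLS minimum version below 1.2",
     "file": "infra/lb.tf", "line": 40},
]


def to_sarif(findings, tool_name, tool_version):
    """Wrap tool findings in a SARIF 2.1.0 log that code scanning can ingest.

    Each distinct rule is declared once under tool.driver.rules; each finding
    becomes a result with a ruleId, level, message and a physical location."""
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {"id": f["rule"],
                                     "shortDescription": {"text": f["msg"]}})
        results.append({
            "ruleId": f["rule"],
            "level": f["level"],
            "message": {"text": f["msg"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def count_by_level(sarif):
    """Summarise results per severity, e.g. to fail a PR check on errors."""
    counts = {}
    for r in sarif["runs"][0]["results"]:
        counts[r["level"]] = counts.get(r["level"], 0) + 1
    return counts


if __name__ == "__main__":
    log = to_sarif(SAMPLE_FINDINGS, "example-iac-scanner", "0.1.0")
    with open("results.sarif", "w") as fh:
        json.dump(log, fh, indent=2)
    print(count_by_level(log))
```

A workflow step using `github/codeql-action/upload-sarif` with `sarif_file: results.sarif` then uploads the file so the findings appear as code scanning alerts.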

These integrations unlock key objectives identified by the DevSecOps and “shifting left” movements and help make security an integral part of the development life cycle. Stay tuned as we continue to advance toward these objectives through additional native capabilities and integrations with third-party tools.

Check out the integrations available on the GitHub Marketplace or navigate to the Advanced Security tab and configure a workflow for a third-party solution – you’ll find all these integrations available directly in the GitHub code scanning UI with a pre-configured workflow or GitHub App available!

Third-party code scanning tools: infrastructure as code and OpenAPI testing

42Crunch

The REST API Static Security Testing Action lets you add an automatic static application security testing (SAST) task to your CI/CD workflows and PR checks. The action checks your OpenAPI files for their quality and security from a simple Git push to your project repository when the CI/CD workflow runs.

The action is powered by 42Crunch API Contract Security Audit. Security Audit performs a static analysis of the API definition that includes more than 200 checks on best practices and potential vulnerabilities on how the API defines authentication, authorization, transport, and data coming in and going out.

Accurics

Accurics envisions a world where organizations can innovate with confidence. Its mission is to enable cyber resilience through self-healing security as organizations embrace cloud native infrastructure. The Accurics platform programmatically detects and resolves risks across Infrastructure as Code to reduce the attack surface before infrastructure is provisioned. It maintains the secure posture in runtime by mitigating risks from changes to the infrastructure. Accurics provides free and commercial tools so that all organizations can achieve cyber resilience.

Bridgecrew

Bridgecrew is the developer-first platform streamlining cloud security from commit to cloud. Powered by automation, Bridgecrew enables teams big and small to find, fix, and prevent cloud misconfigurations. The Bridgecrew platform addresses errors both in run-time, with support for AWS, Kubernetes, Azure, and Google Cloud, and in build-time, with support for Terraform, CloudFormation, Serverless Framework, and more. With its native version control system and CI/CD integrations, Bridgecrew embeds cloud security earlier in the development lifecycle and makes it accessible, efficient, and fast.

Announcing third-party code scanning tools: infrastructure as code and container scanning