Security scanning in CI

[daniel-ac-martin]

It would be nice to have some sort of security scanning functionality in CI to try to catch any security problems.

SCA / Dependency scanning

• Snyk? (sketchy PNPM support?)
• OWASP Dependency Check?
• https://github.com/marketplace/actions/dep-scan
• Trivy for Docker images?: https://www.aquasec.com/products/trivy/
  • Scan latest tag?

SAST

• https://github.com/AppThreat/sast-scan (discontinued)
• https://github.com/ShiftLeftSecurity/sast-scan
• SonarQube? (how?)

DAST

Perhaps with ZAP?

Could like at this: https://github.com/marketplace/actions/owasp-zap-full-scan
Also: https://github.com/marketplace/actions/owasp-zap-baseline-scan
(But it might be better to have a way to run it locally as well.)

For APIs (inc. GraphQL) perhaps we should consider: https://github.com/zaproxy/action-api-scan

See also:

• https://jerrygamblin.com/2020/08/27/build-an-open-source-appsec-pipeline-using-github-actions/
• https://github.com/AppThreat
• https://slscan.io/

[daniel-ac-martin]

It looks like SLScan might do everything aside from DAST.
So the solution might just be SLScan + ZAP.

[daniel-ac-martin]

Looks like SLScan doesn't actually do proper SAST on Type/JavaScript.

[daniel-ac-martin]

Sounds like it used to do it with njsscan.
I've asked whether they will do it again in the future: ShiftLeftSecurity/sast-scan#367

[daniel-ac-martin]

Looks like SLScan is deprecated: ShiftLeftSecurity/sast-scan#352
But it might still be the best open-source option. (When combined with a separate SAST tool for TypeScript.)

[daniel-ac-martin]

CodeQL looks good for most of the static side. (Besides dependencies.)
Possibly, we could use Snyk for dependencies with https://www.npmjs.com/package/snyk-pnpm-deptree-api-tool
Zap is probably good for dynamic/DAST but we need to find a way to stand-up a copy of the app in CI.

[daniel-ac-martin]

OWASP dependency check supports SARIF output and so might fit well with CodeQL.

[daniel-ac-martin]

Perhaps we should replace SLScan with https://github.com/marketplace/actions/dependency-check ?
It seems to be lighter weight and should integrate with GitHub via SARIF output.
(Snyk might be another option but depends on a SaaS account.)

[daniel-ac-martin]

Can we use ZAP's API scanner?: https://github.com/zaproxy/action-api-scan

[daniel-ac-martin]

Can we scan Docker images with Trivy?: https://www.aquasec.com/products/trivy/

[daniel-ac-martin]

Trivy in GitHub Actions: https://blog.aquasec.com/trivy-github-actions-security-cicd-pipeline

[prabhu]

@daniel-ac-martin I am working on a proper OSS SAST tool for javascript/typescript that is powered by joern. Will get in touch with you as soon as it's ready.