Securing your deployment with scanning using GitHub Actions

Security scanning of code, before, during, and after deployment is a great way to enhance the security of any project. Knowing that your code is being analysed for issues before deployment, during the build phase, and then after deployment when you are in the support/run phase, can really help to improve the security posture of an environment, with minimal effort required to conduct the scanning. Whilst, in an ideal world, all of these checks would take place before the deployment – it still makes sense to analyse retrospectively, as you can then remediate environments as additional scans or tools are added and updated.

Overview

I have recently been using this with my own repositories and leveraging GitHub actions to perform analysis and log security issues that I can then address. In this case, the repo contains Terraform code that is used to deploy Azure Resources – so I am using two security tools within GitHub Actions. Both of the tools below are easy to deploy and really useful when working with Terraform across Public Cloud providers:

Worth noting here that there are lots of other tools out there that offer similar capability – and cover different code bases and requirements!

Both of these tools provide a scanning capability that allows me to scan code within my repo as required, and then log these (by creating SARIF files) as a Code Scanning Alert within the repo:

When the scans have completed, I can then look into the open alerts:

We now have a long list of open alerts we can work through!

GitHub Actions Setup

To setup either of these scans, we need to create actions within the GitHub repo. Thankfully, both are super easy to do – we just need to create a new YAML file and store it in the usual .github/workflows folder. The YAML for both scans I am using is available below:

TFSec:

name: Run TFSec Analysis
on: [workflow_dispatch]

jobs:
  tfsec:
    name: tfsec sarif report
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@master

      - name: tfsec
        uses: tfsec/tfsec-sarif-action@master
        with:
          sarif_file: tfsec.sarif          

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif         

Terrascan:

name: Run Terrascan
on: [workflow_dispatch]

jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Run Terrascan
      id: terrascan
      uses: accurics/terrascan-action@main
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'azure'
        only_warn: true
        sarif_upload: true
        #non_recursive:
        #iac_dir:
        #policy_path:
        #skip_rules:
        #config_path:
    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: terrascan.sarif

As you can see, I am using [workflow_dispatch] so I can run these scans manually as required – but you may wish to change this to [push] if you are wanting automated scanning every time changes are made to the code, or use a schedule if you want these to run at specified intervals. If you use the sample YAML files I’ve created above, running the scans is a manual step, which is outlined below:

Conclusion

As you can see, this is a quick and easy way to bring additional security scanning and checks into your code, and the use of GitHub actions provides a great way to automate this. It makes sense to include a basic level of checking even when there is no requirement for continual checks. Just having this type of scan setup can assist in preventing issues before they make it to a real environment, or help to identify an issue post deployment as new checks/scans are introduced.