Inserting security in GitHub pull requests! — Part 2 (using GitHub Actions)

Alok Shukla
Published in ShiftLeft Blog
3 min read · Mar 31, 2020


This post builds on a previous post about inserting code analysis into GitHub pull requests. Here we focus on implementing that workflow with GitHub Actions for a Java project, with actual code snippets and a video to follow.

We can configure the entire workflow for analyzing a Java app in four simple steps.

Add “ShiftLeft code analysis” into your build action.

You can create a dedicated action (coming soon) or simply invoke code analysis from your build Action workflow. In this case we assume that you have a “main.yml” workflow file in your source code repository at the path

<project-name>/.github/workflows/main.yml

In your main.yml file, add the following snippet after your build job. Essentially, this snippet adds a small step that executes a shell script to run the analysis.

Now we need to add a file named sl-analysis.sh with the code below to the root of the project code repository (you can change the name, as long as you make the same change in the snippet above).

PS: add your JAR/WAR file name to the analyze-code step.

#!/bin/sh
# Runs ShiftLeft analysis for the current pull request and posts the
# build-rule result back to the PR as a comment.

# GITHUB_REPO must be exported from the workflow as "owner/repo"; fall back to
# the default GitHub Actions variable GITHUB_REPOSITORY if it is not set.
GITHUB_REPO="${GITHUB_REPO:-$GITHUB_REPOSITORY}"
GITHUB_BRANCH=${GITHUB_REF##*/}
GITHUB_PROJECT=${GITHUB_REPO##*/}
# Replace this placeholder with the JAR/WAR produced by your build step.
ARTIFACT="<jar/war file name>"

# On pull_request events GITHUB_SHA is the merge commit, so match it against
# the open PRs to find the PR number.
PULL_REQUEST=$(curl -sS "https://api.github.com/repos/$GITHUB_REPO/pulls?state=open" \
  -H "Authorization: Bearer $GITHUB_TOKEN" \
  | jq --arg sha "$GITHUB_SHA" '.[] | select(.merge_commit_sha==$sha) | .number')

echo "Got pull request $PULL_REQUEST for branch $GITHUB_BRANCH"

# Install ShiftLeft
curl -sS https://www.shiftleft.io/download/sl-latest-linux-x64.tar.gz > /tmp/sl.tar.gz \
  && sudo tar -C /usr/local/bin -xzf /tmp/sl.tar.gz

# Analyze code
sl analyze --version-id "$GITHUB_SHA" --tag branch="$GITHUB_BRANCH" \
  --app "$GITHUB_PROJECT" --java --cpg --wait "$ARTIFACT"

# Run build rule check: any output means at least one build rule failed.
URL="https://www.shiftleft.io/violationlist/$GITHUB_PROJECT?apps=$GITHUB_PROJECT&isApp=1"
BUILDRULECHECK=$(sl check-analysis --app "$GITHUB_PROJECT" --branch "$GITHUB_BRANCH")

# Post a comment on the pull request; jq builds the JSON so the body is escaped.
post_pr_comment() {
  curl -sS -XPOST "https://api.github.com/repos/$GITHUB_REPO/issues/$PULL_REQUEST/comments" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$(jq -n --arg body "$1" '{body: $body}')"
}

if [ -n "$BUILDRULECHECK" ]; then
  PR_COMMENT="Build rule failed, click here for vulnerability list! - $URL"
  echo "$PR_COMMENT"
  post_pr_comment "$PR_COMMENT"
  exit 1
else
  PR_COMMENT="Build rule succeeded, click here for vulnerability list! - $URL"
  echo "$PR_COMMENT"
  post_pr_comment "$PR_COMMENT"
  exit 0
fi

The previous steps require that you have an appropriate ShiftLeft Inspect license and have added the necessary tokens (Org ID, Access Token, and API Token) as environment variables for your GitHub pipelines. You also need to configure a GitHub token for API access. The script above also assumes you have configured your build rules as explained below.
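As an added example (not the post's own main.yml snippet), here is a workflow job that builds the project and then runs sl-analysis.sh with the tokens from the steps above supplied as repository secrets; the Maven build, the branch name and the SHIFTLEFT_* secret names are assumptions.

```yaml
# main.yml (added example; not the post's own snippet). Assumptions: a Maven
# build and secrets named SHIFTLEFT_ORG_ID / SHIFTLEFT_ACCESS_TOKEN / SHIFTLEFT_API_TOKEN.
name: build-and-analyze

# sl-analysis.sh matches GITHUB_SHA against the merge commits of open PRs, so it
# only finds a PR number when the job runs on pull_request events.
on:
  pull_request:
    branches: [ master ]

# Least privilege for the automatic GITHUB_TOKEN: read the code, write PR comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '11'
      - name: Build with Maven
        run: mvn -B package --file pom.xml
      - name: ShiftLeft code analysis
        run: sh ./sl-analysis.sh
        env:
          # Token the script uses for the pulls and issue-comments API calls
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # "owner/repo", the form sl-analysis.sh expects in GITHUB_REPO
          GITHUB_REPO: ${{ github.repository }}
          # ShiftLeft credentials (names assumed); never hard-code them in the workflow
          SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }}
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
          SHIFTLEFT_API_TOKEN: ${{ secrets.SHIFTLEFT_API_TOKEN }}
```

The script's non-zero exit on a failed build rule fails this step, which is what the branch protection rule below turns into a blocking status check.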

Configure Build rules

ShiftLeft Inspect has a powerful build rule feature where you can define the security approval conditions for a merge/pull request. To invoke it during the merge request approval process, check in a file named shiftleft.yml at the root of your project's code repository. A sample code snippet for the shiftleft.yml file is below.

Configure static analysis and run it as a mandatory status check for Git

Making mandatory checks on Git through branch protection

A repository administrator can configure any tool to run as part of a pull request as a mandatory status check. ShiftLeft Inspect code analysis can be made a mandatory status check through branch protection rules.

Bringing it all together

Now we are all set. Here is a quick video of the workflow in action.

You can try ShiftLeft for free by signing up here.
