GitHub Actions Security Blog: Pipeline Native Code Analysis

Contrast Security, the leader in next-gen code security, today announced its partnership with GitHub and the availability of its suite of GitHub Actions, simplifying the process for developers to ensure the code they build is free of security vulnerabilities. By partnering with the world’s largest developer community, GitHub, Contrast has made automating security testing within native pipelines far more accessible. Contrast Security's home-grown GitHub Actions enable developers to embed security testing across multiple phases of the development lifecycle. We are kicking off this partnership with our new, four-part blog series detailing how Contrast Security's new GitHub Actions security scan can help automate secure coding with each commit, pull request and deployment.

For part one, we’ll take a deeper look at our new GitHub Action for Contrast Scan, Contrast Security’s static code analyzer solution, with parts two through four diving into how to automate secure code delivery in distributed cloud environments - specifically Amazon’s Elastic Kubernetes Service (EKS) and Microsoft’s Azure Kubernetes Service (AKS), and Azure Spring Cloud.

One of the biggest blockers preventing wider developer adoption of security tools is the stigma of manually scanning, waiting for results, and then sifting through false positives. Contrast has curated our security solutions to enable developers to get secure code moving through their native pipelines by embedding within the tools they already use. The GitHub Action for Contrast Scan allows developers to test their project within their existing GitHub CI/CD environment with no need to switch screens between GitHub and the Contrast UI. Developers can trigger automated security scans with each commit or pull request and receive results directly within their GitHub project. AppSec Managers who are struggling to foster adoption within their development teams can now have the assurance that security is being embedded within their native CI workflows. No need to customize rules and make the hard choice between speed or accuracy. 

Shifting code analysis left within the development process is only as good as the engine behind the results. Thankfully Contrast Scan is purpose-built to be pipeline native. Instead of taking a waterfall approach and scanning monolithic applications, Contrast Scan is engineered to operate within modern pipelines so that developers can make secure code analysis as routine as checking a build or submitting a pull request. Security scans can be initiated through a command-line interface (CLI) option, build automation (e.g., Maven, Gradle), through a simple API call, and now through GitHub Actions.

We can wax poetic about secure code automation all day long, but let’s see Contrast’s GitHub Actions for code analysis in, well…action!

Contrast’s GitHub Actions are available today with support for Java applications, and additional language support is in development including new GitHub Actions for .NET and JavaScript applications. Contrast is also actively investing in developer efficiency and ease-of-use by allowing users to try our products for free by simply registering with their GitHub credentials. More details will be announced in the coming months.  

In the meantime, feel free to check out Contrast DecSec, our online developer community, for some in-depth How-To guides about how you can implement Contrast into your GitHub CI/CD workflows.