As a long-time developer and architect, security is important in everything I do. Having clean code and up-to-date libraries helps, but there are new vulnerabilities every day. One of the main concepts of DevOps is shifting left on things like testing and security. Shifting left means doing things as early in the process as possible to improve quality and security.
Many people also don’t consider where their code is hosted beyond whether it comes bundled with other software or supports git or TFVC. I think that GitHub has changed that discussion completely by incorporating many security and developer-focused features that enable a shift-left mentality. Common maintenance tasks can be automated, and every check-in can be scanned for secrets and vulnerabilities. These features are in addition to any quality checks you add to your normal pipelines.
GitHub also has strong integrations with multiple platforms and systems. GitHub lets me integrate with Azure DevOps for Boards and Pipelines or other systems. This lets me keep my current workflow while upgrading my security and quality.
Let’s look at three of the features that can Shift Left on Security and help us develop better software.
Software is always changing, including our dependencies. Not putting the time or effort into upgrading packages, libraries, and other dependencies can lead to vulnerabilities in our software. Dependabot takes care of that work for you. Dependabot can automatically update packages from npm, nuget, pip, docker and more. Dependabot automatically scans for outdated packages and uses semantic versioning (semver) to decide whether it should update a package. If Dependabot finds something that needs updating, it creates a pull request (PR) updating the package reference. The pull request includes the changelog of the package, release notes, and sometimes a compatibility score to let you know if updating the package might cause issues. You can verify your tests pass and merge with confidence.
Enabling Dependabot is as easy as visiting the Security & Analysis section of the settings.
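The settings toggle above enables security updates; the version-update behaviour described in the previous paragraph can also be declared in a `.github/dependabot.yml` file. The configuration below is an added example, not from the original post, and the schedule, directories, labels and ignored package name are assumptions chosen to illustrate the npm, nuget, pip and docker ecosystems the post mentions.

```yaml
# .github/dependabot.yml (added example; paths and schedule are assumptions)
version: 2
updates:
  # npm: check weekly, keep the number of open PRs manageable
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels: ["dependencies", "security"]
    ignore:
      # let semver guard breaking changes: skip major bumps for this (hypothetical) package
      - dependency-name: "example-ui-framework"
        update-types: ["version-update:semver-major"]

  # NuGet: project file lives in a subdirectory in this example
  - package-ecosystem: "nuget"
    directory: "/src/WebApp"
    schedule:
      interval: "weekly"

  # pip: requirements.txt at the repo root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

  # docker: keeps the base image tag in the Dockerfile current
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # also keep the actions used in workflows pinned to current releases
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each entry produces its own pull requests, so CI runs against every proposed bump before anything is merged.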
Anyone with access to a repository that has secrets checked in could use that information to access the services leading to anything from a data breach to out-of-control costs. There used to be stories all over the news about checked-in keys and secrets being used to create VMs and resources for bitcoin mining, causing massive cloud bills or unauthorized access to systems and data. Many of these scenarios are automatically stopped now by catching keys as they go into repositories.
GitHub automatically scans every public repository for known types of secrets. Every push is scanned for credentials, tokens, secrets or keys from many service providers like Azure, AWS, Google Cloud, npm, nuget and more.
GitHub has partnered with those service providers to check if the credentials are valid, potentially revoking or reissuing credentials. This is a very common way attackers target organizations and GitHub’s solution helps prevent it.
One of the newest features is Code Scanning and GitHub Advanced Security. This builds on the amazing work of Semmle and CodeQL. There are thousands of CodeQL queries written by GitHub and security researchers identifying CVEs (Common Vulnerabilities and Exposures) and other security issues. Code Scanning works by scanning your code with CodeQL, where your code is treated like data. CodeQL can identify security issues including variants across your codebase. Code Scanning integrates with GitHub Actions to ensure that every check-in is safe.
Code scanning is free for public repositories. For private repositories, code scanning is available to GitHub Enterprise through Advanced Security. To enable Code Scanning, go to the Security tab of the repository. Here you can click Set up code scanning and create a workflow that scans your code.
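The "Set up code scanning" button generates a GitHub Actions workflow along the lines of the one below. This is an added example, not the generated file itself; the branch name, cron schedule, language matrix and action versions are assumptions.

```yaml
# .github/workflows/codeql-analysis.yml (added example; branches, schedule and versions are assumptions)
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # weekly run catches newly published queries even when no code changed
    - cron: "0 6 * * 1"

# least privilege: the job only needs to read code and upload SARIF results
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # one job per language so a failure in one does not hide results for the other
        language: [ "javascript", "csharp" ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # broader suite than the default; trades a few more alerts for wider coverage
          queries: security-extended

      # builds compiled languages (C#) so CodeQL can extract the database
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Results appear as alerts under the repository's Security tab, and findings on a pull request are annotated on the changed lines.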
The three capabilities I discussed are a small slice of the security focus GitHub brings to development. DevSecOps, adding a security focus to DevOps, is gaining a lot of traction and attention. In addition to securing your code and repositories, you should secure your pipelines and environments. The Microsoft Business Group has helped many organizations set up GitHub, migrate code and pipelines, and leverage GitHub Actions to build and deploy their code. We have the expertise to help make your migration or DevSecOps efforts successful. Contact us today to help improve your Software Delivery Performance.
About the Author
Chris Ayers is the Regional Lead for the Intelligent Cloud practice. Chris focuses on both Azure and DevOps. His goal is to deliver value to end users faster and to develop features more quickly, with higher quality and more confidence. Chris has been developing software of some kind since second grade. Chris has always tried to learn and share industry best practices around software development, software architecture, and agile practices. Chris enjoys spending time with family, playing video games, playing board games, reading, mentoring others, blogging, and public speaking.