Home - EL-Kae/SAST_DAST_Tools GitHub Wiki

Welcome to the wiki!

This is where I'll document my SAST and DAST tools. As a security engineer I was in charge of setting up the application security program from scratch. At the time, the company I was with stored its code in GitHub. I wrote these 2 scripts to set up SAST and DAST. I wrote this from the perspective of a security engineer; however, any developer can take these pipeline scripts and place them into their projects.

Why use this tool?

So... you have meandered into the wiki and are now wondering why you should use this tool over the thousands available elsewhere. I'll give you 5 reasons why.

1. Security testing automated

These tools let your teams automate application security testing. They automatically run security scans and report the findings directly to the developers, taking the security team out of the loop. The scripts are set to run any time code is pushed to the main or dev branch, and on a schedule 3 times a year; both triggers can be changed in the code. The scans can also be run manually. This model scales well, especially if you are bringing in more developers or third-party consultants. The only manual step is placing the scripts into the repo, and ideally the developers should do that themselves, since they are the owners of the codebase. No words are sweeter than "set it and forget it".

2. SARIF Reporting

The main reason I chose to dedicate time to these scripts is that every alert generated gets pushed back into GitHub. This is what sets these tools apart from most other security solutions. At the end of the day it's the software engineers who need to see these alerts and address them. Instead of making them log into yet another application, the findings are delivered to a page they're always on: the repo page of their project. Yes, even the DAST alerts are converted into SARIF (even though SARIF, the Static Analysis Results Interchange Format, was designed for findings tied to source files rather than to URLs, so this is a bit of a stretch).
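Here is what that DAST-to-SARIF conversion looks like in practice, as an added example (this is not the wiki project's own script). It assumes a constructed, generic DAST output shape (one record per finding with rule_id, name, risk, url and description; real scanners each have their own format, so the loading side would need adapting). The point it shows is the workaround the paragraph hints at: GitHub code scanning displays each result against a file path and line, which a DAST finding does not have, so the URL path is used as the artifact location with a placeholder line, and a stable fingerprint keeps the same finding from reopening as a new alert on every upload.

```python
"""Convert URL-based DAST findings into a SARIF 2.1.0 log for GitHub code scanning.

Added example, not the wiki project's own script. The input shape below is a
constructed, generic DAST-style record; adapt it to your scanner's real output.
"""
import hashlib
import json
from urllib.parse import urlparse

# DAST risk strings -> SARIF result levels. SARIF only allows
# "none", "note", "warning" and "error"; anything unknown falls back to "warning".
LEVELS = {"high": "error", "medium": "warning", "low": "note", "informational": "note"}

# Constructed sample input (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule_id": "10038", "name": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "https://app.example.test/login",
     "description": "The response does not set a Content-Security-Policy header."},
    {"rule_id": "90033", "name": "Loosely Scoped Cookie",
     "risk": "Informational", "url": "https://app.example.test/",
     "description": "A cookie is scoped to a parent domain."},
    {"rule_id": "10038", "name": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "https://app.example.test/account/settings?tab=1#top",
     "description": "The response does not set a Content-Security-Policy header."},
]


def url_to_artifact(url: str) -> str:
    """Map a URL to a SARIF artifactLocation.uri (a path relative to the repo root).

    DAST has no source file, so the URL path stands in for one. The query string
    and fragment are dropped so the same page always collapses to one artifact,
    and the site root becomes "index" so the uri is never empty.
    """
    return urlparse(url).path.strip("/") or "index"


def fingerprint(rule_id: str, artifact: str) -> str:
    """Stable hash of (rule, artifact) used as a SARIF partialFingerprint so
    GitHub tracks the alert across uploads instead of opening a new one per run."""
    return hashlib.sha256(f"{rule_id}|{artifact}".encode()).hexdigest()[:32]


def to_sarif(findings: list[dict], tool_name: str = "dast-scanner") -> dict:
    """Build a SARIF 2.1.0 document with one run, deduplicated rules and one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        rid = str(f["rule_id"])
        level = LEVELS.get(str(f["risk"]).lower(), "warning")
        if rid not in rule_index:  # each rule appears once in tool.driver.rules
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "name": f["name"],
                "shortDescription": {"text": f["name"]},
                "fullDescription": {"text": f.get("description", f["name"])},
                "defaultConfiguration": {"level": level},
            })
        artifact = url_to_artifact(f["url"])
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": level,
            "message": {"text": f"{f['name']} at {f['url']}"},
            # GitHub needs a physicalLocation to display the alert; line 1 is a placeholder.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": artifact},
                "region": {"startLine": 1},
            }}],
            "partialFingerprints": {"primaryLocationLineHash": fingerprint(rid, artifact)},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


if __name__ == "__main__":
    # Write the log to disk; a workflow step would then upload it to code scanning.
    with open("dast.sarif", "w") as fh:
        json.dump(to_sarif(SAMPLE_FINDINGS), fh, indent=2)
```

The two CSP findings share a rule but land on different artifacts, so they become two alerts with different fingerprints; a re-scan of the same pages produces the same fingerprints and updates the existing alerts rather than duplicating them.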

3. IT'S FREE!

These tools can be set up on any public project on GitHub for free, so just give it a try. For private projects a GitHub Advanced Security license is needed.

4. Supports over 20 programming languages

These scripts are just aggregators of other tools. The underlying tools are popular open source scanners, listed here. They are tested and recommended by both GitHub and GitLab. All of them come from verified creators, not just some person in their basement. To be honest, I just (shamelessly) copied GitLab's game plan 😈.

5. QA

CodeQL can scan for quality-assurance findings in addition to security vulnerabilities (its security-and-quality query suite, rather than the default security-only queries). This is useful if you don't have an in-house QA team or have to rely on a third party. Developers can use it to find their own errors first and cut down the time it takes to get to production. Just like the security alerts, the QA alerts are pushed back into the repo page. The downside, of course, is that the tool generates more alerts.

Restrictions

As mentioned in the "IT'S FREE!" section, it's only free for public projects. Furthermore, it's only for projects living in GitHub. For Bitbucket there is always SonarQube, and you're lucky if you and/or your company are already on GitLab 🙄. Really, who uses anything other than these 3?

Closing Thoughts

GitHub is building up CodeQL and its advanced security product. For example, when I first wrote these scripts CodeQL didn't cover Android or iOS code; now that coverage is in beta. Furthermore, GitHub recently allowed developers to deploy CodeQL without needing to write the pipeline themselves. However, you're still limited to certain languages and rulesets: you're out of luck if you use Terraform or PHP. One day I'd like to see these tools become obsolete and have GitHub offer everything in-house, but it's not there yet. These SAST and DAST scripts are the figurative band-aid GitHub users need now.