Github Action for Javascript Vulnerability Scanning

mattorb

Matt Smith

Posted on January 30, 2020

Cover photo credit: gisela-bonanno

Part of what this web site serves is 3rd party javascript libraries. The libraries included in a page are a mash-up of libraries and dependencies from a few sources.

Those libraries occasionally have security vulnerabilities disclosed. In our last post, we put in automatic checks around performance of the site. Now, let's do something to detect Javascript library vulnerabilities.

The Github Action

I found this project and whipped up the changes necessary to turn it into a Github Action. Thanks Liran! Thanks too to Snyk, which provides the vulnerability list.

I adapted an existing Docker container, wrapping a Github action around it. One way to do this without overly leaking the Github Actions contract into the container design is to map Github action parameters to environment variables and args that are agnostic and already expected by the container, like so:

```yaml
env:
  SCAN_URL: ${{ inputs.scan-url }}
```

... where inputs.scan-url comes from the Github Action contract (as a 'parameter') and 'SCAN_URL' is an environment variable that already works with the existing Docker container. This is in contrast to having the container need to understand how to look for the 'INPUT_' prefixed vars that a Github Action provides by default (ref: github docs). If you don't want to, or can't, modify the existing Docker container, this is an option.

The container does still need to exit with an error to cause a Github Action to fail though. I had to modify the underlying Javascript code to accommodate that. There would not be much value in an automatic check that always passes.
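The two bits of glue described above, as an added example that is not the is-website-vulnerable project's own code: resolving the scan target from the agnostic SCAN_URL (falling back to the INPUT_ form GitHub provides) and turning scan results into the non-zero exit code the action needs. The result shape `{ vulnerabilities: [...] }` and the sample findings are assumptions constructed for the example.

```javascript
// Added example, not the scanner's real code. Assumes a hypothetical result
// shape { vulnerabilities: [{ library, version, severity, id }] }.

// 1. Resolve the URL to scan. The container only knows SCAN_URL; an action
//    that did not map its inputs would expose INPUT_SCAN_URL instead, so we
//    accept that as a fallback without making the container depend on it.
function resolveScanUrl(env) {
  const raw = env.SCAN_URL || env.INPUT_SCAN_URL;
  if (!raw) throw new Error('no scan URL: set SCAN_URL (or action input scan-url)');
  const url = new URL(raw); // throws on malformed input
  if (!['http:', 'https:'].includes(url.protocol)) {
    throw new Error(`unsupported protocol: ${url.protocol}`);
  }
  return url.href;
}

// 2. Map scan results to a process exit code. GitHub Actions only marks the
//    step failed on a non-zero exit, so findings must not exit 0. The
//    optional severity floor lets a team decide what blocks the build.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

function exitCodeFor(results, minSeverity = 'low') {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const failing = (results.vulnerabilities || []).filter(
    (v) => (SEVERITY_RANK[v.severity] || 0) >= floor,
  );
  return failing.length > 0 ? 1 : 0;
}

// Constructed sample result in the hypothetical shape above (not real findings).
const SAMPLE_RESULTS = {
  url: 'https://example.com',
  vulnerabilities: [
    { library: 'lib-a', version: '1.0.0', severity: 'medium', id: 'CONSTRUCTED-1' },
    { library: 'lib-b', version: '2.3.4', severity: 'high', id: 'CONSTRUCTED-2' },
  ],
};

// Stand-alone demo: the sample has findings, so the gate would fail the step.
console.log(`sample scan exit code: ${exitCodeFor(SAMPLE_RESULTS, 'low')}`);
```

In the real container the last line would be `process.exitCode = exitCodeFor(scanResults)` after the scan of `resolveScanUrl(process.env)` completes.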

Now that we have the action, we use it by creating a workflow file in .github/workflows/javascript_vulnerability_check.yml :

```yaml
name: Test site for publicly known js vulnerabilities

on:
  push:
    branches:
    - master # Check on every commit to master
  schedule:
    - cron: '0 13 * * 6' # Check once a week regardless of commits
  repository_dispatch:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Testing for public javascript library vulnerabilities
        uses: mattorb/is-website-vulnerable@github-action_v1 # until PR to original repo is merged
        with:
          scan-url: "https://mattorb.com"
```

With that in place, we see the following check run after each commit, and once a week for good measure:

[Image: the check run for the Github Action]

Shift security left!

So. Awesome.

Now we at least have some awareness if any of the following happens:

  • A change we make introduces a library with a vulnerability
  • A change introduced by 3rd party dependency introduces a library with a vulnerability
  • No change is made at all, but a vulnerability is discovered and published for a JS library we were already using.

Automatic checks for the win!
