Add InsightAppSec Scans into your GitHub Workflow
Scan for vulnerabilities and prevent potential exploits before publishing changes to your production environment by using the InsightAppSec integration with GitHub Actions. You can include InsightAppSec scans in your CI/CD build pipeline workflow by adding the scan action and subsequent steps to your GitHub workflow.
How does this integration work?
Let's walk through the interactions between GitHub, GitHub Actions, and InsightAppSec to better understand this integration.
- An event in GitHub triggers the workflow in GitHub Actions.
- GitHub Actions sends a scan request to InsightAppSec.
- The scan runs in InsightAppSec. You can view progress in both InsightAppSec and GitHub.
- After the scan completes, InsightAppSec sends the scan results back to GitHub, where you can view a summary of the results.
- The workflow advances.
You can add scan gating to prevent vulnerable code from being deployed to production. If there are results from the vuln-query
, the job is marked as failed.
Scan gating
You can set gating criteria with this integration to prevent risky code from entering your production environment. One way to use scan gating is to set build pass/fail criteria for vulnerabilities. When the scan finds vulnerabilities that meet or exceed your gating criteria, you can set a step to follow, such as failing the workflow so that code is not deployed to production.
The scan gating query can be anything the search vulnerability
endpoint can accept, not just limited to severity. For more information, see the InsightAppSec API documentation.
Example: Use scan gating to prevent vulnerable code from being deployed to production.
In this example, we will create a workflow with scan gating so that the build will fail if high severity vulnerabilities are discovered in the scan.
Add a workflow
- In your GitHub repository, click the Actions tab.
- Customize and add the following to a new yaml workflow file, using the
vuln-query
field to set gating criteria:yaml1name: IAS Scan2on:3push:4branches: [ master ]5jobs:6scan:7runs-on: ubuntu-latest8steps:9- id: my-scan10uses: rapid7/insightappsec-scan-github-actions@v1.1.011with:12region: "us"13api-key: ${{ secrets.IAS_API_KEY }}14scan-config-id: "999703e4-a4p0-4ea6-a3sc-53cg789e4fc1"15vuln-query: "vulnerability.severity = 'HIGH'"16- name: Upload findings17if: always()18run: echo "${{ steps.my-scan.outputs.scan-findings }}"
Run a build
- Commit to GitHub.
- The commit starts the build workflow in GitHub Actions.
- In GitHub Actions, the actions are built and deployed.
- GitHub Actions sends a scan request to InsightAppSec.
- The scan runs in InsightAppSec. You can view progress in both InsightAppSec and GitHub.
- After the scan completes, InsightAppSec sends the scan results back to GitHub.
- Depending on your scan and actions configurations, one of the following happens:
- If there are no vulnerabilities that meet your gating criteria, the workflow completes and is published to production.
- If there are one or more vulnerabilities that match your gating criteria, the workflow fails which, in this case, is
severity = High
.
What you'll need
To make your configuration easier, have the following pieces of information available:
- InsightAppSec API key
- Scan Config ID of the InsightAppSec scan that you want to run
Integrate InsightAppSec in GitHub
- Add the InsightAppSec API Key as a secret in GitHub, otherwise the action won't work. See the GitHub documentation for information about adding API keys as secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets
- Access the Rapid7 InsightAppSec action in one of the following ways:
- Search for Rapid7 in the Github Marketplace. Select InsightAppSec Scan and click Use Latest Version.
- Go directly to the Rapid7 repository for the action.
Add the InsightAppSec scan as an action to your GitHub workflow
In your GitHub workflow YML file, add the following to the jobs:
section, using your own details:
yaml
1scan:2runs-on: ubuntu-latest3steps:4- id: my-scan5uses: rapid7/insightappsec-scan-github-actions@v1.1.06with:7region: "us"8api-key: ${{ secrets.IAS_API_KEY }}9scan-config-id: "999703e4-a4p0-4ea6-a3sc-53cg789e4fc1"10vuln-query: "vulnerability.severity = 'MEDIUM'"11- name: Upload findings12if: always()13run: echo "${{ steps.my-scan.outputs.scan-findings }}"
Update to a new version
When a new version of the extension is available, manually update the uses:
value in the yaml file with the new version number.
How will I know if there's a new version available?
The InsightAppSec release notes will include any updates to the extension. You can also check GitHub Marketplace for updates.
When an update is applied, manually update the version in the yaml file for the action.
View results
During the scan, you can view scan progress in both GitHub and InsightAppSec on the Scanning Activity page.
When the scan completes and the results are automatically sent back to GitHub, you can view your results in the build results and in InsightAppSec.