GitHub Actions

GitHub announced its own CI/CD system, GitHub Actions, which is integrated directly into the GitHub user interface. We added RIPS to the GitHub Marketplace, which enables you to integrate our leading code analysis directly into your GitHub workflow. It works as a security gateway and fails your build if RIPS finds new security vulnerabilities.

Setting up a new workflow is quickly done via the Actions tab of your repository. GitHub automatically creates a new configuration file (YAML) in your .github/workflows directory. In the following, we show you how to modify this configuration file to add RIPS as a build step.

Configuration

To use the rips/github-action-scan@v1 action, your project must first be checked out into the working directory. This is done in lines 2 to 4. Since RIPS does not need the project history for the analysis, we recommend fetching only the latest commit (fetch-depth: 1) to reduce the upload size.

.github/workflows/example-workflow.yaml

 1  steps:
 2  - uses: actions/checkout@v1
 3    with:
 4      fetch-depth: 1
 5  - uses: rips/github-action-scan@v1
 6    env:
 7      RIPS_BASE_URI: "https://api-3.ripstech.com"
 8      RIPS_EMAIL: ${{ secrets.RIPS_EMAIL }}
 9      RIPS_PASSWORD: ${{ secrets.RIPS_PASSWORD }}
10    with:
11      application-id: 923
12      additional-parameters: --threshold critical:0

Next, we configure the actual analysis step. Your RIPS credentials are secrets and have to be configured in the settings of the repository, from where they are read in lines 7 to 9; they never appear in the workflow file itself. More information about handling secrets in GitHub can be found here. RIPS also needs to know which application you want to use for storing the analysis results (line 11). You can retrieve the application-id from the RIPS user interface.

In this example, in line 12, we decide whether a build should fail based on the number of critical issues that RIPS finds during the code analysis. This is configured with the additional-parameters setting. The syntax of the threshold parameter is described in the manual of the rips-cli tool in the section rips:scan:start. As soon as the number of critical issues found exceeds the threshold, the build fails, so that new critical issues cannot be merged.

Figure 1: Example of a failed build because of too many detected security issues.
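The post shows only the steps of the job. As an added example (not a file from the original post or from RIPS), here is a complete workflow file that wraps those steps; the workflow name, the trigger, the job name and the runner are assumptions, while the action inputs and environment variables are exactly those shown above.

```yaml
# Added example: a complete .github/workflows file around the steps from the post.
# Assumed: the workflow name, the push/pull_request trigger, the job name and the runner.
name: RIPS security scan

on:
  push:
    branches: [ master ]
  pull_request:

# Least-privilege token for the job: the scan only needs to read the checked-out code.
permissions:
  contents: read

jobs:
  rips-scan:
    runs-on: ubuntu-latest
    steps:
      # Shallow checkout: RIPS does not need the history, so fetch-depth: 1 keeps the upload small.
      - uses: actions/checkout@v1
        with:
          fetch-depth: 1

      # Credentials are read from repository secrets; they are never written into this file.
      - uses: rips/github-action-scan@v1
        env:
          RIPS_BASE_URI: "https://api-3.ripstech.com"
          RIPS_EMAIL: ${{ secrets.RIPS_EMAIL }}
          RIPS_PASSWORD: ${{ secrets.RIPS_PASSWORD }}
        with:
          application-id: 923
          # Fail the build as soon as the number of critical issues exceeds 0.
          additional-parameters: --threshold critical:0
```

Because the job also runs on pull_request, a change that introduces a critical issue is flagged on the pull request itself, before it is merged.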

Summary

The RIPS Security Analysis action for GitHub allows integrating RIPS seamlessly into your build process for automated security scans within a few minutes. This integration enables you to uncover real security threats in your application’s source code before these are deployed to production systems.