In today's software development environment, writing secure code is more important than ever before. As the complexity of applications grows, so does the potential for security vulnerabilities. GitHub Advanced Security (GHAS) has emerged as a critical tool for developers, providing them with the means to embed security into the fabric of their code right from the start.
Shifting Left in Security with GHAS
Fixing security issues in production can be costly and time-consuming, whereas addressing them during development is far more efficient and effective. This is where the concept of 'shifting left' in security comes into play. It emphasises integrating security measures early in the software development lifecycle, allowing developers to identify and rectify vulnerabilities before they become entrenched. However, this is often easier said than done, as most developers are not experts in security and may struggle to implement these measures effectively.
GitHub Advanced Security (GHAS) bridges this gap by providing tools that are accessible to developers of all skill levels, enabling them to incorporate security into their code from the outset. GHAS offers early detection and remediation of security flaws, thus preventing them from escalating into major concerns in production.
Understanding GitHub Advanced Security
GHAS is a suite of tools designed to enhance the security of your codebase. It includes features such as code scanning, secret scanning, and dependency review. These tools work together to identify potential security vulnerabilities and provide actionable insights for remediation.
Viewing GHAS Findings in GitHub
Traditionally, GHAS findings are viewed within the GitHub platform:
While this provides a centralised location for security alerts, it requires developers to switch between GitHub and their integrated development environment (IDE), leading to context switching and potential disruptions in workflow.
The good news is that GHAS findings are available in SARIF (Static Analysis Results Interchange Format), an open standard for representing static analysis results. By leveraging the SARIF Viewer extension for Visual Studio Code, developers can view these findings directly within their IDE. This integration allows developers to address security issues without leaving their coding environment, streamlining the workflow and reducing the time taken to remediate vulnerabilities.
Having immediate access to problem details and remediation advice within the IDE is a significant advantage. It allows developers to understand the nature of the security issue and its potential impact, as well as provide guidance on how to fix it. This immediate feedback loop accelerates the remediation process and enhances the application’s overall security.
Leveraging GitHub Copilot
The integration of GHAS with Visual Studio Code also allows leveraging GitHub Copilot for learning and remediation. GitHub Copilot, an AI-powered code completion tool, can suggest code snippets to fix security issues identified by GHAS. This speeds up the remediation process and helps developers learn and apply best security practices.
In the above example, a cross-site scripting (XSS) vulnerability has been detected and the developer can access the Explain using Copilot feature. On the left GitHub Copilot Chat provides a detailed overview of XSS, and of course the conversational style interface allows the developer to ask questions until they have a complete understanding of the issue. It is in this way that a developer who is not a security expert can bridge the gap by leveraging GHAS and Copilot. What about using GitHub Copilot for fixing security vulnerabilities?
In the above example the developer has accessed the Fix using Copilot feature. This feature has suggested a new approach to avoid the XSS vulnerability. On the left in Copilot Chat, the developer was also able to understand the solution by simply highlighting the vulnerable code and asking, “How can I fix the XSS issue?”
Conclusion
Empowering developers to shift left with GitHub Advanced Security is a game-changer in software development. By integrating GHAS findings into Visual Studio Code and leveraging GitHub Copilot, developers can address security issues more efficiently, reducing the risk of vulnerabilities and ensuring a more secure application. This holistic approach not only streamlines the development process but also fosters a culture of proactive security, where developers are equipped with the tools and knowledge to build security into their code from the ground up.
Key Benefits:
Early Detection: Identify and address security vulnerabilities early in the development process.
Seamless Integration: View security alerts directly in the IDE, reducing context switching and streamlining workflow.
AI-Powered Assistance: Leverage GitHub Copilot for code suggestions and learning, speeding up the remediation process.
If you want to learn more about enhancing your development workflow with these tools, check out the following resources. We'd love to hear from you! Share your thoughts and experiences with shifting left in security in the comments below.