Oct 5, 2020

Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning

By Meaghan Mcbee

Developers face a bevy of roadblocks in their race to meet tight deadlines, which means they often pull from risky open source libraries and prioritize security flaws on the fly. In a recent ESG survey report, Modern Application Development Security, we saw that 54% of organizations push vulnerable code just to meet critical deadlines, and while they plan for remediation in a later release, lingering flaws only add to risky security debt. With speed a critical factor in what makes or breaks the success of your application deployments, the health of your code – and your security – is on the line.

GitHub Actions are an intuitive way to solve the need for speed without sacrificing quality, helping your developers stay on schedule by enabling them to build, test, and deploy code directly from GitHub. And with over 50 million developers on GitHub, plus more than 200,000 automated fixes merged into GitHub repositories since May of 2019, it’s clear that GitHub is a hotspot for developers. When paired with the right application security (AppSec) scan types and SaaS-based approaches, this integration makes GitHub Actions an invaluable part of your development team’s workflow.

That’s why we’re excited to announce our new GitHub Action to help streamline your AppSec workflow for the developers on your team. The action is directly embedded within the native GitHub code scanning user interface, ensuring your DevSecOps practices are seamless, efficient, and effective. By making Veracode’s AppSec tools accessible in a familiar interface like GitHub, developers on your team can jump right into secure coding with critical testing and analysis that won’t halt projects or slow production down.

The Veracode solution to enhanced workflows

Developers can perform Veracode’s Static Policy Scan or Pipeline Scan and see the results of that scan within the GitHub Security tab. The ability to invoke Veracode’s Static Analysis (SAST) scans from within their own GitHub projects significantly expands the testing capability for developers leveraging GitHub workflows, and allows them to build security into their DevOps processes to scale development across their team.

That’s less downtime and fewer bottlenecks for faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), Veracode’s multi-scan and SaaS-based solutions mean that our customers have a leg up when it comes to harnessing GitHub Actions for speed and efficiency.

This functionality comes as part of the GitHub code scanning launch, with our GitHub Action available in the GitHub Marketplace. “Veracode is a leader in application security and truly understands the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale,” says John Leon, VP of Business Development at GitHub. “With software development moving at breakneck speed, this new GitHub Action further enables our joint customers to develop secure software, without compromising speed or quality – all within a familiar interface.”

My Code, Our Code, Production Code

Veracode’s Static Analysis solution was a natural addition to GitHub’s new code scanning feature as it enables DevSecOps with fast, automated, and actionable security feedback. This feedback is delivered directly to developers in their pipeline through each critical My Code, Our Code, and Production Code stage.

Working within the GitHub environment, your developers have the control they need. Scan results are converted into GitHub code scanning alerts and developers receive clear remediation advice to keep their projects moving forward with fewer delays. Once code is at the deployment stage, the Veracode Policy Scan provides a robust assessment of your application code – and an audit trail for compliance to prove security efforts.
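To make the workflow described above concrete, here is an added example of a GitHub Actions workflow (not from the post and not Veracode’s own configuration) that runs a static scan on every push and pull request and publishes the findings to the repository’s Security tab as code scanning alerts. The post does not name the Veracode action or its inputs, so the scan step is a labelled placeholder to be replaced with the Marketplace listing; the assumptions are that the scan step writes a SARIF file (the format GitHub code scanning ingests) at `results.sarif`, and that `./build.sh` is the project’s build script. The `actions/checkout` and `github/codeql-action/upload-sarif` actions and the `security-events: write` permission are real GitHub features.

```yaml
# Added example (not from the post or from Veracode): run a SAST scan in
# GitHub Actions and surface the results as code scanning alerts.
name: static-analysis

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the repository and write
# code scanning alerts. No other GITHUB_TOKEN scopes are granted.
permissions:
  contents: read
  security-events: write

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Assumed build step producing the artifact the scanner analyses;
      # replace with the project's real build command.
      - name: Build
        run: ./build.sh   # hypothetical build script

      # PLACEHOLDER: the Veracode action and its inputs are not given in
      # the post; take the action reference and inputs from its GitHub
      # Marketplace listing. Assumption: the step writes results.sarif.
      - name: Run Veracode static scan (placeholder)
        uses: VERACODE_ACTION_FROM_MARKETPLACE   # placeholder, not a real reference

      # Upload the SARIF file so findings become code scanning alerts.
      # upload-sarif accepts any SARIF 2.1.0 file, not only CodeQL output.
      # `if: always()` keeps the alerts flowing even when the scan step
      # fails the job because of a policy violation.
      - name: Upload results to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif   # assumed output path of the scan step
```

Two points worth checking when adapting this: the `security-events: write` permission is required for the upload step, and a scan that fails the job should still upload its results, otherwise the Security tab silently shows nothing for exactly the builds that matter most.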

Veracode scan results (from more than 15 trillion lines of code to date) are highly accurate as a result of the intelligence of our SaaS platform, meaning there’s no need for manual tuning when you need to adjust course. Ready to scale your DevSecOps initiatives for efficiency? Visit the GitHub Marketplace to get started.

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.