Running a Scan as Part of GitHub CI Pipeline
Speaker 1: Welcome to NeuraLegion. In this video, you’ll learn how to integrate the GitHub Actions into your CI pipeline to trigger a NeuraLegion scan on every new commit automatically. NeuraLegion provides several actions on the GitHub Marketplace. The actions allow you to run a scan, wait until a security issue is detected and stop the scan without leaving your development environment. You can configure a YAML file with the available actions and add the file to your pipeline. Once you make a commit to your GitHub Actions pipeline, a scan will be initiated automatically. You can also integrate the scan results into the code scanning alerts. This will significantly facilitate the management of detected issues. In this video you’ll see how the integration works based on a pre-configured demo pipeline.

Let’s start from a quick overview of the YAML file where we’ve already set the actions in a workflow. We’re using two actions which are configured as steps. The first step runs a scan with a name, an API token and a target hostname. In this example, we rerun a previous scan by its ID. The scan ID, as well as the API token, is taken from the NeuraLegion app. These are the basic inputs needed for scan configuration. For a full list of available inputs and expected outputs, check out a specific action on the GitHub Marketplace. Then we proceed to polling the scan status until it returns a detected issue. The wait-for action allows you to follow the fail-fast approach by interrupting the build with the first issue found. Moreover, you can set the severity of the first issue to wait for. In our example, it’s set to "any", meaning that the build will stop automatically once a low, medium or high severity issue is found. You’ll also be able to manage the polling duration by specifying the timeout in seconds. The scan will stop upon the timeout expiration if no issue is detected so far. The GitHub token is a required input for the polling action.
We set the code scanning alerts to true in order to open the detected issue as a code scanning alert that can be viewed and managed in the Security tab for the target of the scan. After you configure a similar file and add it to your pipeline, it’ll trigger a scan on every commit made to that pipeline. Let’s, for example, change the README file in our demo pipeline and push a commit to demonstrate how it works. All right. We’ve just pushed the commit. And now let’s open the Actions tab to check the recent run from our workflow. There we go. The run was initiated successfully and we can track the scan flow. We’ve got an error on the wait-for breakpoint step. The error indicates that some issues were found. Here we can also see that the SARIF results were uploaded to GitHub, so we can open the Security tab to check the detected issue. If the issue is recurring, you’ll be able to view the whole discovery history of it. Now you can integrate the demonstrated actions into your pipeline and enhance the security of your product with every commit. Thanks for watching and happy automated scanning from all of us at NeuraLegion.
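The workflow described in the video, written out as an added example; this is not the demo pipeline's own file. The action names (NeuraLegion/run-scan, NeuraLegion/wait-for), their input and output keys, the permissions block and all token, scan ID and hostname values are assumptions or placeholders; the marketplace page of each action is the authority for the current input list.

```yaml
# Added example workflow, not the video's demo file. Action names, input keys
# and the `id` output are assumptions about the NeuraLegion marketplace actions.
name: NeuraLegion scan on every commit

on: [push]   # a scan starts on every commit pushed to the repository

jobs:
  security-scan:
    runs-on: ubuntu-latest
    # Assumed permissions: uploading SARIF as code scanning alerts needs
    # write access to security events.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3

      - name: Start scan
        id: start
        uses: NeuraLegion/run-scan@v1          # assumed action name
        with:
          # API token taken from the NeuraLegion app, stored as a repository secret
          api_token: ${{ secrets.NEURALEGION_TOKEN }}
          name: GitHub scan ${{ github.sha }}  # scan name shown in the NeuraLegion app
          restart_scan: SCAN_ID_PLACEHOLDER    # rerun a previous scan by its ID (placeholder)
          hostname: HOSTNAME_PLACEHOLDER       # hostname input from the video (placeholder)

      - name: Wait for first issue (fail fast)
        uses: NeuraLegion/wait-for@v1          # assumed action name
        with:
          api_token: ${{ secrets.NEURALEGION_TOKEN }}
          scan: ${{ steps.start.outputs.id }}  # scan ID from the previous step (assumed output name)
          wait_for: any          # stop the build on the first low, medium or high severity issue
          timeout: 600           # polling duration in seconds; the scan stops if nothing is found
          code_scanning_alerts: true   # upload SARIF so issues appear in the Security tab
          github_token: ${{ secrets.GITHUB_TOKEN }}   # required for the polling action
```

The failing wait-for step is the intended behaviour: with `wait_for: any` the job fails as soon as the scanner reports an issue of any severity, and the uploaded SARIF lets you triage that issue from the repository's Security tab rather than from the build log. Keep the API token in a repository or organization secret rather than in the workflow file itself.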