GitHub Integration

GitHub integration with FlyingDuck allows you to display an inventory of the repositories within your organization and identify misconfigurations. It also lists the libraries each repository uses, identifies their associated vulnerabilities, and detects hard-coded sensitive information in the code for every commit that is made. Additionally, you can perform Static Application Security Testing (SAST), which scans the source code for security vulnerabilities.

To integrate GitHub and receive insights at each commit level, follow these steps:

Install App

On the Integrations page, click on GitHub to start integration.

GitHub Integrate

In the Install App section, enter your GitHub organization name in the input field and click the Proceed to Install button.

GitHub Configure

You will now be redirected to the GitHub app installation page shown below. The app now needs to be configured; to do that, click the Configure button.

Configure button on GitHub

Choose the GitHub organization to which you want to install the app and receive insights.

Install Scanner on github

Select the repositories to be configured according to your requirements. If you want to scan all repositories, select the All repositories option; otherwise select only the ones you need. Then click Install. The All repositories option is recommended for complete coverage. Only read-only permissions are requested for the repositories.

Select repositories and click install

You will be redirected back to the FlyingDuck portal to check the status of your installation. If successful, proceed to the next step. If not, contact our support team.

Integration successful

Active Branches

In the Active Branches section, specify the branches most frequently used in your environment. This ensures that code is scanned for vulnerabilities in early development environments, allowing issues to be identified and resolved before reaching production, where fixes can be more costly.


Click on Save and the branches are saved.


API Key

The API key is used to authenticate your GitHub integration with FlyingDuck and to send data to be shown in the portal. If you already have an API key available, click Skip. Otherwise, create a new key by assigning it a name and clicking Generate API key. Please note that only two API keys can be created within an organization. If you wish to create more, you will need to deactivate the previous ones.


Store the key confidentially as it will only be shown once. Click Next to proceed.


Code Scan

Code scan can be performed in two ways in FlyingDuck.

  • Workflows
  • On-premise runner

Code Scan

GitHub workflow

GitHub workflows automate tasks by running one or more jobs. To configure a GitHub workflow, follow the steps below.

Select the GitHub Workflow option to configure the DuckDefender agent by adding the YAML file, which can be downloaded from the FlyingDuck portal or copied from the code snippet below.

GitHub workflow

DuckDefender.yml
env:
  docker_tag: flyingduckio/duckdefender:latest

# This is a basic workflow to help you get started with GitHub Actions
name: DuckDefender

# Triggers the workflow on push events, but only for the critical branches
on:
  push:
    branches: [ "master", "main", "release", "develop" ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  build:
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
    - uses: actions/checkout@v3

    # Download the image from Docker Hub
    - name: Download latest DuckDefender
      run: docker pull "${{env.docker_tag}}"

    # Each continued line of the docker run command ends with a backslash;
    # without it the shell would treat every -e flag as a separate command
    - name: Run DuckDefender
      run: |
        docker run -e GITHUB_REPOSITORY_OWNER="${{github.repository_owner}}" \
          -e GITHUB_REPOSITORY_OWNER_ID="${{github.repository_owner_id}}" \
          -e GITHUB_REPOSITORY="${{github.repository}}" \
          -e GITHUB_REPOSITORY_ID="${{github.repository_id}}" \
          -e GITHUB_EVENT_NAME="${{github.event_name}}" \
          -e GITHUB_ACTOR="${{github.actor}}" \
          -e GITHUB_ACTOR_ID="${{github.actor_id}}" \
          -e FD_API_KEY="${{secrets.FD_API_KEY}}" \
          -e GITHUB_TOKEN="${{github.token}}" \
          -e GITHUB_HEAD_REF="${{github.head_ref}}" \
          -e GITHUB_BASE_REF="${{github.base_ref}}" \
          -e GITHUB_REF="${{github.ref}}" \
          -e GITHUB_SHA="${{github.sha}}" \
          -e WORKSPACE_PATH="/src" \
          -v "${{ github.workspace }}":/src "${{env.docker_tag}}"

Here, replace the "branches" value with the names of the branches commonly used for development in your environment. These are the branches for which you want code scans to run.

Create the .github/workflows directory and add the duckdefender.yml file to it as .github/workflows/DuckDefender.yaml.

Add API Key to the Repository

Before committing any changes, there is an additional step to take, which involves adding the API key to the repository.

Navigate to the GitHub repository (GitHub → GitHub Organization → GitHub Repository) and click on Settings of the repository.

Repo Settings

In the left navigation pane, under Security, click Secrets and variables, then click Actions.

Repo Secrets

Click on New repository secret.

New repo Settings

Enter the secret name as FD_API_KEY and paste the created API key in the Secret box. This ensures that the authentication from GitHub to FlyingDuck is established for the repository. This step must be completed for all repositories selected for scanning.

Add Secret


After adding the YAML file and configuring the API key, commit the changes. If the branch you committed to is listed in the YAML file, a code scan will run and the results will be sent to the FlyingDuck portal for viewing.

Repeat the same procedure for the other repositories.
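As an added example, not part of the FlyingDuck documentation or the DuckDefender agent, the following Python check can be run over a DuckDefender workflow file before it is committed. It confirms that the push trigger covers every active branch, that FD_API_KEY is taken from the repository secret rather than pasted in as a literal, and that each continued line of the docker run command ends with a backslash. Both sample workflows are constructed for the example.

```python
import re

# Constructed sample: branches and secret wired up as the guide describes.
GOOD_WORKFLOW = """\
on:
  push:
    branches: [ "master", "main", "release", "develop" ]
jobs:
  build:
    steps:
    - name: Run DuckDefender
      run: |
        docker run -e FD_API_KEY="${{secrets.FD_API_KEY}}" \\
          -e LOG_LEVEL="debug" \\
          -v "${{ github.workspace }}":/src flyingduckio/duckdefender:latest
"""

# Constructed sample with the three mistakes the check is meant to catch.
BAD_WORKFLOW = """\
on:
  push:
    branches: [ "master", "main" ]
jobs:
  build:
    steps:
    - name: Run DuckDefender
      run: |
        docker run -e FD_API_KEY="fdk_CONSTRUCTED_PLACEHOLDER_VALUE"
          -v "${{ github.workspace }}":/src flyingduckio/duckdefender:latest
"""

BRANCHES_RE = re.compile(r'branches:\s*\[([^\]]*)\]')
FD_KEY_RE = re.compile(r'FD_API_KEY="([^"]*)"')
SECRET_REF_RE = re.compile(r'^\$\{\{\s*secrets\.FD_API_KEY\s*\}\}$')

def workflow_branches(yaml_text):
    """Return the branch patterns listed under push.branches (empty if absent)."""
    m = BRANCHES_RE.search(yaml_text)
    if not m:
        return []
    return [b.strip().strip('"\'') for b in m.group(1).split(',') if b.strip()]

def check_workflow(yaml_text, active_branches):
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    missing = [b for b in active_branches if b not in workflow_branches(yaml_text)]
    if missing:
        findings.append("active branches not scanned: " + ", ".join(missing))
    key_values = FD_KEY_RE.findall(yaml_text)
    if not key_values:
        findings.append("FD_API_KEY is not passed to the container")
    for value in key_values:
        if not SECRET_REF_RE.match(value):  # a literal key would be committed to git
            findings.append("FD_API_KEY is hard-coded; use ${{ secrets.FD_API_KEY }}")
    lines = yaml_text.splitlines()
    for i in range(1, len(lines)):  # every -e/-v line needs a continued previous line
        if lines[i].strip().startswith(("-e ", "-v ")) and not lines[i - 1].rstrip().endswith("\\"):
            findings.append("line %d: missing line continuation before %s" % (i + 1, lines[i].strip()[:2]))
    return findings
```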

Custom Branch

If you wish to commit changes to a custom branch like feature/* or bug/* and review the findings specific to that branch, include the branch name in the duckdefender.yml file.

DuckDefender.yml

# Triggers the workflow on push events, but only for the critical branches
on:
  push:
    branches: [ "master", "main", "release", "develop", "feature/*", "bug/*" ]

Troubleshoot

The debug option is used to understand what is happening within a particular command. If you need to troubleshoot, pass the environment variable LOG_LEVEL="debug" to the container by adding it to the docker run command in the file, as shown below.

DuckDefender.yml
env:
  docker_tag: flyingduckio/duckdefender:latest

# This is a basic workflow to help you get started with GitHub Actions
name: DuckDefender

# Triggers the workflow on push events, but only for the critical branches
on:
  push:
    branches: [ "master", "main", "release", "develop" ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  build:
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
    - uses: actions/checkout@v3

    # Download the image from Docker Hub
    - name: Download latest DuckDefender
      run: docker pull "${{env.docker_tag}}"

    # Each continued line of the docker run command ends with a backslash;
    # LOG_LEVEL="debug" turns on verbose agent logging for troubleshooting
    - name: Run DuckDefender
      run: |
        docker run -e GITHUB_REPOSITORY_OWNER="${{github.repository_owner}}" \
          -e GITHUB_REPOSITORY_OWNER_ID="${{github.repository_owner_id}}" \
          -e GITHUB_REPOSITORY="${{github.repository}}" \
          -e GITHUB_REPOSITORY_ID="${{github.repository_id}}" \
          -e GITHUB_EVENT_NAME="${{github.event_name}}" \
          -e GITHUB_ACTOR="${{github.actor}}" \
          -e GITHUB_ACTOR_ID="${{github.actor_id}}" \
          -e FD_API_KEY="${{secrets.FD_API_KEY}}" \
          -e GITHUB_TOKEN="${{github.token}}" \
          -e GITHUB_HEAD_REF="${{github.head_ref}}" \
          -e GITHUB_BASE_REF="${{github.base_ref}}" \
          -e GITHUB_REF="${{github.ref}}" \
          -e GITHUB_SHA="${{github.sha}}" \
          -e WORKSPACE_PATH="/src" \
          -e LOG_LEVEL="debug" \
          -v "${{ github.workspace }}":/src "${{env.docker_tag}}"

Comparison with On-Premise runner

GitHub workflows run based on the allocated minutes. Once these minutes are consumed, workflows will stop, and code scans cannot be performed.

Additionally, workflows are triggered only when a commit is made. On-demand code scans are not possible.

Workflows operate only on the branches listed in the duckdefender.yml file. New branches, and code pushed to them, will not be scanned unless the duckdefender.yml file is updated each time. To address these limitations, we have introduced another feature: the On-Premise runner.

On-premise Runner


Refer to the On-premise Runner page for setup instructions.