GitHub gets a lot of love from most developers, and the team here at Anchore are no exception.
Deemed worthy of its own top-level tab in every repo, Actions is GitHub’s newest tool for automating your software workflows with world-class CI/CD. Users get DevOps pipelines with the ability to build, test, and deploy code directly from GitHub.
Add in Anchore to this already heady cocktail, and GitHub Actions can now deliver a practical DevSecOps workflow – straight from the repo.
This ensures that, when your container is ready to deploy into any environment, it has had a rigorous security scan. You deploy the code you intend to and nothing else; your dependencies are scanned, and any potentially nasty surprises made visible.
If we already have your undivided attention at this point, feel free to jump right into our tutorial, which shows you how, with very little code, you can add robust security scanning, alerting and reporting to your existing GitHub projects.
Meanwhile, if you are interested in more of the theory and reasoning behind Anchore, keep reading on…
Why Shift Left Using GitHub
Software development is now one of the most collaborative of all human endeavors. The web page you are reading right now is almost certainly the sum total of work from thousands of individual developers. Most of these people have never met each other, but they leverage each other’s work to create the technology that now underpins almost every facet of our daily lives.
This collaboration extends widely; almost every ‘smart’ device, from your TV right through to your car makes use of software written by developers from almost every part of the globe. It is a modern-day wonder that powers a dizzying pace of innovation.
And for many developers, GitHub has become the focus of much of this collaboration. It is more than just a place to store code, it is a vast, well-connected collaboration platform. Within GitHub, developers can share, review, reuse and work together on code, regardless of background or geographic location.
However, maintaining security is challenging in this new collaborative world. It is now almost impossible to manually apply any form of effective security. So, like the Operations teams before, security now has to team up with developers: DevOps is becoming DevSecOps. And like its predecessor, DevSecOps is all about embracing automation, fast feedback loops and, of course, collaboration.
Collectively, this trend is now widely referred to as ‘shifting left’.
Ok. So… why Shift Left Using GitHub?
1. The fast feedback loop
Security has long been seen as a final, irritating inconvenience in the development process. Preventing developers from moving on to the next task. Security considerations appeared as late-stage scrutiny, putting developers through the wringer of fixing issues, only to find another bug has popped-up, after yet another manual or late security intervention.
By marrying GitHub Actions and Anchore, developers get security feedback right alongside their existing unit tests. Fix, iterate, and fix again. Once your tests are clean, it’s ready to go. Security becomes part of the same workflow developers know and love.
2. Easy to set up, easy to use
GitHub is built for collaboration, and Actions are no exception. Anchor has done all the hard work for you, meaning you just need to include our Action and a handful of code. We’ve done the rest, giving you security and peace-of-mind without you having to tear your hair out managing complexity to get there.
3. One place to look
GitHub is where developers go to work. It is a tool they interact with throughout the day, using it to store, test and collaborate on code. By making security front and center in their favorite tool, it means they have one place to look. Put the information somewhere else, and after the first rush of curiosity, it’ll gather dust, unloved and uninspected. Anchore and GitHub Actions keep the security picture front and center.
4. Comprehensive and complete
The Anchore engine is a powerful, Open Source container security scanning tool that the GitHub action makes use of. You get almost the same level of scrutiny, and peace of mind that you would get from running it on your desktop. It’s the perfect mashup of automation and power. To make Anchore engine fit with the ethos of GitHub actions we’ve chosen defaults that offer fast, concise and actionable reports based on the container contents. However, if you want a slower, but more detailed scan that includes application packages, you can enable it by using the
include-app-packages option found in the GitHub Action docs.
5. Policy as code
Because it’s the full Anchore Engine, it means you can define your security policy as code and make use of it in the Action. This is the perfect blend of a fast feedback loop for developers, based on a security practitioner’s insight. It’s like having your security team checking every element of your artifacts, 24/7, and letting the real practitioners drop the grunt work and focus on more valuable endeavors.
If this has whetted your appetite, then check out our tutorial on GitHub Actions, which will show you how to integrate some of Anchore’s open source peace-of-mind into your pipeline, with just a handful of code.