# Security Gate

Simple and practical security gate for GitHub Security Alerts.
This project lets you run a Security Gate inside GitHub, using Actions and your repository's Security Alerts as the information base. Alerts from Dependabot, Code Scanning and Secret Scanning are currently supported.

You can define a vulnerability policy based on impact, i.e. the number of vulnerabilities allowed per severity level, and automatically block your CI/CD pipeline when the policy is not met. This gives your application greater protection by preventing code that contains known threats from being deployed to production.
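To make the policy concrete, here is an added Python illustration (not the project's Perl code) of how a per-severity gate decides whether to fail a pipeline. It assumes a simplified, constructed alert record with a `state` and a `severity` field, reads the same MAX_* variables the workflow uses, and fails when the number of open alerts strictly exceeds a limit; how the real tool parses GitHub's alert payloads and compares counts is not shown here.

```python
import os

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample alerts (simplified shape, not GitHub's payloads).
# Dismissed or fixed alerts must not count against the policy.
SAMPLE_ALERTS = [
    {"state": "open", "severity": "critical"},
    {"state": "open", "severity": "critical"},
    {"state": "fixed", "severity": "critical"},
    {"state": "open", "severity": "high"},
    {"state": "dismissed", "severity": "high"},
    {"state": "open", "severity": "medium"},
    {"state": "open", "severity": "low"},
    {"state": "open", "severity": "low"},
]


def count_open_by_severity(alerts):
    """Count alerts in state 'open' per severity; unknown severities are ignored."""
    counts = {sev: 0 for sev in SEVERITIES}
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        sev = str(alert.get("severity", "")).lower()
        if sev in counts:
            counts[sev] += 1
    return counts


def policy_from_env(env=None):
    """Read MAX_CRITICAL/MAX_HIGH/MAX_MEDIUM/MAX_LOW as set in the workflow.
    Assumption for this example: an unset or empty variable means no limit."""
    env = os.environ if env is None else env
    limits = {sev: env.get("MAX_" + sev.upper()) for sev in SEVERITIES}
    return {sev: (int(raw) if raw else None) for sev, raw in limits.items()}


def evaluate(counts, policy):
    """Return (passed, violations); fail when an open count strictly exceeds its limit."""
    violations = [(sev, counts[sev], limit) for sev, limit in policy.items()
                  if limit is not None and counts[sev] > limit]
    return (not violations, violations)


if __name__ == "__main__":
    passed, violations = evaluate(count_open_by_severity(SAMPLE_ALERTS), policy_from_env())
    for sev, count, limit in violations:
        print(f"{sev}: {count} open alert(s) exceed the limit of {limit}")
    raise SystemExit(0 if passed else 1)  # a non-zero exit blocks the CI job
```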
You can read more about the project in this blog post: A simple and practical Security Gate for GitHub Security Alerts.
## Usage

You need to create a token with read access to Security Alerts and configure it in the Secrets section of your repository, then:

In your repository, create a YAML file at `.github/workflows/security-gate.yml` with this content:

```yaml
name: Security Gate - LESIS

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      MAX_CRITICAL: 1
      MAX_HIGH: 2
      MAX_MEDIUM: 3
      MAX_LOW: 4
      GITHUB_TOKEN: ${{ secrets.TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Pull Docker image from GitHub Container Registry
        run: docker pull ghcr.io/instriq/security-gate/security-gate:latest
      - name: Verify security alerts from dependabot
        run: |
          docker run ghcr.io/instriq/security-gate/security-gate:latest \
            -t $GITHUB_TOKEN \
            -r ${{ github.repository }} \
            --critical $MAX_CRITICAL \
            --high $MAX_HIGH \
            --medium $MAX_MEDIUM \
            --low $MAX_LOW \
            --dependency-alerts \
            --code-alerts \
            --secret-alerts
```
## Download and basic usage

```sh
# Download
$ git clone https://github.com/instriq/security-gate && cd security-gate

# Install library dependencies
$ cpanm --installdeps .

# Basic usage
$ perl security-gate.pl --help
```
```
Security Gate v0.1.0

Core Commands
====================
    Command              Description
    -------              -----------
    -t, --token          GitHub token
    -r, --repo           GitHub repository, organization/repository-name
    -c, --critical       Critical severity limit
    -h, --high           High severity limit
    -m, --medium         Medium severity limit
    -l, --low            Low severity limit
    --dependency-alerts  Check dependency alerts
    --secret-alerts      Check secret scanning alerts
    --code-alerts        Check code scanning alerts
```

## Docker

```sh
$ docker build -t security-gate .
$ docker run -ti --rm security-gate -t <GITHUB_TOKEN> \
    -r <organization/repository> \
    --critical 1 \
    --high 2 \
    --medium 3 \
    --low 5 \
    --dependency-alerts --code-alerts --secret-alerts
```
## Contribution

Your contributions and suggestions are heartily ♥ welcome. See the contribution guidelines here. Please report bugs via the issues page and, for security issues, see the security policy here. (✿ ◕‿◕)

## License

This work is licensed under the MIT License.