Contrast Security, the leader in next-gen code security, today announced its partnership with GitHub and the availability of its suite of GitHub Actions, which simplify the process for developers to check the code they build for security vulnerabilities before it ships. By partnering with the world’s largest developer community, Contrast has made automating security testing inside native pipelines far more accessible. Contrast’s home-grown GitHub Actions let developers embed security testing across multiple phases of the development lifecycle. We are kicking off this partnership with a new four-part blog series detailing how Contrast’s Actions can help automate secure coding with each commit, pull request and deployment.
For part one, we take a closer look at our new GitHub Action for Contrast Scan, Contrast’s static application security testing (SAST) solution. Parts two through four cover how to automate secure code delivery in distributed cloud environments, specifically Amazon’s Elastic Kubernetes Service (EKS), Microsoft’s Azure Kubernetes Service (AKS) and Azure Spring Cloud.
One of the biggest blockers to wider developer adoption of security tools is the stigma of manually kicking off a scan, waiting for results, and then sifting through false positives. Contrast has designed its solutions to keep secure code moving through native pipelines by embedding within the tools developers already use. The GitHub Action for Contrast Scan lets developers test their project within their existing GitHub CI/CD environment, with no need to switch between GitHub and the Contrast UI. Developers can trigger automated security checks on each commit or pull request and receive the results directly within their GitHub project. AppSec managers who struggle to foster adoption within their development teams can now have the assurance that security is embedded in the native CI workflow, without having to customize rules or make the hard choice between speed and accuracy.
Shifting code analysis left within the development process is only as good as the engine behind the results. Contrast Scan is purpose-built to be pipeline native. Instead of taking a waterfall approach and scanning a monolithic application at the end of a release, Contrast Scan is engineered to run inside modern pipelines, so that developers can make secure code analysis as routine as checking a build or submitting a pull request. Scans can be initiated from the command-line interface (CLI), from build automation (e.g., Maven, Gradle), through a simple API call, and now through GitHub Actions.
We can wax poetic about secure code automation all day long, but let’s see Contrast’s GitHub Actions for code analysis in, well…action!
In the meantime, feel free to check out Contrast DecSec, our online developer community, for in-depth how-to guides on integrating Contrast into your GitHub CI/CD workflows.