Improve code security
Vincent Emonet
Data Science engineer at IDS

Securing software is a complex task, especially research software.
But a few easy actions can be taken to quickly improve the security of your code.
# Update dependencies (easy to enable)

You can enable this feature from the Security tab of your GitHub repository.
GitHub provides a tool, Dependabot, that spots outdated dependencies with known vulnerabilities and warns you that they need to be upgraded.
(Screenshot: Dependabot alert example)
See the DSRI documentation on GitHub Dependabot alerts.
Update dependencies automatically: you can also let Dependabot open pull requests that upgrade the vulnerable dependencies for you.

Integrates with git: the Dependabot warning is also displayed in the remote output when you run git push:
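Dependabot security alerts only need the Security tab switch, but scheduled version upgrades (the automatic pull requests mentioned above) are driven by a `.github/dependabot.yml` file. The configuration below is an added example, not a file from the DSRI documentation or from any DSRI project; it assumes a Python project whose dependencies are declared in `requirements.txt` or `pyproject.toml` at the repository root, and it also keeps the GitHub Actions used by the repository's workflows up to date, which is easy to forget.

```yaml
# .github/dependabot.yml (added example; assumes a Python project at the repo root)
version: 2
updates:
  # Python dependencies: assumption that the project uses pip-compatible files
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open PRs so a noisy week does not flood the repo
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # The actions referenced in .github/workflows/*.yml are dependencies too:
  # a compromised or outdated action runs with the workflow's permissions.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Once this file is committed, Dependabot opens one pull request per outdated package on the chosen schedule; security-driven upgrades for packages that appear in a Dependabot alert are opened as soon as a fixed version is available, independently of the schedule. Review the changelog linked in each PR before merging rather than auto-merging blindly: an upgrade pulled in to fix one CVE can still introduce a breaking change.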
# CodeQL analysis (easy to enable)

You can enable this feature from the Security tab of your GitHub repository. This creates a GitHub Actions workflow that runs the CodeQL analysis.
CodeQL is a static analysis tool from GitHub that spots dangerous coding practices, e.g. hardcoded credentials or known vulnerability patterns in JavaScript code.
It runs in a GitHub Actions workflow.
(Screenshot: CodeQL analysis example)
See the OpenPredict API CodeQL analysis workflow.
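The Security tab generates a similar workflow for you, but it is worth understanding what it contains. The workflow below is an added example, not the OpenPredict API workflow or any other DSRI file; it assumes a repository holding Python and JavaScript code (both interpreted, so no build step is needed) whose default branch is `main`.

```yaml
# .github/workflows/codeql.yml (added example; assumes Python + JavaScript code on "main")
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly run on a fixed day: new CodeQL queries land regularly, and a
    # scheduled scan finds issues in code that has not changed since the last push.
    - cron: "0 6 * * 1"

# Least privilege: the job only needs to read the code and write alerts.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript]
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          # The default suite is "security-extended"; this wider suite also reports
          # maintainability findings (unused variables, duplicated code, ...).
          queries: security-and-quality

      # No autobuild step: Python and JavaScript are analysed from the source.
      # A compiled language (Java, C/C++, Go) would need github/codeql-action/autobuild
      # or an explicit build command between init and analyze.

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Results show up under Security, then Code scanning alerts, and as annotations on pull requests. The `permissions` block matters: without it the job inherits the repository's default token permissions, which are often broader than the analysis needs.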
# Test coverage and additional analysis (enable for larger projects)

Setting this up takes a bit more time; it is recommended for larger projects where you define tests.
SonarCloud is quite nice for test coverage and for various relevant reports on your code quality (it spots security issues and code blocks that could be improved).
(Screenshot: SonarCloud report example)
See the OpenPredict API SonarCloud report.
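SonarCloud only reports coverage if your workflow produces a coverage file and tells the scanner where it is. The workflow below is an added example, not the OpenPredict API workflow; it assumes a Python project with tests run by pytest, source code under `src/`, a `SONAR_TOKEN` repository secret created from the SonarCloud account, and the placeholder project key `my-org_my-project` and organization `my-org`, which you would replace with the values SonarCloud shows for your project.

```yaml
# .github/workflows/sonarcloud.yml (added example; assumes pytest, code under src/, SONAR_TOKEN secret)
name: SonarCloud

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: SonarCloud needs it to tell "new code" from old code
          # and to attribute issues to the right commit.
          fetch-depth: 0

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Run the tests and write a Cobertura-style coverage report
        run: |
          pip install . pytest pytest-cov
          pytest --cov=src --cov-report=xml:coverage.xml

      - name: Upload to SonarCloud
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets SonarCloud decorate pull requests
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # assumption: secret created in the repo settings
        with:
          # Placeholder key/organization: replace with the values from your SonarCloud project page
          args: >
            -Dsonar.projectKey=my-org_my-project
            -Dsonar.organization=my-org
            -Dsonar.sources=src
            -Dsonar.tests=tests
            -Dsonar.python.coverage.reportPaths=coverage.xml
```

The `-D` arguments could equally live in a `sonar-project.properties` file at the repository root. Keep `SONAR_TOKEN` out of the repository and out of the workflow file itself: anyone able to read it can push analysis results, or noise, into your project.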
# Container scan (explore)

Container scanning can be worth using for projects with an emphasis on security.

- Free open-source tool: Docker image analysis tools such as the Anchore container scan report many irrelevant issues (findings in base-image packages the application never uses, or vulnerabilities with no available fix), so expect to spend time triaging them.
(Screenshot: Anchore container scan example)
See the OpenPredict API Anchore docker scan workflow.
- Commercial tool: Snyk gives better quality Docker image analysis, but extensive automated usage requires a paid plan.

Note: the Docker CLI integrates Snyk and lets you run a limited number of free vulnerability scans.
See the Docker and Snyk documentation for more details.
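Much of the noise mentioned above can be cut by configuring the scanner rather than reading every finding. The workflow below is an added example, not the OpenPredict API scan workflow; it assumes a `Dockerfile` at the repository root, the placeholder image name `localbuild/my-api`, and the `anchore/scan-action` inputs `severity-cutoff`, `only-fixed` and `fail-build` as documented for version 3 of that action (check the action's README for your pinned version, as input names have changed between releases).

```yaml
# .github/workflows/container-scan.yml (added example; assumes a Dockerfile at the repo root)
name: Container scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # needed to upload the SARIF report as code-scanning alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the image locally (it is never pushed to a registry)
        run: docker build -t localbuild/my-api:${{ github.sha }} .

      - name: Scan the image with Anchore (Grype)
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: localbuild/my-api:${{ github.sha }}
          # Fail the workflow on findings at or above the cutoff ...
          fail-build: true
          severity-cutoff: high
          # ... but only when upstream already ships a fixed version: a CVE you
          # cannot patch yet is worth knowing about, not worth blocking every PR on.
          only-fixed: true

      - name: Upload the report to the Security tab
        # Upload even when the scan step failed the build, so the findings are visible
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

Building the image in the job and tagging it with the commit SHA means the scan result always corresponds to exactly the Dockerfile under review. Start with a `high` cutoff and `only-fixed: true`; once the team keeps that bar green, lower the cutoff to `medium` and drop `only-fixed` to see the unfixable findings as well.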
# Improve password security

A few small steps can also be taken to improve your password security:

- Use a secure password manager, such as Bitwarden, to store your passwords.
- Use two-factor authentication with a secure app, such as Authy or Google Authenticator, whenever the website allows it, for example on Bitwarden and GitHub.
- To log in to GitHub when pushing code, we recommend to:
  - Use SSH keys if possible.
  - Or generate a Personal Access Token to use in place of your password when pushing over HTTPS (GitHub no longer accepts your account password for git operations, and storing a password in git remotes or plain-text credential files is an insecure practice). Go to your settings to create Personal Access Tokens, give each token only the scopes it needs (for pushing code, repository access is enough) and an expiration date, and store it in a credential manager rather than in a script or a `.git/config` file.