At the time of this update, DefenseCode has made ThunderScan, one of the industry's reputable modern static application security testing (SAST) solutions, available as a GitHub Action. With this feature update, ThunderScan SAST now offers security vulnerability analysis across 30+ languages, providing detailed vulnerability reports integrated into GitHub.
GitHub is a well-known developer collaboration platform and home to more than 50 million users, 3 million organizations, and over 100 million repositories. On 30-Sep-2020 GitHub announced the availability of its code scanning feature, a developer-first, GitHub-native approach to finding security vulnerabilities in code before they reach production.
Coinciding with the launch of code scanning, DefenseCode Group has released a GitHub Action for the ThunderScan SAST solution. The added support for Static Analysis Results Interchange Format (SARIF) output, uploaded automatically by the ThunderScan GitHub Action, enables developers to access any security vulnerabilities identified by the analysis directly in the GitHub code scanning UI. Code scanning scans code as it’s created and surfaces actionable security reviews within pull requests. It also prevents developers from introducing new vulnerabilities. Scans may be scheduled for specific days and times, or triggered automatically when a specific event occurs in the repository, such as a code push.
DefenseCode customers are now able to run the cross-platform self-hosted runners provided by GitHub to customize the environment used to run ThunderScan Action jobs in their GitHub Actions workflows. ThunderScan SAST has a dedicated REST API client that is invoked from the GitHub Action with parameters to run the analysis against a target repository.
Self-hosted runners can be added at various levels in the management hierarchy:
● Repository-level runners are dedicated to a single repository.
● Organization-level runners can process jobs for multiple repositories in an organization.
● Enterprise-level runners can be assigned to multiple organizations in an enterprise account.
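The following workflow is an added example, not a file from DefenseCode, E-SPIN or the ThunderScan project. It shows the mechanics described above: a job triggered on a code push and on a schedule, running on a self-hosted runner, producing SARIF output that GitHub code scanning ingests. The ThunderScan action reference and its inputs (`api_url`, `api_token`, `output`) are placeholders I assumed for illustration; the checkout and `github/codeql-action/upload-sarif` actions, the `security-events: write` permission and the trigger syntax are standard GitHub Actions features.

```yaml
# Added example workflow; not the ThunderScan project's own file.
# PLACEHOLDER items: the ThunderScan action reference and its inputs are
# assumed names, to be replaced with the values from the published action.
name: ThunderScan SAST

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 2 * * 1"   # additionally run every Monday at 02:00 UTC

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to code scanning

jobs:
  sast:
    # A self-hosted runner registered at repository, organization or enterprise
    # level; switch to ubuntu-latest if no self-hosted runner is registered.
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v3

      # PLACEHOLDER step: action name and inputs below are assumptions
      - name: Run ThunderScan SAST analysis
        uses: defensecode/thunderscan-action@v1   # placeholder reference
        with:
          api_url: ${{ secrets.THUNDERSCAN_API_URL }}       # placeholder input
          api_token: ${{ secrets.THUNDERSCAN_API_TOKEN }}   # placeholder input
          output: thunderscan.sarif                         # placeholder input

      # Explicit upload shown to illustrate how code scanning ingests SARIF.
      # The text above states the ThunderScan Action performs this upload
      # itself, in which case this step is not needed.
      - name: Upload SARIF to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: thunderscan.sarif
```

Keep the API endpoint and token in repository or organization secrets rather than in the workflow file, and restrict `permissions` to what the job needs: `security-events: write` is the one permission the SARIF upload requires, and `contents: read` is enough for checkout.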
ThunderScan SAST GitHub Action will soon be accompanied by a ThunderScan SAST GitHub App, with continued enhancements to both.
E-SPIN, established in 2005, has been active in supplying application security testing (AST) solutions, including dynamic, static, interactive, mobile and software composition analysis (SCA), as well as manual AST, infrastructure, datacenter and cloud security testing solutions for enterprise customers, covering DevSecOps, SecOps, red team, threat and vulnerability management, and governance, risk and compliance (GRC) through regulatory compliance. Feel free to contact E-SPIN for your project or operations requirements.