SCA in the Secure Development Lifecycle

Why should organizations shift security testing left?

Shift left is a development principle that implies that code quality and security should move from the right or at the very end of the software development life cycle (after code is deployed to runtime environments) to the left – in developer workstations and IDEs, in Continuous Integration (CI) pipelines, etc. By addressing third-party dependency vulnerabilities early in your software development lifecycle, you can prevent costly and time-consuming security breaches before they reach your production environment.

Empowering development teams to prevent SCA incidents will guarantee your applications are safe and reliable and help reduce your security team's burden.

Detect vulnerable dependencies in CI pipelines

Adding automated scanning jobs in CI environments to test supporting branches such as feature, release, and hotfix before merging into the main one is an excellent approach to prevent new SCA incidents from occurring. It helps you keep your applications reliable and safe. Moreover, automating security testing in the CI pipelines is a great strategy to quickly raise the awareness of both developer and DevOps engineering teams around the incidents.

Here are a few guidelines to set SCA scanning into your CI pipelines:

Create a service account for the GitGuardian API
Set up CI/CD Integrations with ggshield
1. Jenkins CI
2. GitHub Actions
3. GitLab CI/CD
4. Azure pipelines
5. Bitbucket pipelines
6. Circle CI
7. Drone CI
8. Travis CI
9. Scan Docker images after the build job

Detect vulnerable dependencies on dev machines

SCA scanning can be integrated very early on in the development process. GitGuardian empowers developers with ggshield (our command-line interface application) to scan their commits for dependencies before pushing them.

The cost of fixing dependency issues is much cheaper at this stage than once they have reached the central/shared repository, hence the importance of shifting security left and providing developers with early and frequent feedback.

ggshield can be integrated into git hooks to scan code automatically before committing staged changes (pre-commit hook) or pushing code to the shared repository (pre-push hook). Here are some guidelines to get started with ggshield: