🚀 Automating Security in Software Development

How We Built bearerbot to Ensure SAST at Scale

· 1019 words · 5 minute read

1. Introduction

Security is a non-negotiable aspect of modern software development. As applications grow in complexity, so do the threats they face. The estimated value of cybercrime-related losses is projected to rise from roughly $8 trillion in 2023 to roughly $14 trillion worldwide in 2028, and on average an attack is launched every 3 seconds, about 26,000 attacks per day [1].

To mitigate these risks, two core security testing approaches exist: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

  • SAST is applied at development time, analyzing source code to catch vulnerabilities before they reach production.
  • DAST is conducted at runtime, probing the deployed application from the outside, as an external attacker would.

While both techniques are crucial, our focus in this article is on automating SAST enforcement across all new repositories within ufirst. We’ll explore the challenges of ensuring SAST adoption and introduce our solution: bearerbot, an internal GitHub App designed to automatically enable security checks on new repositories.


2. The Problem: Automating SAST on New Repositories

Security measures are only effective if they are consistently applied. However, in a growing engineering organization, ensuring that every new repository is secured presents challenges:

  • Lack of awareness: Developers may overlook setting up SAST.
  • Inconsistent enforcement: Not all repositories may support the same security tooling.
  • Scalability issues: Manually enabling SAST on every new repository is not feasible.

To address these challenges, we sought an automated solution that integrates seamlessly into our development workflow.

3. Choosing the Right SAST Tool: Bearer

In our quest for an effective SAST solution, we evaluated several tools and selected Bearer for its unique capabilities.

What is Bearer?

Bearer [2] is a Static Application Security Testing (SAST) tool designed to scan source code and analyze data flows to identify, filter, and prioritize security and privacy risks. It offers:

  • Comprehensive Security Coverage: Built-in rules addressing common vulnerabilities, including the OWASP Top 10 and CWE Top 25 [3, 4], such as access control issues, cryptographic failures, and injections.
  • Privacy Risk Detection: Ability to detect sensitive data flows, such as Personally Identifiable Information (PII) and Protected Health Information (PHI), aiding in compliance efforts.
  • Developer-Friendly Integration: Easy integration into CI/CD pipelines, providing clear and actionable reports that focus on both security and development aspects.

Why Bearer?

Our decision to adopt Bearer was influenced by several factors:

  • Open Source Availability: Bearer offers a free, open-source solution (Bearer CLI) [5], aligning with our commitment to open-source tools.
  • Performance Efficiency: Benchmarks indicate that Bearer operates efficiently, making it suitable for seamless integration into our CI/CD workflows.
  • Focus on Privacy: Bearer’s emphasis on privacy risks complements our dedication to protecting user data.

4. Enter bearerbot: Automating SAST with Bearer

To ensure the consistent application of SAST across all new repositories, we developed bearerbot, an internal GitHub App designed to automate the integration of Bearer into our development process.

It ensures that no repository goes unnoticed by:

  1. Detecting the repository’s language using multiple strategies.
  2. Determining whether SAST should be enabled (bearerbot currently enables it for Python and Golang repositories, which are scanned with Bearer CLI).
  3. Creating and pushing security automation files (GitHub Actions + SAST scripts).
  4. Opening a Pull Request to apply the changes.
  5. Notifying developers via Slack.

5. How bearerbot Determines Repository Language

To decide if SAST is applicable, bearerbot needs to detect the repository’s programming language. Since repositories are often created empty or with incomplete structures, we use a multi-step detection approach:

  1. Custom repository property: If a repository includes the sast-security-checks-template custom property in its settings, we use it.
  2. GitHub API Language Detection: If available, we rely on GitHub’s classification available via API [6].
  3. .gitignore analysis: Certain .gitignore patterns hint at the primary language.
  4. README.md inspection: If present, README files may indicate the tech stack.
  5. Source file scanning: As a last resort, we scan files such as:
    • .go, go.mod → Golang
    • .py, requirements.txt → Python

If no language is detected, bearerbot sends a Slack notification to a dedicated channel, prompting manual intervention.
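As an added illustration (not bearerbot's actual code), here is how the five strategies can be chained in Python so that the first one producing an answer wins, with a `None` result left for the Slack fallback. The `RepoSnapshot` fields, the custom-property value mapping and the .gitignore/README hint patterns are assumptions; only the strategy order and the file hints come from the list above.

```python
"""Multi-step language detection for a freshly created repository (section 5).
Added example, not bearerbot's own code: it runs over an in-memory snapshot of
what the GitHub API would return, so it works offline.  The snapshot fields,
the custom-property value mapping and the hint patterns are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

SUPPORTED = {"python", "go"}   # languages bearerbot enables Bearer CLI for
PROPERTY_NAME = "sast-security-checks-template"


@dataclass
class RepoSnapshot:
    custom_properties: dict[str, str] = field(default_factory=dict)  # repo settings
    api_languages: dict[str, int] = field(default_factory=dict)      # GET /repos/{o}/{r}/languages
    gitignore: str = ""
    readme: str = ""
    files: list[str] = field(default_factory=list)


# Assumed mapping of custom-property values to canonical language names.
PROPERTY_VALUES = {"python": "python", "go": "go", "golang": "go"}

# Lines from the common Python/Go .gitignore templates (assumed hints).
GITIGNORE_HINTS = {
    "python": ("__pycache__", "*.py[cod]", "*.pyc", ".venv", "venv/", ".egg-info"),
    "go": ("*.test", "*.out", "go.work", "*.exe~"),
}

# README wording that names the stack; a bare "go" is too ambiguous to match.
README_HINTS = {
    "python": re.compile(r"\b(python|pip install|requirements\.txt|pyproject\.toml)\b", re.I),
    "go": re.compile(r"\b(golang|go\.mod|go 1\.\d+)\b", re.I),
}

# Last resort: the file names and extensions listed in the article.
FILE_HINTS = {"go": (".go", "go.mod"), "python": (".py", "requirements.txt")}


def _normalize(name: str) -> str:
    name = name.strip().lower()
    return "go" if name == "golang" else name


def detect_language(repo: RepoSnapshot) -> tuple[Optional[str], Optional[str]]:
    """Return (language, strategy), or (None, None) when nothing matched.
    Strategies run in bearerbot's order; the first hit wins."""
    # 1. Explicit custom property set on the repository.
    prop = repo.custom_properties.get(PROPERTY_NAME, "").lower()
    if prop in PROPERTY_VALUES:
        return PROPERTY_VALUES[prop], "custom-property"
    # 2. GitHub's classification: the language with the most bytes of code.
    if repo.api_languages:
        dominant = max(repo.api_languages, key=repo.api_languages.__getitem__)
        return _normalize(dominant), "github-api"
    # 3. .gitignore patterns (empty repos often have one from the template picker).
    for lang, hints in GITIGNORE_HINTS.items():
        if any(h in repo.gitignore for h in hints):
            return lang, "gitignore"
    # 4. README wording.
    for lang, pattern in README_HINTS.items():
        if pattern.search(repo.readme):
            return lang, "readme"
    # 5. Source file scan.
    for lang, hints in FILE_HINTS.items():
        for path in repo.files:
            name = path.rsplit("/", 1)[-1].lower()
            if any(name == h or name.endswith(h) for h in hints):
                return lang, "files"
    return None, None


def should_enable_sast(language: Optional[str]) -> bool:
    """bearerbot only wires up Bearer CLI for the languages it supports."""
    return language in SUPPORTED


if __name__ == "__main__":
    # Constructed snapshots standing in for freshly created repositories.
    samples = {
        "explicit": RepoSnapshot(custom_properties={PROPERTY_NAME: "golang"}),
        "classified": RepoSnapshot(api_languages={"Python": 5200, "Shell": 310}),
        "frontend": RepoSnapshot(api_languages={"TypeScript": 9000}),
        "gitignore-only": RepoSnapshot(gitignore="__pycache__/\n*.py[cod]\n.venv\n"),
        "readme-only": RepoSnapshot(readme="# svc\nBuilt with Golang, needs go 1.22."),
        "empty": RepoSnapshot(),
    }
    for name, snap in samples.items():
        lang, how = detect_language(snap)
        action = "open SAST PR" if should_enable_sast(lang) else "Slack: manual review"
        print(f"{name:15} -> {lang!s:11} via {how!s:16} => {action}")
```

Note that strategy 2 can return a language bearerbot does not support (TypeScript in the sample): detection and the enable/skip decision are kept separate so the Slack message can say what was found rather than just "unknown".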


6. The Automated SAST Workflow

If the detected language supports SAST (Python or Golang), bearerbot takes the following actions:

✅ Generates required security files

  • A GitHub Actions workflow that triggers SAST for each PR to the main branch.
  • A script to run Bearer CLI and generate security reports.

✅ Pushes changes to a new branch

  • The branch is named following a standard format, e.g., add-sast-security.

✅ Opens a Pull Request

  • The PR proposes adding SAST automation.
  • It is assigned to a predetermined security team.

✅ Sends Slack notifications

  • Success: Notification in #security-alerts confirming SAST activation.
  • Failure: Alerts the team for manual resolution.

7. Architecture & Implementation

Where does bearerbot run?

  • The bot is implemented as a Python-based serverless function hosted on Google Cloud Functions.
  • GitHub webhooks notify bearerbot of repository creation events.
  • Authenticated calls to the GitHub and Slack APIs perform the enforcement actions and deliver real-time notifications.
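Before the bot acts on a webhook it should verify that the delivery really came from GitHub and is the event it cares about. The following is an added example, not bearerbot's own code: it checks the X-Hub-Signature-256 header (an HMAC-SHA256 of the raw request body under the webhook secret, which GitHub sends with every delivery) in constant time, and only then filters for `repository` events whose action is `created`. The handler names and the injected `on_repo_created` hook are assumptions.

```python
"""Webhook entry point for a bearerbot-style Cloud Function (section 7).
Added example, not bearerbot's own code.  The header name and signature scheme
are GitHub's; the function names and the injected handler are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Callable, Mapping, Optional


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub puts in X-Hub-Signature-256 for `body`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the signature header against the *raw* body.
    Re-serialising parsed JSON can change key order or whitespace and break
    the digest, so always verify the bytes exactly as received."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), header.encode())


def handle_webhook(
    headers: Mapping[str, str],
    body: bytes,
    secret: bytes,
    on_repo_created: Callable[[str, str], str],
) -> tuple[int, str]:
    """Return the (HTTP status, message) pair the function would respond with.
    `on_repo_created(owner, repo)` is a hypothetical hook that would run the
    language detection and PR flow; it is injected so this stays testable."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "bad signature"            # reject before parsing untrusted input

    event = headers.get("X-GitHub-Event", "")
    payload = json.loads(body)
    if event != "repository" or payload.get("action") != "created":
        return 200, f"ignored {event}:{payload.get('action')}"

    full_name = payload["repository"]["full_name"]     # e.g. "ufirst/new-service"
    owner, repo = full_name.split("/", 1)
    return 200, on_repo_created(owner, repo)


if __name__ == "__main__":
    # Constructed webhook delivery standing in for a real GitHub event.
    SECRET = b"example-webhook-secret"          # in production: read from a secret store
    body = json.dumps({"action": "created",
                       "repository": {"full_name": "ufirst/new-service"}}).encode()
    headers = {"X-GitHub-Event": "repository",
               "X-Hub-Signature-256": sign_payload(SECRET, body)}
    hook = lambda owner, repo: f"queued SAST onboarding for {owner}/{repo}"
    print(handle_webhook(headers, body, SECRET, hook))
    tampered = body.replace(b"new-service", b"evil-service")
    print(handle_webhook(headers, tampered, SECRET, hook))   # signature no longer matches
```

In a Cloud Function the raw body comes from `request.get_data()` and the headers from `request.headers`; the JSON is parsed only after the signature check passes, so a forged or replayed body never reaches the GitHub or Slack calls.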

Why the use of a GitHub App?

  • Organization-wide visibility: No need to configure each repository individually.
  • Granular permissions: Fine-tuned control over what actions the bot can perform.
  • Scalability: Works across all repositories without manual intervention.

8. Handling Edge Cases & Failures

What happens if something goes wrong? bearerbot is designed to handle common failure scenarios:

❌ Unable to detect language → Sends a Slack notification for manual review.
❌ Failed to create PR → Logs the failure and alerts the security team.
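Putting sections 6 and 8 together, this added example (not bearerbot's own code) walks the GitHub REST calls for the happy path, creating the branch from the default branch's head, committing the workflow and scan script through the Contents API, opening the PR and requesting the security team's review, and routes both failure cases above to Slack. The branch name, file paths, team slug and channel follow the article but are assumptions, as is the `notify` callback; `RecordingGitHub` stands in for an authenticated GitHub App client so the flow runs offline. Verify the Bearer CLI flags in the embedded script against the version you pin.

```python
"""bearerbot-style onboarding flow (sections 6 and 8): generate the SAST files, push
them on a branch, open a PR for the security team, notify Slack, and handle the
failure paths (language undetected, PR creation failed).
Added example, not bearerbot's own code.  GitHub REST endpoints and the Bearer CLI
install/scan commands are real; branch, paths, team slug, channel and `notify` are
assumptions, and RecordingGitHub is an offline stand-in for a GitHub App client."""
from __future__ import annotations

import base64
import logging
from typing import Any, Callable, Optional

log = logging.getLogger("bearerbot")
BRANCH = "add-sast-security"
SECURITY_TEAM = "security"            # GitHub team slug that reviews the PR (assumed)
ALERT_CHANNEL = "#security-alerts"
WORKFLOW_PATH = ".github/workflows/sast.yml"
SCRIPT_PATH = ".github/scripts/run-sast.sh"

WORKFLOW_YAML = """\
name: SAST (Bearer)
on:
  pull_request:
    branches: [main]
permissions:
  contents: read            # least privilege: the scan only reads the checkout
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bash .github/scripts/run-sast.sh
"""

SCAN_SCRIPT = """\
#!/usr/bin/env bash
set -euo pipefail
# Install Bearer CLI via its official install script, then scan the checkout.
# `bearer scan` exits non-zero when it reports findings, which fails the PR check.
curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
bearer scan . --severity critical,high --format sarif --output bearer-results.sarif
"""


class RecordingGitHub:
    """Offline stand-in for a GitHub client: records calls, returns canned responses."""

    def __init__(self, fail_on: Optional[str] = None) -> None:
        self.calls: list[tuple[str, str]] = []
        self.fail_on = fail_on        # path suffix that raises, to exercise failure handling

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        self.calls.append((method, path))
        if self.fail_on and path.endswith(self.fail_on):
            raise RuntimeError(f"GitHub API error on {method} {path}")
        if method == "GET" and len(path.strip("/").split("/")) == 3:   # /repos/{owner}/{repo}
            return {"default_branch": "main"}
        if "/git/ref/heads/" in path:
            return {"object": {"sha": "0123abcd" * 5}}
        if path.endswith("/pulls"):
            return {"number": 7, "html_url": "https://github.com/example/example/pull/7"}
        return {}


def _put_file(gh: Any, repo: str, path: str, content: str) -> None:
    # The Contents API takes base64 and commits directly onto the given branch.
    gh.request("PUT", f"/repos/{repo}/contents/{path}", {
        "message": f"ci: add Bearer SAST ({path})",
        "content": base64.b64encode(content.encode()).decode(),
        "branch": BRANCH,
    })


def onboard_repository(gh: Any, notify: Callable[[str, str], None],
                       repo: str, language: Optional[str]) -> dict[str, Any]:
    """Run the section-6 steps for "owner/name" and return a summary dict."""
    if language is None:                       # section 8: hand over to a human
        notify(ALERT_CHANNEL, f":warning: {repo}: language not detected, manual SAST review needed")
        return {"status": "needs-manual-review", "repo": repo}
    if language not in ("python", "go"):
        return {"status": "unsupported", "repo": repo, "language": language}
    try:
        base = gh.request("GET", f"/repos/{repo}")["default_branch"]
        sha = gh.request("GET", f"/repos/{repo}/git/ref/heads/{base}")["object"]["sha"]
        gh.request("POST", f"/repos/{repo}/git/refs", {"ref": f"refs/heads/{BRANCH}", "sha": sha})
        _put_file(gh, repo, WORKFLOW_PATH, WORKFLOW_YAML)
        _put_file(gh, repo, SCRIPT_PATH, SCAN_SCRIPT)
        pr = gh.request("POST", f"/repos/{repo}/pulls", {
            "title": "Add Bearer SAST workflow", "head": BRANCH, "base": base,
            "body": f"Opened by bearerbot: runs Bearer CLI on every PR to `{base}` ({language}).",
        })
        gh.request("POST", f"/repos/{repo}/pulls/{pr['number']}/requested_reviewers",
                   {"team_reviewers": [SECURITY_TEAM]})
    except Exception as exc:                   # section 8: log and alert, never fail silently
        log.exception("SAST onboarding failed for %s", repo)
        notify(ALERT_CHANNEL, f":x: {repo}: failed to open SAST PR ({exc})")
        return {"status": "failed", "repo": repo, "error": str(exc)}
    notify(ALERT_CHANNEL, f":white_check_mark: {repo}: SAST enabled, PR #{pr['number']} {pr['html_url']}")
    return {"status": "opened", "repo": repo, "pr": pr["number"]}


if __name__ == "__main__":
    sent: list[tuple[str, str]] = []
    slack = lambda channel, text: sent.append((channel, text))   # stand-in for the Slack webhook
    gh = RecordingGitHub()
    print(onboard_repository(gh, slack, "ufirst/new-service", "python"))
    print(onboard_repository(RecordingGitHub(fail_on="/pulls"), slack, "ufirst/other", "go"))
    print(onboard_repository(gh, slack, "ufirst/mystery", None))
    print(*gh.calls, *sent, sep="\n")
```

Two design points worth keeping when adapting this: the generated workflow asks for `contents: read` only, so a compromised scan step cannot push to the repository, and the whole GitHub sequence sits in one `try` so a failure anywhere (ref already exists, missing App permission, API outage) produces a single alert rather than a half-created branch nobody hears about.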


9. Impact & Lessons Learned

🚀 Security by Default → New repositories are secured without developer intervention.
🔄 Developer-Friendly Approach → Proposing the change as a PR keeps it reviewable and lets teams adapt it before merging.
📊 Better Security Visibility → We can track security adoption across all projects.


10. Conclusion & Future Plans

With bearerbot, we’ve successfully automated SAST enforcement across new repositories in ufirst. This initiative strengthens our security posture by ensuring that security best practices are applied consistently from day one.

What’s next?

  • Expanding bearerbot to support LLM-based SAST approaches for languages not currently covered.
  • Continuous monitoring to further refine automation and improve developer experience.

Interested in implementing something similar? Reach out to our team; we’d love to discuss security automation strategies! 🔒✨


References

  1. LSAST: Enhancing Cybersecurity through LLM-supported Static Application Security Testing
  2. Bearer
  3. OWASP Top 10
  4. CWE Top 25
  5. Bearer CLI
  6. GitHub API