GitHub integrates Murphysec for real-time code inspection

1. Effect of integrating MurphySec into GitHub

Integrating the MurphySec code security detection tool into a GitHub Actions workflow scans every code push for vulnerable dependencies as soon as it lands, so the findings can be reviewed and fixed quickly.

(Screenshot: integration result)

2. Setup steps

Tip: if GitHub Actions is already enabled on the repository, start directly from step 3.

1. If Actions is not enabled, click the Actions tab to enable GitHub Actions for the repository

As shown in the figure below, the project has Actions enabled

2. On the repository page, configure the Actions permissions

Click Settings-->Actions-->General

Under Workflow permissions select Read and write permissions, and at the bottom check Allow GitHub Actions to create and approve pull requests. Note that this is the repository-wide default for the GITHUB_TOKEN of every workflow; uploading SARIF results to code scanning only needs security-events: write, which a workflow can request for itself with a permissions block.

3. Log in to the MurphySec official website and obtain an access token

Settings-->Access Token-->click the Copy button

4. Add MURPHYSEC_TOKEN as a repository secret

  • Click the repository's Settings-->Secrets and variables-->Actions-->New repository secret

  • Name: MURPHYSEC_TOKEN

    Secret: the token copied from the MurphySec website

5. Create the GitHub Actions workflow

  • Click the repository's Actions tab-->New workflow

  • Click set up a workflow yourself

  • Add the CI code below and commit it

  • GitHub Actions code: under branches, replace master with the name of the branch that should be scanned

name: "MurphySec code scan"
on:
  push:
    branches:
      - master   # replace with the branch that should be scanned
# Least-privilege token for this workflow: checkout needs read, upload-sarif
# needs security-events: write to create code scanning alerts.
permissions:
  contents: read
  security-events: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout_Actions
        uses: actions/checkout@v3
      - name: Install MurphySec code scan cli
        # Piping a remote script straight into bash trusts s.murphysec.com completely;
        # in a hardened pipeline download it, verify its checksum, then run it.
        run: |
          wget -q https://s.murphysec.com/release/install.sh -O - | /bin/bash
      - name: Code scan
        # The token comes from the repository secret created in step 4; GitHub masks it in logs.
        run: murphysec scan . --token ${{ secrets.MURPHYSEC_TOKEN }} --json > scan_results.json
      - name: Format data
        # Converts scan_results.json into the results.sarif that upload-sarif expects.
        run: |
          wget https://s.murphysec.com/github_actions_format.py
          python3 github_actions_format.py
      - name: Check if file exists
        # Only upload when the formatter actually produced a SARIF file.
        run: |
          if [ -f "results.sarif" ]; then
            echo "file_exists=true" >> $GITHUB_ENV
          else
            echo "file_exists=false" >> $GITHUB_ENV
          fi
      - name: Upload SARIF file
        if: env.file_exists == 'true'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
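The Format data step above fetches MurphySec's github_actions_format.py, which turns scan_results.json into the results.sarif that upload-sarif ingests. The Python below is an added example written for this page, not MurphySec's formatter: it shows the shape such a converter has to produce (a SARIF 2.1.0 log with rules, results, levels and a file location) and how writing results.sarif only when there are findings lets the Check if file exists step skip the upload. The records in FINDINGS are constructed sample input with placeholder IDs; they do not follow the real `murphysec scan --json` schema, so the field names (id, component, version, severity, fix_version, manifest, title) are assumptions to adapt to the real output.

```python
import json

# Constructed sample findings for this example. They are NOT output of
# `murphysec scan --json`, and the vulnerability IDs are placeholders.
FINDINGS = [
    {"id": "EXAMPLE-VULN-0001", "component": "example-lib", "version": "1.2.3",
     "severity": "critical", "fix_version": "1.2.4", "manifest": "pom.xml",
     "title": "constructed critical finding in example-lib"},
    {"id": "EXAMPLE-VULN-0002", "component": "other-lib", "version": "0.9.0",
     "severity": "low", "fix_version": None, "manifest": "pom.xml",
     "title": "constructed low finding in other-lib"},
]

# SARIF results carry one of error/warning/note; GitHub additionally reads a
# CVSS-style 0-10 score from the rule property "security-severity".
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}
SEVERITY_TO_SCORE = {"critical": "9.5", "high": "7.5",
                     "medium": "5.0", "low": "2.0"}


def finding_to_rule(finding):
    """One SARIF rule per vulnerability ID (what code scanning lists as the rule)."""
    sev = finding["severity"].lower()
    return {
        "id": finding["id"],
        "shortDescription": {"text": finding["title"]},
        "properties": {"security-severity": SEVERITY_TO_SCORE.get(sev, "5.0")},
    }


def finding_to_result(finding):
    """One SARIF result per affected component, anchored to the manifest file
    that introduced it so the alert is attached to a path in the repository."""
    sev = finding["severity"].lower()
    fix = (f"fixed in {finding['fix_version']}" if finding.get("fix_version")
           else "no fixed version known")
    return {
        "ruleId": finding["id"],
        # Unknown severities surface as warnings rather than being dropped.
        "level": SEVERITY_TO_LEVEL.get(sev, "warning"),
        "message": {"text": f"{finding['component']}@{finding['version']}: "
                            f"{finding['title']} ({fix})"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": finding["manifest"]},
            "region": {"startLine": 1},
        }}],
    }


def build_sarif(findings, tool_name="MurphySec code scan"):
    """Assemble a minimal SARIF 2.1.0 log with a single run."""
    rules, seen, results = [], set(), []
    for f in findings:
        if f["id"] not in seen:          # rule ids must be unique
            seen.add(f["id"])
            rules.append(finding_to_rule(f))
        results.append(finding_to_result(f))
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": rules}},
            "results": results,
        }],
    }


def write_sarif_if_findings(findings, path="results.sarif"):
    """Write results.sarif only when there is something to report. With no file
    present, the workflow's 'Check if file exists' step skips the upload."""
    if not findings:
        return False
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_sarif(findings), fh, indent=2)
    return True


def count_by_level(sarif):
    """Summarise a SARIF log as {level: count}, e.g. for a job summary."""
    counts = {}
    for result in sarif["runs"][0]["results"]:
        counts[result["level"]] = counts.get(result["level"], 0) + 1
    return counts


if __name__ == "__main__":
    written = write_sarif_if_findings(FINDINGS)
    print("results.sarif written:", written)
    print("findings by level:", count_by_level(build_sarif(FINDINGS)))
```

Run it in the repository root and the resulting results.sarif can be handed to github/codeql-action/upload-sarif exactly as in the workflow; the location pointing at the manifest is what makes each alert appear against a file under Security-->Code scanning rather than as a detached finding.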

3. View the code scan results

  • On the repository page go to Security-->Code scanning; this page shows an overview of the vulnerabilities in all risky components

  • Click the title of a vulnerability to open its details page, then click Show more for the full information

The details include the vulnerability identifier, handling advice, the introduction path (how the component was pulled in) and the fix plan

Click the link beneath the project's scan report to jump to the MurphySec website for more detailed vulnerability information

About Murphy Security 

Murphy Security is a technology company providing professional software supply chain security management. Its product capabilities are built around the SBOM and cover the entire software life cycle, from supply chain asset identification and management, risk detection and security control to one-click repair, giving complete security management and control of the development process. It also integrates at very low cost with the tools already in the development process, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.

Its security research team, Murphy Security Lab, focuses on technical research in software supply chain security, in areas including open source software security, program analysis, threat intelligence analysis and enterprise security governance. The company's core team comes from companies such as Baidu and Huawei and has more than ten years of experience in enterprise security construction, security product development, and security attack and defense.

 Learn about Murphy at: https://www.murphysec.com/?sf=qbyj

Five major products supporting solution roll-out

1. Sumu - software composition analysis

Sumu has an industry-leading vulnerability knowledge base, can be connected to each development process within 10 minutes, clearly displays the security risks of code projects, and supports IDE plug-ins, GitHub and more so that vulnerabilities can be fixed quickly and open source risk managed easily

2. Jingmo - source security management gateway

Jingmo blocks security risks at the source and shifts security capabilities left, so that code security testing is available throughout the DevSecOps process from development to testing. It connects seamlessly with Nexus and JFrog, and supports blacklist/whitelist configuration management, gate (checkpoint) management and artifact inspection, reducing cost and risk for enterprises

3. Red Arrow - license compliance management

Red Arrow automatically identifies the licenses of open source components to reduce the risk of license infringement. It currently covers 3000+ license types, enabling accurate identification and rapid management of compliance risks

4. Guanzhong - asset management and vulnerability early warning

Guanzhong covers more than 60,000 mainstream components, with full coverage of self-developed, commercial, open source and other assets, and is linked in real time to 0day vulnerability and poisoning warnings. Warnings arrive within minutes, so security risks can be handled calmly

5. Nanxing - static code scanning

High-accuracy vulnerability detection, very fast and efficient scanning, full coverage of common security vulnerabilities, and continuously updated expert-written rules



Source: blog.csdn.net/murphysec/article/details/131669563