Scanning for Maven Security Vulnerabilities using Github Actions
In this lesson, I’m going to setup how to scan for security vulnerabilities in Maven packages. They will happen on every push to all branches using Github Actions. I will be leveraging this library.
The assumption is you have a Maven project setup and some basic understanding of Maven. First step is to build your JAR:
mvn clean package
You package should build without any issues. Next, you can try the security check:
This check may or may not return issues.
You should have access to Github Actions (as of writing its in private beta). You will need to create a new workflow file. You can run this command from your project’s root directory:
mkdir -p .github/workflows/ touch .github/workflows/all_branches.yml
The contents should start as this:
name: AllBranchesCI on: push: branches: - '*' jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v1 - name: Run Security Checks run: echo "Hello World"
Commit that to your master branch. You may have to commit another file to run it. Verify it runs as expected.
Your Github Actions pipeline is as expected.
Running Security Check On Local
We will be running the security check with the output going into the file. We will grep the file for is vulnerable to . If it’s true, then we will exit. This can all be done locally.
Create a folder called scripts and a subfolder called pipeline
mkdir -p scripts/pipeline/
Create an initial file.
The contents will be as follows:
# Create brand new security_checks_log file. rm -rf security_checks_log.txt touch security_checks_log.txt # Run security check mvn com.redhat.victims.maven:security-versions:check >> security_checks_log.txt # Check for security vulnerability if grep -q "is vulnerable to" security_checks_log.txt then echo "Yes, security vulnerabilities found." exit 1 fi # Display security_logs cat security_checks_log.txt # Delete security check log file rm security_checks_log.txt
You can run it with:
Next step is to update the workflow to run it.
name: AllBranchesCI on: push: branches: - '*' jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v1 - name: Run Security Checks run: bash scripts/pipeline/security_checks.sh
I’m going to add a security vulnerability on purpose. Don’t forget to remove it. Add this to your pom.xml:
<dependency> <groupId>org.apache.struts</groupId> <artifactId>struts2-core</artifactId> <version>2.0.5</version> </dependency>
I removed the cat security_checks_log.txt temporarily. I ran the script locally.
Since it does detect it, we need to confirm the workflow fails. This avoids shipping an insecure JAR. Push to your remote branch.
Don’t forget to remove the insecure dependency.
And that’s it! You’re all setup to catch security vulnerabilities in your Maven dependencies. This is a simple helpful layer to avoid known issues. I have lots more lessons on Github Actions, check them out! Thanks for reading!