Inspiration
Almost all software developers, and the IT industry as a whole, struggle to keep pace with the ever-increasing scale of new software demands in today's business environment. Hence most developers pull in third-party code and combine it with new code to build modern software. This approach is not wrong in itself: it saves an enormous amount of developer time, and nobody has to reinvent the wheel.
However, incorporating third-party code is a judgment call that depends on how widely used and well regarded that code is, and even code that is well known and highly regarded across the industry is still third-party code. Developers generally place significant emphasis on the virtues of code reuse while glossing over the danger of dependencies. A project whose third-party code is not properly scanned and whose security vulnerabilities are not monitored is likely to fall apart in the long run as it devolves into a maintenance nightmare.
The same applies to containers: nearly every deployed container is built on top of community-contributed base images, so vulnerabilities in the bottom layers and bad practices such as privileged containers or unnecessarily exposed ports can compromise the whole organization's infrastructure.
To avoid these scenarios, most organizations that maintain code repositories (for example on GitHub) enable static code scanning for both application code and infrastructure as code. Today, however, most of them track the security status of their GitHub repositories and associated pipelines by visiting each repository manually and recording its status in a spreadsheet (Microsoft Excel Online, Google Sheets and the like). As the number of repositories grows, it becomes very hard to keep that sheet current by visiting every repository by hand.
What it does
The aim of this project is to make monitoring GitHub repositories and their associated build pipelines easier and quicker by using GitHub Actions.
How we built it
The main technologies used in this project are MSAL React, Azure Cosmos DB, Azure App Service, GitHub Actions, React JS and Material UI.
What's next for Security Status Monitoring Tool
As future improvements, the web application will gain the following monitoring widgets on its dashboard page, built from the retrieved data:
- The number of builds failed due to security issues
- Releases with security exceptions/bypasses
- Security issues reported for each repository
- Time taken to fix security issues
- Listing of third-party dependencies used in projects and a summary of the last scan results
- Basic detections related to anomalies in code commits (no machine learning involved at this stage)
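The following JavaScript is an added example, not code from the Security Status Monitoring Tool itself, showing how the per-repository status described under "What it does" and the dashboard widgets listed above (security build failures, bypassed alerts, open issues, time to fix, rule-based commit checks) can be computed from raw GitHub data. The record shapes are modelled on the fields GitHub's REST API returns for workflow runs, code scanning alerts and commits, but every record is constructed sample data; the repository names, the `SECURITY_WORKFLOW` name pattern and the trusted e-mail domain are assumptions made for the example.

```javascript
// Added example (not the project's own code): aggregate raw GitHub records into
// the per-repository security status a monitoring dashboard would display.
// Record shapes follow GitHub REST API field names; all records are constructed.

const SECURITY_WORKFLOW = /security|codeql|scan/i; // assumption: security jobs are named like this
const TRUSTED_EMAIL_DOMAINS = ["example.com"];      // assumption: the organization's author domains
const PIPELINE_PATH = /^\.github\/workflows\//;     // edits here change the pipeline itself

const sampleWorkflowRuns = [
  { repo: "org/payments-api", name: "security-scan", conclusion: "failure", created_at: "2023-03-01T10:00:00Z" },
  { repo: "org/payments-api", name: "build",         conclusion: "success", created_at: "2023-03-01T10:05:00Z" },
  { repo: "org/payments-api", name: "security-scan", conclusion: "success", created_at: "2023-03-02T09:00:00Z" },
  { repo: "org/web-frontend", name: "CodeQL",        conclusion: "failure", created_at: "2023-03-03T12:00:00Z" },
  { repo: "org/web-frontend", name: "build",         conclusion: "success", created_at: "2023-03-03T12:10:00Z" },
];

const sampleAlerts = [
  { repo: "org/payments-api", number: 1, state: "fixed",     rule: { severity: "error" },   created_at: "2023-02-20T00:00:00Z", fixed_at: "2023-02-25T00:00:00Z" },
  { repo: "org/payments-api", number: 2, state: "open",      rule: { severity: "warning" }, created_at: "2023-03-01T00:00:00Z", fixed_at: null },
  { repo: "org/web-frontend", number: 1, state: "dismissed", rule: { severity: "error" },   created_at: "2023-02-01T00:00:00Z", fixed_at: null, dismissed_reason: "won't fix" },
  { repo: "org/web-frontend", number: 2, state: "fixed",     rule: { severity: "warning" }, created_at: "2023-02-10T00:00:00Z", fixed_at: "2023-02-11T00:00:00Z" },
];

const sampleCommits = [
  { repo: "org/payments-api", sha: "a1b2c3d", author_email: "dev@example.com",      files: ["src/charge.js"] },
  { repo: "org/payments-api", sha: "d4e5f6a", author_email: "dev@example.com",      files: [".github/workflows/security.yml"] },
  { repo: "org/web-frontend", sha: "0f1e2d3", author_email: "someone@mailbox.test", files: ["src/App.jsx"] },
];

const DAY_MS = 24 * 60 * 60 * 1000;
const daysBetween = (from, to) => (Date.parse(to) - Date.parse(from)) / DAY_MS;

// Group records by their repo field.
function byRepo(records) {
  const groups = new Map();
  for (const r of records) {
    if (!groups.has(r.repo)) groups.set(r.repo, []);
    groups.get(r.repo).push(r);
  }
  return groups;
}

// Summarise one repository's posture from its workflow runs and code scanning alerts.
function summariseRepo(runs, alerts) {
  const securityRuns = runs
    .filter((r) => SECURITY_WORKFLOW.test(r.name))
    .sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at));
  const latest = securityRuns.length ? securityRuns[securityRuns.length - 1] : null;

  const open = alerts.filter((a) => a.state === "open");
  const fixed = alerts.filter((a) => a.state === "fixed" && a.fixed_at);
  const bypassed = alerts.filter((a) => a.state === "dismissed"); // security exceptions/bypasses
  const fixDays = fixed.map((a) => daysBetween(a.created_at, a.fixed_at));
  const meanTimeToFixDays = fixDays.length ? fixDays.reduce((s, d) => s + d, 0) / fixDays.length : null;

  // Traffic light: red if the latest security scan did not succeed or an error-severity
  // alert is open; amber if anything is open or was dismissed; green otherwise.
  let status = "green";
  if ((latest && latest.conclusion !== "success") || open.some((a) => a.rule.severity === "error")) {
    status = "red";
  } else if (open.length || bypassed.length) {
    status = "amber";
  }

  return {
    securityBuildFailures: securityRuns.filter((r) => r.conclusion === "failure").length,
    lastSecurityScan: latest ? latest.conclusion : "never",
    openAlerts: open.length,
    bypassedAlerts: bypassed.length,
    meanTimeToFixDays,
    status,
  };
}

// Build the dashboard model: one summary per repository seen in either input.
function buildSecurityStatus(runs, alerts) {
  const runsByRepo = byRepo(runs);
  const alertsByRepo = byRepo(alerts);
  const result = {};
  for (const repo of new Set([...runsByRepo.keys(), ...alertsByRepo.keys()])) {
    result[repo] = summariseRepo(runsByRepo.get(repo) || [], alertsByRepo.get(repo) || []);
  }
  return result;
}

// Rule-based commit checks (no machine learning): flag commits that edit the CI
// workflow definitions or come from an author outside the trusted domains.
function flagCommits(commits) {
  return commits
    .map((c) => {
      const reasons = [];
      if (c.files.some((f) => PIPELINE_PATH.test(f))) reasons.push("modifies CI workflow");
      if (!TRUSTED_EMAIL_DOMAINS.includes(c.author_email.split("@")[1])) reasons.push("untrusted author domain");
      return { repo: c.repo, sha: c.sha, reasons };
    })
    .filter((c) => c.reasons.length > 0);
}

console.log(JSON.stringify(buildSecurityStatus(sampleWorkflowRuns, sampleAlerts), null, 2));
console.log(flagCommits(sampleCommits));
```

In a real deployment the two inputs would come from the GitHub API (workflow runs and code scanning alerts per repository) rather than from the inline sample arrays, and the returned object is what a dashboard component would render; the commit checks are deliberately simple rules, matching the "no machine learning at this stage" scope of the last widget.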