Pull Requests (PRs) are where unsafe code gets its last chance to be caught before it’s merged. But what if it could be verified that developers are trained to avoid those vulnerabilities in the first place?
The new SecureFlag Training GitHub Action automatically confirms that contributors have completed the relevant security training before merging their PRs.
Shift Security Training Left
SecureFlag’s GitHub Action integrates directly into the development process, allowing teams to close knowledge gaps and maintain a safer codebase.
When a PR references a vulnerability, such as XSS or command injection, developers get immediate notification with links to complete the specific training they need.
Here’s how it works:
-
Detects relevant vulnerabilities: The action scans the PR title, description, and commit messages for references to GitHub Security Advisories (GHSA) and fetches their titles.
-
Checks contributor training: It then checks SecureFlag’s platform to see if the contributor has completed the relevant training, either based on the advisories in the PR or the specific training assigned to them.
-
Blocks or approves automatically: If training hasn’t been completed, the action posts a helpful comment on the PR with direct links to the relevant training and temporarily blocks the merge. Once the training is completed, the action can be re-run, and the PR is unblocked.
Why It’s Useful
Many vulnerabilities arise when developers haven’t had the proper training to recognize potential risks. Connecting PR approvals to SecureFlag’s training platform is an effective way to get security insight while working on projects.
Organizations can:
-
Prevent vulnerable code from being merged before training is complete.
-
Provide developers with just-in-time learning that’s relevant to the code they’re writing.
-
Create a stronger culture of security awareness.
Simple to Set Up
The SecureFlag Training GitHub Action is quick to configure and integrates seamlessly into existing workflows.
-
Add it to your repository: Include the action in your GitHub workflow so that every new PR is checked.
-
Connect it to SecureFlag: Provide a few credentials so the action can confirm whether contributors have completed the relevant training.
-
Make it a requirement: Use GitHub’s branch protection settings to block merges until the training check passes.
SecureFlag Brings Training Directly Into Development
SecureFlag delivers secure coding training and integrates it into the software your teams already use. The Training GitHub Action is part of a broader SecureFlag platform designed to provide continuous, hands-on learning.
From the first line of code to deployment, security becomes part of how your team codes, not an interruption to it.
