Pull Requests (PRs) are where unsafe code gets its last chance to be caught before it’s merged. But what if you could verify that developers have completed their assignments and training before those vulnerabilities ever make it to review?
SecureFlag now offers GitHub Actions that help ensure secure development practices directly in your PR workflow.
Verify Assignment Completion
SecureFlag Assignments Check GitHub Action verifies that developers have completed their required SecureFlag assignments before code is merged.
When a PR is submitted or updated:
-
The action gets the committer’s email from the PR.
-
It queries SecureFlag’s platform to verify whether the contributor has completed the required assignments based on the specified check type.
-
If the assignments aren’t complete, a PR comment is created, and the merge is temporarily blocked. However, once they are completed, the action can be re-run to unblock the PR.
Shift Security Training Left
SecureFlag’s Training GitHub Action integrates directly into the development process, allowing teams to close knowledge gaps and maintain a safer codebase.
When a PR references a vulnerability, such as XSS or command injection, developers get immediate notification with links to complete the specific training they need.
Here’s how it works:
-
Detects relevant vulnerabilities: The action scans the PR title, description, and commit messages for references to GitHub Security Advisories (GHSA) and fetches their titles.
-
Checks contributor training: It then checks SecureFlag’s platform to see if the contributor has completed the relevant training, either based on the advisories in the PR or the specific training assigned to them.
-
Blocks or approves automatically: If training hasn’t been completed, the action posts a helpful comment on the PR with direct links to the relevant training and temporarily blocks the merge. Once the training is completed, the action can be re-run, and the PR is unblocked.
Augment SARIF Files with Relevant Learning
SecureFlag Knowledge Base for GitHub Actions SARIF enriches SARIF files (for example, from CodeQL or GitHub Code Scanning uploads) with links to relevant SecureFlag labs.
This makes it straightforward for developers to get practical guidance directly related to the issues detected in automated scans.
Why It’s Useful
Many vulnerabilities arise when developers haven’t had the proper training to recognize potential risks. Connecting PR approvals and SARIF results to SecureFlag is an effective way to:
-
Prevent vulnerable code from being merged before assignments or training are complete.
-
Provide developers with just-in-time learning that’s directly relevant to the code and issues they are working on.
-
Strengthen organizational security knowledge across the software development lifecycle.
Simple to Set Up
All SecureFlag GitHub Actions integrate seamlessly into existing workflows:
-
Add the action to your repository: Include the desired action(s) in your GitHub workflow so PRs are automatically checked.
-
Connect to SecureFlag: Provide credentials and API tokens so the action can confirm training or assignment completion.
-
Set branch protection rules: Block merges until checks pass to enforce compliance.
SecureFlag Brings Learning Directly Into Development
SecureFlag delivers secure coding training and integrates it into the software your teams already use. These GitHub Actions are part of a broader platform created to provide continuous, hands-on learning.
From the first line of code to deployment, security becomes part of how your team codes, not an interruption to it.
