
CI Security

Many security checks can be run automatically on CI runners via GitHub Actions. Running them automatically reduces the risk of an important check being skipped, helps secure the dependencies in our software supply chain, and brings us closer in line with ISO 27001 A.14: System Acquisition, Development & Maintenance.

Add a new security-checks.yml workflow to your .github/workflows folder:

name: 'Security Checks'
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:

We will be adding jobs to this as we go. The top-level `permissions: contents: read` limits the workflow's GITHUB_TOKEN to read-only access; a job that genuinely needs more (for example to post a comment on a pull request) should request it at the job level rather than widening the default.

Auditing dependencies automatically increases the visibility of package vulnerabilities and prompts investigation and resolution. Note the limit of the check: an audit only matches the installed versions against published advisories, so a clean run means no known vulnerability, not no vulnerability.

Patching security vulnerabilities is essential to keep exploitable code out of any codebase. In legacy codebases especially, we have a duty to ensure that old systems do not become vulnerable, particularly when they are co-located with newer systems: a vulnerable system can form an unexpected attack vector and compromise more than just the affected project (potentially the entire server).

Upgrading packages not only fixes security vulnerabilities but also fixes bugs and improves performance.

Add the following job to .github/workflows/security-checks.yml.

jobs:
  npm-dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
      - name: Install dependencies
        # --frozen-lockfile fails the job if package.json and bun.lock disagree,
        # so the audit covers exactly the versions the lockfile pins
        run: bun install --frozen-lockfile
      - name: Scan for vulnerabilities
        run: bun audit
  composer-dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Composer
        uses: php-actions/composer@v6
      - name: Install dependencies
        # --no-scripts stops package install hooks from executing on the runner;
        # nothing here needs them, and they are a supply-chain execution point
        run: composer install --no-interaction --no-scripts --prefer-dist
      - name: Scan for vulnerabilities
        run: composer audit
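
The job above fails on any advisory at all. Where a team wants to block merges only on high or critical findings while still surfacing the rest in the log, the audit output can be post-processed. The script below is an added example for this page, not part of Composer, Laravel or the project's own tooling. It assumes that `composer audit --format=json` produces the `{"advisories": {"vendor/pkg": [{"severity": "high", ...}]}}` shape shown in the embedded sample (an assumption about current Composer releases, labelled as such in the code); the script name, the `--ci` flag and the `AUDIT_MIN_SEVERITY` variable are names chosen here for the example.

```shell
#!/usr/bin/env sh
# audit-gate.sh: fail CI only when `composer audit --format=json` reports an
# advisory at or above a minimum severity. Added example for this page; it is
# not part of Composer, Laravel or the project's own tooling.
#
# Assumption (labelled): the JSON shape {"advisories": {"vendor/pkg":
# [{"severity": "high", ...}]}} matches `composer audit --format=json` on
# current Composer releases. The script name, the --ci flag and the
# AUDIT_MIN_SEVERITY variable are hypothetical names chosen for this example.

# Map a severity label to a number so that levels can be compared.
severity_rank() {
  case "$1" in
    critical) echo 4 ;;
    high)     echo 3 ;;
    medium)   echo 2 ;;
    low)      echo 1 ;;
    *)        echo 0 ;;   # unknown or missing severity ranks lowest
  esac
}

# extract_severities <json>: print one lower-cased severity label per advisory.
# A plain grep/sed extraction is used so the script has no dependency on jq.
extract_severities() {
  printf '%s' "$1" \
    | grep -oE '"severity"[[:space:]]*:[[:space:]]*"[A-Za-z]*"' \
    | sed -E 's/.*"([A-Za-z]*)"$/\1/' \
    | tr 'A-Z' 'a-z'
}

# count_at_or_above <min-severity> <json>: number of advisories that meet or
# exceed <min-severity>.
count_at_or_above() {
  min_rank=$(severity_rank "$1")
  count=0
  for sev in $(extract_severities "$2"); do
    if [ "$(severity_rank "$sev")" -ge "$min_rank" ]; then
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# gate <min-severity> <json>: print a one-line summary and return 1 if any
# advisory meets the threshold, 0 otherwise.
gate() {
  total=$(extract_severities "$2" | wc -l | tr -d ' ')
  blocking=$(count_at_or_above "$1" "$2")
  echo "advisories: $total total, $blocking at or above '$1'"
  [ "$blocking" -eq 0 ]
}

# CI entry point. It only runs when explicitly requested, so the functions
# above can be sourced and tested on a machine without Composer.
if [ "${1:-}" = "--ci" ]; then
  # `composer audit` exits non-zero whenever it finds anything, so capture the
  # JSON regardless of exit status and let gate() decide. --locked audits
  # composer.lock, which is what actually ships.
  report=$(composer audit --format=json --locked --no-interaction) || true
  gate "${AUDIT_MIN_SEVERITY:-high}" "$report"
fi
```

In the workflow this would replace the final step of `composer-dependency-audit` with `run: sh scripts/audit-gate.sh --ci` (a hypothetical path). The threshold is a merge policy, not a reason to ignore lower-severity advisories: every advisory is still counted in the summary line, and the full `composer audit` output should stay visible in the job log.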

The dependency review action (provided by GitHub) scans your pull requests for dependency changes and fails the check if the PR introduces packages with known vulnerabilities or, once an allow or deny list is configured, packages under a disallowed licence. It needs the repository's dependency graph enabled and only understands pull request events, so it has to be skipped on the push trigger of this workflow.

Add the following job to .github/workflows/security-checks.yml.

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    # the action errors out on anything other than a pull request event
    if: github.event_name == 'pull_request'
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v6
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v4

TODO

# PHPStan analysis
./vendor/bin/phpstan analyse

Psalm is used only for its taint analysis; general static analysis is handled by PHPStan.

See documentation here.

# Psalm taint analysis
./vendor/bin/psalm --taint-analysis

Code quality analysis - see here.

# PHP Insights (nunomaduro/phpinsights)
php artisan insights

TODO

We should never put secrets or sensitive data into version control. Accidents still happen, from hardcoded tokens to a misconfigured .gitignore, which is why we use TruffleHog in CI to detect leaked credentials. A CI finding is detection after the fact: a credential that has reached a shared remote must be treated as compromised and rotated, whether or not the offending commit is later rewritten out of the history.

Add the following job to .github/workflows/security-checks.yml.

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # full history, so that commits other than the latest are scanned too
          fetch-depth: 0
      - name: TruffleHog Secret Scan
        uses: trufflesecurity/trufflehog@v3.92.4
        with:
          # report secrets TruffleHog could verify as live and ones it could not
          # check; drop 'unknown' to cut noise once the baseline is clean
          extra_args: --results=verified,unknown
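
TruffleHog in CI catches a leak after it has been pushed. A cheap local check before the commit exists narrows that window. The script below is an added example for this page, not TruffleHog and not the project's own hook: it matches a few well-known credential formats in the lines a commit adds and refuses the commit on a hit. It verifies nothing (TruffleHog's `--results=verified` does), the pattern list is deliberately short, and the script name, the `--hook` flag and the sample diff with its fake key values are all constructed for the example.

```shell
#!/usr/bin/env sh
# pre-commit-secrets.sh: refuse a commit whose *added* lines contain a
# high-confidence credential pattern. Added example for this page; it is a
# lightweight local complement to the TruffleHog job, not TruffleHog itself
# (it matches formats only and verifies nothing). The script name, the --hook
# flag, the pattern list and the sample diff below are constructed for the
# example.

# Anchored formats that are cheap to match and rarely false-positive:
# AWS access key id, GitHub token, Slack token, PEM private key header.
# These are public, documented prefixes, not a complete list.
PATTERNS='AKIA[0-9A-Z]{16}
gh[pousr]_[A-Za-z0-9]{36}
xox[baprs]-[0-9A-Za-z-]{10,}
-----BEGIN( RSA| EC| OPENSSH| DSA)? PRIVATE KEY-----'

# find_hits: read a unified diff on stdin and print one line per added line
# that matches a pattern, prefixed with the pattern that fired. Removed lines
# and the "+++ b/file" header are ignored, so deleting a secret never trips
# the hook (an added line that itself starts with "++ " is dropped too).
find_hits() {
  added=$(grep -E '^\+' | grep -vE '^\+\+\+ ' | sed 's/^+//')
  printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    printf '%s\n' "$added" | grep -E -e "$pat" | while IFS= read -r line; do
      printf '[%s] %s\n' "$pat" "$line"
    done
  done
}

# scan_diff: read a unified diff on stdin; return 1 and report on stderr if
# any added line looks like a credential, 0 otherwise.
scan_diff() {
  hits=$(find_hits)
  if [ -n "$hits" ]; then
    echo "Refusing commit: possible credentials in added lines" >&2
    printf '%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# sample_diff: a constructed diff for demonstration. The key values are fake
# (AKIAIOSFODNN7EXAMPLE is AWS's documented example id; the ghp_ token is
# made up). The removed AKIA line must not trip the hook; the added ghp_ line must.
sample_diff() {
  cat <<'EOF'
diff --git a/config/services.php b/config/services.php
--- a/config/services.php
+++ b/config/services.php
@@ -1,4 +1,5 @@
-    'key' => 'AKIAIOSFODNN7EXAMPLE',
+    'key' => env('AWS_ACCESS_KEY_ID'),
+    'token' => 'ghp_0123456789abcdefghijklmnopqrstuvwxyz',
+    'secret' => env('AWS_SECRET_ACCESS_KEY'),
EOF
}

# Git hook entry point: scan exactly what is staged. Guarded so the functions
# above can be sourced and tested outside a repository.
if [ "${1:-}" = "--hook" ]; then
  git diff --cached --unified=0 | scan_diff
fi
```

Install it by having `.git/hooks/pre-commit` run `exec sh scripts/pre-commit-secrets.sh --hook` (a hypothetical path). Because only added lines are scanned, a commit that removes a secret passes, and the pattern list should be extended with the token formats of the services your project actually uses. A local hook is a convenience for developers, not a control: it can be bypassed with `--no-verify`, which is why the CI job above remains the check of record.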

What to do if Credentials are Leaked to Version Control


TODO: how to wipe git log + rotate tokens

TODO

Automated Testing for Laravel Multi-Tenancy


TODO

TODO

TODO

curl -i https://yourdomain.com

Find the completed security-checks.yml file below, to be tweaked and added into the Laravel project.

name: 'Security Checks'
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:
  # TODO: add the rest of the jobs when finished