Keeping infrastructure secure on every commit with Bridgecrew and GitHub

As a developer-first platform, we are committed to continually improving the technology that powers our platform and the workflows that provide access to it.

We know that in order for teams to harness the value of infrastructure-as-code security fully, it needs to be accessible in existing tools and embedded seamlessly into existing workflows. That’s why we’re always looking for new ways to make the Bridgecrew developer experience better. Our GitHub integration is a huge part of that pursuit.

For over 40 million developers, GitHub is where code happens. And for us at Bridgecrew, that means it's where security should happen too. GitHub was the first VCS we integrated with, and GitHub Actions was the first CI/CD service we natively supported. Since releasing those integrations earlier this year, we have deepened our capabilities to provide more contextual, timely, and actionable feedback.

Integrating Bridgecrew and GitHub

Bridgecrew’s GitHub integration provides Bridgecrew with access to the infrastructure-as-code (IaC) repositories we help keep secure. Bridgecrew has support for scanning Terraform files, CloudFormation templates, Serverless Framework files, Kubernetes YAML, and ARM Templates. Just integrate via our Marketplace App or through the Bridgecrew platform.

Note: Bridgecrew also has support for GitHub Enterprise.

Once integrated, you’ll get instant feedback as to how your infrastructure stacks up against hundreds of policies, security best practices, and known misconfigurations.

Continuous scanning with Bridgecrew and GitHub

To effectively enforce policies within your ever-changing infrastructure code, you need to be able to scan for misconfigurations continuously. The best way to ensure you're not introducing misconfigurations into your IaC, and to enforce policies on every commit or pull request, is to embed scanning directly into the code review process.

When connected to a repository, Bridgecrew now automatically scans whenever changes are pushed to an infrastructure-as-code file. Detected issues will get reported back to GitHub as inline pull request comments containing full details about each failure such as policy name, severity, and resources affected.

To investigate further and take action, head to the Bridgecrew platform where you can see the proposed fix as well as rich context and rationale behind the policy. Bridgecrew’s platform helps teams keep track of violations over time and keep an eye on areas that need attention.

GitHub Actions

In addition to Bridgecrew’s pull request initiated scanning, we also support GitHub Actions to automate IaC scanning as part of your existing build pipeline and test suite.

To connect Bridgecrew to GitHub Actions, store your Bridgecrew API key as a GitHub Actions secret (never as a plaintext value in the workflow file) and add a step such as the following to a job in your workflow. The example references the action by the master branch; for a reproducible, tamper-resistant pipeline, pin the action to a release tag or, better, a full commit SHA instead of a moving branch:

- name: Run Bridgecrew
  id: Bridgecrew
  uses: bridgecrewio/bridgecrew-action@master
  with:
    api-key: ${{ secrets.BRIDGECREW_API_KEY }}
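A complete workflow that runs the step above on every push to an IaC file and on every pull request, written here as an added illustration rather than taken from Bridgecrew's own documentation. The workflow name, the paths filter, the read-only permissions block, and the actions/checkout step are assumptions of this example; the only input passed to the action is the api-key shown on the page.

```yaml
# .github/workflows/bridgecrew.yml (added example; names and filters are assumptions)
name: IaC security scan

on:
  # Scan when IaC files change on a push; the path list is an assumption and
  # should be adjusted to the file types your repository actually contains.
  push:
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'
      - '**.json'
  # Scan every pull request so findings land in code review.
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  bridgecrew:
    runs-on: ubuntu-latest
    steps:
      # The action scans the checked-out working tree, so check out first.
      - uses: actions/checkout@v4

      - name: Run Bridgecrew
        id: Bridgecrew
        # Pin to a release tag or full commit SHA in production instead of a branch.
        uses: bridgecrewio/bridgecrew-action@master
        with:
          # Stored as a repository or organization secret, never committed in plaintext.
          api-key: ${{ secrets.BRIDGECREW_API_KEY }}
```

The pull_request trigger is what makes the scan a merge gate: combine it with a branch protection rule that requires the "bridgecrew" job to pass, and misconfigured templates cannot be merged without an explicit override.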

Regardless of how you do it, enforcing policies consistently and continuously enables you to automatically prevent misconfigurations from being deployed in the first place, saving time and resources spent manually checking configuration or fixing deployed issues down the line.

Pull request fixes

In addition to finding and preventing cloud security issues via IaC scanning, Bridgecrew’s GitHub integration also supports fix implementation. When issues are identified, Bridgecrew provides the fix in the form of a pull request, which includes not just the guidelines and context for the impacted resources and policies but also the actual code that’s ready to merge and deploy.

By implementing security-as-code, Bridgecrew empowers security and engineering teams alike to bypass endless ticket creation and implement fixes where they need to happen—in the source code.

It’s our mission to make cloud security more accessible in the day-to-day engineering processes already in use. We look forward to continuing to deepen our integration with GitHub. Stay tuned!