
Announcing Precaution – A New Open Source GitHub App That Automatically Scans Pull Requests for Security Vulnerabilities


Our team is announcing the initial public release of Precaution, an open source GitHub app that automatically scans pull requests for security issues. With Precaution installed, every pull request opened in your repo is scanned as soon as it is posted by a security linter appropriate to the language: Bandit for Python or gosec for Go.

When the linter finds an issue, Precaution directly annotates the pull request code with a description of the potential problem, significantly reducing the likelihood that insecure code will be merged into your main code base. Precaution is available for installation to your repo from the GitHub app directory. Just click the standard install button to set it up.

The app's annotations flag the problems the underlying linter reports, so their coverage and accuracy match those of the linter being run. Each finding is marked as an ℹ️ Notice, a ⚠️ Warning, or an ❌ Error depending on the severity the linter assigns to it.
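To make the flow concrete, here is an added example (my own code, not Precaution's) of the step that turns a linter report into pull-request annotations. It parses output in the shape of `bandit -f json`, keeps only findings in files the PR touched, and maps Bandit's LOW/MEDIUM/HIGH severities onto the three annotation levels GitHub's Checks API actually accepts (`notice`, `warning`, `failure`; the post's "Error" is GitHub's `failure`). The severity mapping and the Bandit report embedded below are assumptions constructed for the example, not Precaution's configuration. The batching helper exists because the Checks API takes at most 50 annotations per update call, a limit any such app has to handle.

```python
"""Map Bandit JSON findings to GitHub Checks API annotations.

Added example, not Precaution's code. The severity-to-level mapping and
the sample Bandit report are constructed assumptions for illustration.
"""
import json

# GitHub Checks API annotation levels; the post's Notice / Warning / Error
# labels correspond to notice / warning / failure. Mapping is assumed.
SEVERITY_TO_LEVEL = {"LOW": "notice", "MEDIUM": "warning", "HIGH": "failure"}

# Documented Checks API limit: at most 50 annotations per check-run update.
MAX_ANNOTATIONS_PER_REQUEST = 50

# Constructed sample in the shape of `bandit -f json` output (not real scan data).
SAMPLE_BANDIT_JSON = json.dumps({
    "results": [
        {"filename": "app/run.py", "line_number": 12, "line_range": [12, 13],
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue.",
         "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
         "code": "12 subprocess.Popen(cmd, shell=True)\n"},
        {"filename": "app/util.py", "line_number": 4, "line_range": [4],
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Consider possible security implications associated with pickle module.",
         "test_id": "B403", "test_name": "blacklist",
         "code": "4 import pickle\n"},
        {"filename": "vendor/lib.py", "line_number": 30, "line_range": [30],
         "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
         "test_id": "B303", "test_name": "blacklist",
         "code": "30 hashlib.md5(data)\n"},
    ],
    "errors": [],
})


def bandit_to_annotations(bandit_json, changed_files):
    """Return Checks API annotation dicts for findings in files the PR touched.

    Annotations must reference paths present in the checked commit, so
    findings in untouched files are dropped rather than sent.
    """
    report = json.loads(bandit_json)
    annotations = []
    for finding in report.get("results", []):
        path = finding["filename"]
        if path not in changed_files:
            continue
        line_range = finding.get("line_range") or [finding["line_number"]]
        annotations.append({
            "path": path,
            "start_line": min(line_range),
            "end_line": max(line_range),
            # Unknown severities fall back to a warning rather than being hidden.
            "annotation_level": SEVERITY_TO_LEVEL.get(finding["issue_severity"], "warning"),
            "title": f'{finding["test_id"]}: {finding["test_name"]}',
            "message": f'{finding["issue_text"]} (confidence: {finding["issue_confidence"]})',
            "raw_details": finding.get("code", ""),
        })
    return annotations


def conclusion_for(annotations):
    """Check-run conclusion: fail only on a 'failure' finding, neutral on warnings."""
    levels = {a["annotation_level"] for a in annotations}
    if "failure" in levels:
        return "failure"
    if "warning" in levels:
        return "neutral"
    return "success"


def chunk_annotations(annotations, size=MAX_ANNOTATIONS_PER_REQUEST):
    """Split annotations into batches small enough for one check-run update."""
    return [annotations[i:i + size] for i in range(0, len(annotations), size)]


def build_check_run_updates(annotations, title="Bandit security scan"):
    """Request bodies for PATCH /repos/{owner}/{repo}/check-runs/{id}, one per batch."""
    batches = chunk_annotations(annotations) or [[]]
    updates = []
    for i, batch in enumerate(batches):
        body = {"output": {"title": title,
                           "summary": f"{len(annotations)} finding(s) in changed files",
                           "annotations": batch}}
        if i == len(batches) - 1:  # finish the run only with the final batch
            body.update({"status": "completed", "conclusion": conclusion_for(annotations)})
        updates.append(body)
    return updates


if __name__ == "__main__":
    # Assumed: the PR touched these two files; vendor/lib.py is unchanged.
    anns = bandit_to_annotations(SAMPLE_BANDIT_JSON, {"app/run.py", "app/util.py"})
    print(json.dumps(build_check_run_updates(anns), indent=2))
```

Running the module prints the check-run update bodies; the `vendor/lib.py` finding is filtered out because it was not part of the PR, and the run concludes `failure` because of the `shell=True` finding. A real app would send each body with the installation token it receives from the `check_suite` or `pull_request` webhook.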


Currently, Precaution works only for Python and Go, but we’re planning to add additional languages. We welcome contributions from anyone interested in helping us increase Precaution’s reach.

Like many open source innovations, Precaution grew out of a need of our own for which we couldn't find a solution: we wanted a way to easily and automatically scan the code we were writing for potential security issues. It's possible to hand-configure an ad hoc scanner for a specific project, of course. But each time you move on to a new project, you have to write the script fresh, decide which linters to run, choose how the results should be presented to the user, and so on. We figured there ought to be an app that takes all that work off the table.

The solution we came up with makes use of GitHub's Checks API, introduced in May 2018. It lets developers build tools that annotate code directly on GitHub itself; before that, an integration could only attach a status to a commit with a link that took you out to a third-party website. We began thinking about the app in July, worked up a proof of concept over the summer and early fall, and then did the Python and Go coding in the last couple of months. In recent weeks, we've been deploying it ourselves and working on making it more user friendly. Now we're inviting other users to give it a try. Let us know what you think, and contribute too if you can.

Looking ahead, in addition to adding new languages and linters, we'd like to make it possible to customize which linter checks run on your code. A particular check might produce a lot of false positives on your code base, for example, or the linter might flag issues that aren't a real concern for the kind of code you are writing. So we'd like to offer the option of choosing which checks run automatically.

When we have new functionality like that to announce, we'll let you know here, so be sure to stay tuned to the Open Source Blog and follow us on Twitter (@vmwopensource) for updates.