JS Security Testing in GitHub Actions
I attended a workshop on security testing during Node Congress 2022.

Here are some key takeaways:

Dynamic Application Security Testing

StackHawk is a DAST tool built on OWASP ZAP. It scans a running application and then displays the results on a dashboard, with each scan's findings classified by severity.

I integrated StackHawk with my Next.js blog using GitHub Actions. Two config files have to be added before StackHawk can start scanning: the GitHub workflow file, and the StackHawk configuration file that contains the endpoint to scan.
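As an added example (not the files from my blog's repository), here is what those two files can look like for a Next.js app: the workflow builds and starts the app on the runner, waits for it to answer, and then runs HawkScan against it; the `applicationId`, the `HAWK_API_KEY` secret name, the Node version and port 3000 are assumptions you would replace with your own values.

```yaml
# .github/workflows/stackhawk.yml (added example, not the post's own file)
name: StackHawk DAST scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed; match your project
      - run: npm ci
      - run: npm run build
      # Start Next.js in the background so the scanner has a live target.
      - run: npm run start &
      # Wait (up to ~60s) until the app answers before scanning.
      - run: |
          for i in $(seq 1 30); do
            curl -sf http://localhost:3000 > /dev/null && break
            sleep 2
          done
      - name: Run HawkScan
        uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}   # API key stored as a repo secret
---
# stackhawk.yml, read by HawkScan from the repository root
app:
  applicationId: 00000000-0000-0000-0000-000000000000  # placeholder; use your app's ID
  env: Development
  host: http://localhost:3000        # the endpoint to scan (the app started above)
hawk:
  failureThreshold: high             # fail the job on findings of this severity or above
```

The scan results still show up on the StackHawk dashboard; the threshold only decides whether the workflow run itself goes red.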

What I find particularly interesting with this tool is that for each potential security risk, there is a clear explanation of the problem. From this explanation, you decide how to act on the issue.