Setting up a custom security analyzer in SourceCraft

In this tutorial, you will set up SourceCraft not only to help you with coding but also to scan your code for vulnerabilities and misconfigurations. You will do this by connecting a code analyzer and a linter to the repository and surfacing the scan results directly in the pull request.

To set up a custom analyzer in a SourceCraft repository:

  1. Create a repository.
  2. Set up an analyzer.
  3. Create a pull request.
  4. Check the result.

If you no longer need the resources you created, delete them.

Create a repository

Create a repository in SourceCraft and enable security scanning.

  1. Open the service home page.

  2. In the left-hand panel, click Create repository.

  3. In the window that opens, select Blank repository.

  4. Under Your new repository details:

    • In the Owner field, select the organization.

    • In the Name field, specify a name for the repository.

      The name must be unique within the organization. The name may contain the following ASCII characters: lowercase and uppercase Latin letters, numbers, commas, hyphens, and underscores.

      The address to access the repository at is displayed below the name.

  5. Under Configuration, enable Initialize repository with a README.

  6. Click Create repository.

  7. Wait until the repository is created, then navigate to Security under Repository settings on the repository page.

  8. Enable Security scanning.

Set up an analyzer

Set up CI/CD to run a custom security analyzer. To do this, create a configuration file that defines two pipelines: one that runs golangci-lint and one that runs Semgrep, a static analysis tool.

For SourceCraft integration, make sure your analyzers output their results in SARIF format. SARIF standardizes static analysis results so that the platform can import them and show them in its UI.
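The pipeline below only runs `cat` on the SARIF file before uploading it. As an added example, not part of the tutorial or of the scan-result-uploader image, here is a small Node.js check that a SARIF 2.1.0 file is well-formed and that summarizes its findings per level and rule, so a broken or empty report is noticed before upload. The field checks, the gating threshold and the sample document (including its rule IDs and line numbers) are constructed assumptions.

```javascript
// Added example (not from the SourceCraft tutorial or the scan-result-uploader image):
// validate a SARIF 2.1.0 file and summarize its findings before it is uploaded.
// The sample document below is constructed for illustration; its second rule ID and
// the line numbers are made up.
const SAMPLE_SARIF = JSON.stringify({
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "Semgrep OSS" } },
    results: [
      {
        ruleId: "javascript.express.security.audit.express-open-redirect.express-open-redirect",
        level: "warning",
        message: { text: "The application redirects to a URL specified by user-supplied input" },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: "routes/redirect.ts" }, region: { startLine: 12 } } }]
      },
      {
        ruleId: "javascript.lang.security.audit.constructed-example-rule", // constructed
        level: "error",
        message: { text: "constructed second finding" },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: "routes/redirect.ts" }, region: { startLine: 30 } } }]
      }
    ]
  }]
});

// SARIF result levels, ordered so a pipeline can gate on "at least this severe".
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Parses SARIF text and returns a summary; throws on anything an uploader could not use.
function summarizeSarif(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (err) {
    throw new Error(`not valid JSON: ${err.message}`);
  }
  if (doc.version !== "2.1.0") throw new Error(`unsupported SARIF version: ${doc.version}`);
  if (!Array.isArray(doc.runs) || doc.runs.length === 0) throw new Error("no runs[] in SARIF");

  const summary = { tools: [], total: 0, byLevel: {}, byRule: {}, findings: [] };
  for (const run of doc.runs) {
    const toolName = run.tool && run.tool.driver && run.tool.driver.name;
    if (!toolName) throw new Error("run without tool.driver.name");
    summary.tools.push(toolName);
    for (const result of run.results || []) {
      if (typeof result.ruleId !== "string") throw new Error("result without ruleId");
      // SARIF defaults the level to "warning" when neither the result nor its rule sets one.
      const level = result.level || "warning";
      if (!(level in LEVEL_RANK)) throw new Error(`unknown level: ${level}`);
      const phys = result.locations && result.locations[0] && result.locations[0].physicalLocation;
      const uri = (phys && phys.artifactLocation && phys.artifactLocation.uri) || "<no location>";
      const line = (phys && phys.region && phys.region.startLine) || 0;
      summary.total += 1;
      summary.byLevel[level] = (summary.byLevel[level] || 0) + 1;
      summary.byRule[result.ruleId] = (summary.byRule[result.ruleId] || 0) + 1;
      summary.findings.push({ tool: toolName, ruleId: result.ruleId, level, uri, line,
        message: (result.message && result.message.text) || "" });
    }
  }
  return summary;
}

// True when any finding is at or above minLevel; a pipeline step can fail on this.
function hasFindingsAtOrAbove(summary, minLevel) {
  return summary.findings.some((f) => LEVEL_RANK[f.level] >= LEVEL_RANK[minLevel]);
}

// Usage: node check-sarif.js [path/to/result.sarif]; without a path the constructed sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const text = path ? require("fs").readFileSync(path, "utf8") : SAMPLE_SARIF;
  const summary = summarizeSarif(text);
  for (const f of summary.findings) console.log(`${f.level.padEnd(7)} ${f.uri}:${f.line} ${f.ruleId}`);
  console.log(`${summary.total} finding(s) from ${summary.tools.join(", ")}`, summary.byLevel);
  // Only gate when a real file was checked, so the sample run always exits cleanly.
  if (path) process.exitCode = hasFindingsAtOrAbove(summary, "error") ? 1 : 0;
}
```

Run it as `node check-sarif.js $SOURCECRAFT_WORKSPACE/result.sarif` in place of the `cat` command if the image used for that cube has Node.js available (an assumption; the tutorial does not specify an image for that step). The `|| true` on the scanner commands keeps the pipeline alive so results are uploaded; a check like this one is where you would decide whether an error-level finding should also fail the check.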

  1. On the Home tab, navigate to Your craftspace Repositories.

  2. Select the repository you created earlier.

  3. Under Code on the repository page, go to Overview.

  4. Click New File.

  5. In the window that opens, specify the .sourcecraft/ci.yaml file path and click Create file.

  6. Insert the following code:

    # Triggers: which workflows run on pull requests and on pushes
    on:
      pull_request:
        - workflows: [ security-pipeline1, security-pipeline2 ]
          filter:
            source_branches: [ "**" ]
            target_branches: [ "main", "develop" ]
    
      push:
        # Both workflows are defined below; a push to a protected branch runs the same scans
        - workflows: [ security-pipeline1, security-pipeline2 ]
          filter:
            branches: [ "main", "develop" ]
    
    workflows:
      security-pipeline1:
        tasks:
          - name: golangci-lint-security-scan
            cubes:
              # Prints the build environment (including SOURCECRAFT_WORKSPACE) for debugging
              - name: env
                script:
                  - env
              # Step 1: Run your security scanner
              - name: run-security-scanner
                image:
                  name: golangci/golangci-lint:v2.5.0-alpine
                script:
                  - cd $SOURCECRAFT_WORKSPACE
                  # "|| true" keeps the pipeline going when the linter reports issues,
                  # so the SARIF file is still uploaded in step 3
                  - golangci-lint run --output.sarif.path $SOURCECRAFT_WORKSPACE/result.sarif || true
    
              # Step 2: Optional - Debug/validate results
              - name: validate-scan-results
                script:
                  - cat $SOURCECRAFT_WORKSPACE/result.sarif
    
              # Step 3: Upload results to SourceCraft
              - name: upload-sarif-to-sourcecraft
                image:
                  name: sourcecraft/scan-result-uploader:0.6.0
                script:
                  # Name under which this analyzer's findings are shown in the pull request
                  - export APPSEC_CUSTOM_ENGINE_NAME="golangci-lint"
                  - /app/bin/scan-result-uploader
    
      security-pipeline2:
        tasks:
          - name: semgrep-security-scan
            cubes:
              - name: env
                script:
                  - env
              # Step 1: Run your security scanner
              - name: semgrep-scan
                image:
                  name: semgrep/semgrep:latest
                script:
                  # --config=auto picks rules for the languages found in the workspace;
                  # "|| true" again keeps the pipeline going when findings are reported
                  - semgrep --config=auto --sarif --output $SOURCECRAFT_WORKSPACE/result.sarif $SOURCECRAFT_WORKSPACE || true
    
              # Step 2: Optional - Debug/validate results
              - name: validate-scan-results
                script:
                  - cat $SOURCECRAFT_WORKSPACE/result.sarif
    
              # Step 3: Upload results to SourceCraft
              - name: scan-result-uploader
                image:
                  name: sourcecraft/scan-result-uploader:0.6.0
                script:
                  - export APPSEC_CUSTOM_ENGINE_NAME="Semgrep OSS"
                  - /app/bin/scan-result-uploader
    
  7. In the top-right corner, click Commit changes.

  8. In the window that opens, do the following:

    1. In the Commit message field, enter this comment:

      Setting up a security analyzer
      
    2. Under Commit branch, select Save directly to the branch: main.

    3. Under After commit action, select Just commit.

    4. Click Commit changes.

Create a pull request

Create a test file and a pull request to automatically run security checks.

This example uses test code from OWASP Juice Shop, an intentionally vulnerable web application created for security training. You can check it out in the juice-shop GitHub repository.

  1. On the Home tab, navigate to Your craftspace Repositories.

  2. Select the repository you created earlier.

  3. Under Code on the repository page, go to Overview.

  4. Click New File.

  5. In the window that opens, specify the path with the file name, e.g., routes/redirect.ts, and click Create file.

  6. Copy and paste the code from the relevant file in the juice-shop repository.

  7. In the top-right corner, click Commit changes.

  8. In the window that opens, do the following:

    1. In the Commit message field, enter this comment:

      Security analyzer test code
      
    2. Under Commit branch, select Create a new branch for these changes and enter test-analyzer for branch name.

    3. Under After commit action, select Commit and create a new pull request.

    4. Click Commit changes.

  9. In the Create pull request window that opens, click Publish pull request in the top-right corner.

    You will now see the pull request page showing the checks currently running. Refresh it and wait for the security-pipeline1 and security-pipeline2 checks to complete.

Check the result

The security scan output shown on the pull request page contains the following information:

  • Comments and warnings from the pull request author.
  • A list of results from the configured analyzers and linters.
  • Detailed descriptions of the detected issues with their locations in the code.

  1. On the Home tab, navigate to Your craftspace Repositories.

  2. Select the repository you created earlier.

  3. Under Code on the repository page, go to Pull requests.

  4. Select the test-analyzer pull request.

  5. Under Activity, review the comments from SourceCraft Security Bot.

    Here is an example of a comment based on the check results:

    ...
    res.redirect(toUrl)
    ...
    
    🔒 [Semgrep OSS] has found the potential problem
    
    ⚠️ Problem: The application redirects to a URL specified by user-supplied input query that is not
    validated. This could redirect users to malicious locations. Consider using an allow-list approach
    to validate URLs, or warn users they are being redirected to a third-party website.
    
    Short Description: Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect
    
    Full Description: The application redirects to a URL specified by user-supplied input $REQ that is
    not validated. This could redirect users to malicious locations. Consider using an allow-list
    approach to validate URLs, or warn users they are being redirected to a third-party website.
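
    The finding recommends an allow-list approach. As an added example, not part of the tutorial and not code from OWASP Juice Shop, here is one way to apply it to an Express-style redirect route in Node.js: the target is accepted only if it is a same-origin path or an absolute http(s) URL whose host is on a fixed list. The host list, the `to` query parameter and the 400 response are assumptions for illustration.

```javascript
// Added example (not from the SourceCraft tutorial or from OWASP Juice Shop): allow-list
// validation of a redirect target, the mitigation the scanner's finding text recommends.

// Assumption: hosts the application is willing to redirect to.
const ALLOWED_HOSTS = new Set(["example.com", "docs.example.com"]);

// Returns true only for same-origin paths or absolute http(s) URLs on an allowed host.
function isAllowedRedirect(target) {
  // Express may hand back an array for repeated query parameters; only a plain string is acceptable.
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) return false;
  if (target.startsWith("/")) {
    // Same-origin path. Browsers treat "//host" and "/\host" as scheme-relative URLs to
    // another host, so a second slash or a backslash is rejected.
    return !/^\/[\/\\]/.test(target);
  }
  let url;
  try {
    url = new URL(target); // throws for relative or malformed input such as "\\evil.example"
  } catch (err) {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false; // rejects javascript:, data:, ...
  if (url.username !== "" || url.password !== "") return false; // "https://example.com@other.example" parses with a userinfo part
  // hostname is lowercased by the parser; the port is deliberately not part of the decision.
  return ALLOWED_HOSTS.has(url.hostname);
}

// Express-style handler in the shape of the route the scanner flagged.
// `req.query.to` is the assumed parameter name.
function redirectHandler(req, res) {
  const toUrl = req.query.to;
  if (!isAllowedRedirect(toUrl)) {
    res.status(400).send("Unrecognized target URL for redirect");
    return;
  }
  res.redirect(toUrl);
}

// Minimal stand-in for an Express response so the handler can be exercised without a server.
function fakeResponse() {
  return {
    code: 200, redirectedTo: null, body: null,
    status(c) { this.code = c; return this; },
    send(b) { this.body = b; return this; },
    redirect(u) { this.redirectedTo = u; return this; }
  };
}
```

Mounted as `app.get('/redirect', redirectHandler)`, the same `res.redirect(toUrl)` call from the finding remains, but it is only reached for targets that passed the list check, so the open-redirect rule no longer has a path from unvalidated input to the sink.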
    

How to delete the resources you created

If you no longer need the repository you created, delete it.
