New Accurics App Gives GitHub Users New Code Scanning Feature
- By John K. Waters
- October 8, 2020
Cloud security provider Accurics this week announced a new GitHub application designed to further automate the programmatic enforcement of security policies throughout the software development workflow.
The Accurics platform and the Terrascan tool for detecting compliance and security violations across Infrastructure as Code (IaC) have both been accessible through GitHub Actions for a while. Terrascan is accessible through the popular Super-Linter action. The Accurics platform is available through the company's own action.
The new GitHub App adds an option for the automation of that enforcement, explained Accurics developer advocate Jon Jarboe, in a blog post. It provides a library of more than 500 policies aligned with compliance standards, such as the CIS benchmark. New commits and pull requests are automatically scanned for policy violations, and when security risks are found, they are added to the PR and/or repo as issues.
By adding Accurics to code scanning, any GitHub user can automate the elimination of security risks from their infrastructure as code before and after deployment, Jarboe said.
"Given the success of high-velocity DevOps teams, we believe that self-healing infrastructure is the only way to embed security into DevOps without breaking it," Jarboe added. "Reactive processes that require manual actions simply cannot keep up. The rapid adoption of infrastructure as code provides an excellent opportunity to implement guardrails throughout the development lifecycle, starting in the earliest stages.
The new GitHub Accurics App was part of the GitHub announcement this week for integration with new third-party code scanning tools for IaC and container scanning.
"By expanding our GitHub security ecosystem, developers can use their tools of choice for any of their projects on GitHub, all within the native GitHub experience they love," said GitHub senior business development manager Jose Palafox, in a blog post. "Our integrations tightly couple the developer workflow with a security review through GitHub Actions and Apps."
Along with Accurics, GitHub announced integrations with 42Crunch (API Contract Security Audit), Bridgecrew (developer-first platform for streamlining cloud security), Snyk Infrastructure as Code and Snyk Container security platforms, Aqua Security (pure-play cloud native security company), and Anchore (enterprise container security workflow solution).
The Pleasanton, CA-based Accurics focuses on enabling "immutable security for immutable infrastructure, so that organizations can embrace cloud native technologies with confidence." The company's namesake solution seamlessly scans IaC for misconfigurations based on common policy frameworks and detects potential breach paths to eliminate risks before cloud infrastructure is provisioned. It then monitors provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture.
"GitHub is a luminary in the software development world," Jarboe said, "and we're excited to work with them to help deliver to their users the ability to programmatically detect and fix security risks through its new code scanning."
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].