Source code repositories are the cornerstone upon which the foundation of DevOps was built. Certainly, GitHub is one of the largest and most popular of these. With the Winter22 release of DigitSec S4, it extends its GitHub integration to add more value to your repository. You can now work through pull requests by exporting S4 Salesforce security scan results in SARIF (Static Analysis Results Interchange Format) back into the pull request comment. This allows you to quickly and easily identify vulnerabilities between your Source (pull request branch) and Destination (master or dev) branch code.
Modern dev teams truly know the value of being able to work with GitHub to exchange and evaluate code. It allows them to see each other’s work more clearly, allowing them to comment, question and track code throughout the software development life cycle (SDLC). Being able to quickly compare the differences between versions of a file is extremely powerful. When integrated properly, S4 will now run a Salesforce security scan on both the Destination code and the Pull Request code. Two scans initiated at the same time!
Our documentation walks through several common scenarios, demonstrating with screenshots what a user might see as they work on their project. In the first scenario, the Master code already contains a vulnerability and the developer is working on an unrelated feature or function in their pull request. The second scenario focuses on a pull request that introduces new issues or alerts into the code. The final scenario describes a developer resolving an issue that existed in the Master code.
Accelerating Salesforce development is one of S4’s key value propositions. We strongly believe that empowering Salesforce developers to identify security vulnerabilities early in the SDLC yields tremendous dividends. It resolves those issues practically as they are written, rather than waiting for a Salesforce security review much later in the process. Exporting S4 scan results in SARIF puts each finding directly into GitHub’s collaboration and issue tracking workflow, where the team already comments on, questions and tracks code.
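The three scenarios above are all cases of the same comparison: match the findings from the Destination (base) scan against the findings from the Pull Request (head) scan and classify each as pre-existing, new or fixed. The following Python is an added illustration of that comparison over SARIF 2.1.0 logs; it is not DigitSec S4 code and does not use S4’s output. The two SARIF documents, the scanner name `hypothetical-apex-scanner`, the rule ids and the file names are all constructed for the example. Findings are matched on the tool’s `partialFingerprints.primaryLocationLineHash` when present (the same property GitHub code scanning uses to de-duplicate alerts); the fallback to rule, file and line number is shown because it is the obvious naive approach, and it is fragile, since unrelated edits that shift lines would make an old finding look new and fixed at the same time.

```python
"""Diff two SARIF 2.1.0 logs (base branch vs. pull-request branch) and
render the delta as a pull-request comment.  Added example with
hand-constructed SARIF documents; not DigitSec S4 code or output."""
import json
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (ruleId, stable location identifier)


def _make_result(rule_id: str, uri: str, line: int, text: str,
                 fingerprint: Optional[str] = None) -> dict:
    """Build one minimal SARIF result object for the constructed samples."""
    result = {
        "ruleId": rule_id,
        "level": "error",
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }
    if fingerprint is not None:
        # Property name GitHub code scanning reads for alert de-duplication.
        result["partialFingerprints"] = {"primaryLocationLineHash": fingerprint}
    return result


def _make_log(results: List[dict]) -> str:
    """Wrap results in a minimal single-run SARIF log (hypothetical tool name)."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": "hypothetical-apex-scanner"}},
        "results": results}]})


# Constructed sample: Destination (master) branch scan.
BASE_SARIF = _make_log([
    _make_result("apex-soql-injection", "classes/AccountCtl.cls", 42,
                 "Dynamic SOQL built from user input", fingerprint="f0a1"),
    _make_result("apex-sharing-missing", "classes/ContactSvc.cls", 7,
                 "Class declared without a sharing keyword", fingerprint="b3c4"),
])

# Constructed sample: Pull Request branch scan.  The SOQL finding moved to
# line 58 (code was added above it) but keeps its fingerprint; the sharing
# finding is gone; a new CRUD/FLS finding appears in a new class.
HEAD_SARIF = _make_log([
    _make_result("apex-soql-injection", "classes/AccountCtl.cls", 58,
                 "Dynamic SOQL built from user input", fingerprint="f0a1"),
    _make_result("apex-crud-fls-missing", "classes/InvoiceExport.cls", 19,
                 "DML performed without a CRUD/FLS check", fingerprint="d5e6"),
])


def result_key(result: dict) -> Key:
    """Stable identity for a finding: prefer the tool's fingerprint, fall back
    to rule + file + line (fragile when unrelated edits shift line numbers)."""
    rule = result.get("ruleId", "")
    fp = result.get("partialFingerprints", {}).get("primaryLocationLineHash")
    if fp:
        return (rule, fp)
    loc = result["locations"][0]["physicalLocation"]
    return (rule, f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}')


def load_results(sarif_text: str) -> Dict[Key, dict]:
    """Parse a SARIF log and index every result across all runs by its key."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {log.get('version')!r}")
    found: Dict[Key, dict] = {}
    for run in log["runs"]:
        for result in run.get("results", []):
            found[result_key(result)] = result
    return found


def diff_sarif(base_text: str, head_text: str) -> Dict[str, List[dict]]:
    """Classify findings as new (head only), fixed (base only) or unchanged."""
    base, head = load_results(base_text), load_results(head_text)
    return {
        "new": [head[k] for k in head if k not in base],
        "fixed": [base[k] for k in base if k not in head],
        "unchanged": [head[k] for k in head if k in base],
    }


def _describe(result: dict) -> str:
    loc = result["locations"][0]["physicalLocation"]
    return f'`{result["ruleId"]}` at {loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'


def format_pr_comment(delta: Dict[str, List[dict]]) -> str:
    """Render the delta as the Markdown body of a pull-request comment."""
    lines = ["### Security scan: Destination vs. Pull Request"]
    for label, items in (("New", delta["new"]), ("Fixed", delta["fixed"]),
                         ("Pre-existing", delta["unchanged"])):
        lines.append(f"- {label}: {len(items)}")
        lines.extend(f"  - {_describe(r)}" for r in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_pr_comment(diff_sarif(BASE_SARIF, HEAD_SARIF)))
```

Run as-is, the script reports one new finding (`apex-crud-fls-missing`, the second scenario), one fixed finding (`apex-sharing-missing`, the third scenario) and one pre-existing finding (`apex-soql-injection`, the first scenario, correctly recognised despite its line number changing from 42 to 58). In a real pipeline the two logs would be the base and head scan exports and the rendered string would be posted through the pull-request comment API rather than printed.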