That Time Our Own Security Tools Came to the Rescue
How SonarCloud and Pixeebot Secured Our Code
Introduction
At Pixee, we rely on our development tools to improve efficiency and maintain the high security standards necessary for today's software applications. That's where our story picks up today. We were seeing duplicate processing in the handling of a downloaded zip file. To eliminate it, we planned to migrate the storage of that zip file from Amazon Elastic File System (EFS) to Amazon S3, a change aimed at simplifying our architecture and boosting performance.
The Problem
During sprint planning, a potential issue was flagged concerning a well-known class of vulnerability in zip handling: Zip Slip. It can occur when extracting files from a zip whose entry names contain path traversal sequences (such as ../), so that an entry is written outside the intended directory. This lets an attacker overwrite important files, leading to remote code execution or other serious side effects.
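To make the defect concrete, here is a small Python extractor that checks every entry name before anything is written to disk. It is an added illustration, not Pixee's or SonarCloud's code; the archive contents, the entry names and the scratch directory are all constructed for the example.

```python
# Added illustration, not Pixee's or SonarCloud's code; all inputs are constructed.
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the entry names that would resolve outside `dest` (nothing is written)."""
    root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # An absolute name replaces `root` on join and "../" is normalised by
            # resolve(); in both cases the prefix check below catches the escape.
            target = (root / name).resolve()
            if PurePosixPath(name).is_absolute() or not target.is_relative_to(root):
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract under `dest`, refusing the whole archive if any entry escapes."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, entries escape {dest}: {bad}")
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written

def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample input: an in-memory zip built from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo() -> tuple[list[str], list[str]]:
    """Run a hostile and a clean archive against a scratch dir; returns (rejected, written)."""
    dest = tempfile.mkdtemp()
    hostile = build_zip({"ok.txt": b"fine", "../../escaped.txt": b"x", "/abs.txt": b"y"})
    clean = build_zip({"docs/": b"", "docs/readme.txt": b"hello"})
    return unsafe_entries(hostile, dest), safe_extract(clean, dest)
```

Checking resolved paths against the destination root, rather than trusting entry names, is the same class of fix that a Zip Slip finding asks for.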
Automated Security Checks Kick In
As the team was completing their work, a pull request was submitted to gather human, test, and tool feedback. The SonarCloud GitHub App immediately began reviewing the new code for security issues. Within minutes, it identified a Zip Slip vulnerability, failing the Quality Gate and blocking the merge.
Our project is configured to share any Sonar findings with Pixeebot. These findings triggered a Pixeebot action that generated a fix for the newly identified vulnerability!
Seamless Security and Development
The developer quickly reviewed Pixeebot's pull request and merged it together with their original changes. This merge corrected the issue, satisfied SonarCloud's Quality Gate, and kept the vulnerability out of the production environment, keeping our customers safer.
Reflection
This experience underscored the invaluable safety net provided by our security tools. It wasn’t just about preventing a potential security issue; it was a testament to how well-integrated solutions can work in concert to not only detect but also rectify issues swiftly and efficiently. Seeing our tools perform flawlessly under pressure was both reassuring and inspiring.
Conclusion
For any of my peers in the software security industry, this incident highlights the importance of automated security within CI/CD pipelines. It's a reminder of the power of tools like SonarCloud and Pixeebot to not only find but fix problems, ensuring that our applications are not just functional but fundamentally secure.
Through proactive security practices and the right tools, we can make significant strides in protecting our infrastructures and data. Let our story be a reminder of the continuous vigilance and innovation needed in our field.
To learn more about integrating Pixeebot with your security tools, head over to https://docs.pixee.ai/code-scanning-tools/overview/