A Practical Guide to Implementing Security Scans in Your Projects Using Projen
Hello everyone! My name is Silviana, and I’m excited to share insights on how to implement enrollment security scans using Projen. Before we dive into the details, let me briefly introduce myself. In my 9-to-6, I’m a software engineer at Handshakes, where I focus on infrastructure as code, CI/CD pipelines, and backend services. During my 6-to-9, I volunteer with tech communities in Singapore, particularly the AWS User Group and the AWS Security Meetup Group. In this article, I’ll guide you through how to leverage Projen to streamline project setup and security scanning.
Key Abbreviations
Before we begin, let’s cover a few abbreviations that will be important throughout this article and the demo.
- SCA: Software Composition Analysis – the process of detecting vulnerabilities in open-source dependencies and third-party libraries.
- SAST: Static Application Security Testing – an approach to identifying security flaws in source code without executing it, focusing on known vulnerabilities such as SQL injection, cross-site scripting (XSS), and hard-coded credentials.
- CI/CD: Continuous Integration/Continuous Deployment – a practice within the DevOps lifecycle to automate software build, test, and deployment processes.
Introduction to Projen
Projen is a powerful project generation tool, particularly suited for managing configurations in modern TypeScript projects. Initially developed by the AWS CDK team, Projen addresses a key pain point in software development: managing the multitude of project configurations such as dependencies, compilers, linters, CI workflows, and security patches. Traditionally, developers have used project templates, GitHub repositories, or scaffolding tools like Create React App. However, these methods often result in manual updates and a significant cognitive load for teams.
Projen automates this configuration management across multiple projects, allowing for easier updates and reduced manual effort. What makes Projen even more compelling is that it offers organization-wide project configuration updates and comes with built-in, strongly typed APIs that work seamlessly with tools like IntelliSense.
Let’s explore how to get started with Projen:
- Ensure you have Node.js, NPM, and Yarn installed.
- Run the following command to scaffold a new TypeScript project:
This command will create a project with default configurations such as ESLint, TypeScript configurations, and .gitignore files. Projen also generates a .projenrc file, which contains the configuration details of your project in a manner similar to AWS CDK apps.
Projen Concepts
To understand how Projen works, we need to look at its key components:
- Components: These represent the self-contained features of a project, such as ESLint configuration or security scanning functionality.
- Tasks: These are the workflows that define how certain activities, such as building or compiling the project, are handled.
- Dependencies: These represent the project’s dependencies and can be automatically managed by Projen.
- Projects: A project is essentially a combination of components, tasks, and dependencies, which can be customized for different languages and use cases (e.g., TypeScript, Python, Java).
CI/CD Flow with Security
Let’s take a look at how a typical software engineer might work with CI/CD and security scans in their project. We’ll follow the journey of our engineer, Ash, through a typical development cycle.
- Local Development: Ash starts by writing code on their local machine. Ideally, Ash should run a security scan locally before pushing code to the repository. This can be automated using a Projen task.
- CI Process: Ash pushes their code to a repository, which triggers a pull request (PR). A CI workflow will run to test the code and execute security scans such as SCA (Software Composition Analysis) and SAST.
- CD Process: Once the PR is approved and merged into the main branch, the CD pipeline will deploy the changes.
Projen can generate GitHub workflows for both SCA and SAST security scans. You can also configure Projen tasks to run security scans locally to catch vulnerabilities early.
Live Demo: Projen in Action
Now, let’s look at how to implement security scanning in Projen. I’ve created a Projen project that includes a security scanning component using the tool Snyk. You can check the live demo here. In summary, here’s how you can set it up:
In your Projen project, add the SCA and SAST components by extending the base TypeScriptProject class.
- Create a new task in the .projenrc file that defines how to run the Snyk security scan locally:

    // Register the task on the project, then add the command it runs
    const snykScan = this.addTask('snyk:scan');
    snykScan.exec('snyk test');

- Projen will also generate GitHub workflows to automate these scans as part of your CI/CD pipeline. For example:

    jobs:
      security-scan:
        runs-on: ubuntu-latest
        steps:
          - name: Run Snyk Test
            run: snyk test
Projen’s Use of JSII
One of the key features of Projen is its use of jsii, a technology that allows JavaScript and TypeScript libraries to be consumed in other programming languages such as Python, Java, and .NET. This is what allows Projen to support multiple programming languages while being implemented in TypeScript.
For instance, in my security scanning project, I’ve written components in TypeScript but have also created corresponding Python and Java projects. These projects inherit from the base TypeScript project, which demonstrates the versatility of jsii in cross-language library development.
Security Scanning Implementation in Projen
Let’s get into the details of how we implemented the security scanning component in our Projen project.
- Initialize the Project: Start by creating a Projen project using npx projen new typescript and extend the TypeScriptProject class to add the Snyk security scanning component.
- Create a Security Scan Task: Inside your .projenrc file, add the security scan task:

    this.addTask('sca', {
      exec: 'snyk test',
    });

- Create GitHub Workflows: Projen will automatically generate the necessary GitHub workflows to run SCA and SAST during your CI process. If any vulnerabilities are detected, the workflow will fail, ensuring that insecure code doesn’t make it to production.
- Run the Security Scans: Once the tasks and workflows are set up, you can run the security scans locally using Projen’s task runner:

    npx projen sca
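The workflow-failure rule from the steps above, written out as an added example (not code from the article's demo project): a gate that a task could run over the output of `snyk test --json`. The `gate` function, its exit-code convention and the report field names (`vulnerabilities`, `id`, `severity`, `packageName`, `version`, `error`) are assumptions, and the sample reports are constructed.

```typescript
// Added example. Field names follow the assumed shape of `snyk test --json`.
type Severity = "low" | "medium" | "high" | "critical";
const RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

interface Finding { id: string; severity: Severity; packageName: string; version: string }
// exitCode is this example's own convention: 0 pass, 1 blocking findings, 2 scan failed.
interface GateResult { exitCode: number; blocking: Finding[]; reason: string }

// Constructed sample reports (not real scan output). The first issue appears
// twice because it is reachable through two dependency paths.
const SAMPLE_REPORT = JSON.stringify({
  ok: false,
  vulnerabilities: [
    { id: "EXAMPLE-ISSUE-1", severity: "high", packageName: "demo-parser", version: "1.0.0", from: ["app", "a"] },
    { id: "EXAMPLE-ISSUE-1", severity: "high", packageName: "demo-parser", version: "1.0.0", from: ["app", "b"] },
    { id: "EXAMPLE-ISSUE-2", severity: "low", packageName: "demo-logger", version: "2.3.1", from: ["app"] },
  ],
});
const SAMPLE_ERROR = JSON.stringify({ ok: false, error: "authentication failed (constructed)" });

// Decide the CI outcome from raw scanner output. Anything that is not a
// well-formed report fails closed, so a broken or unauthenticated scan is
// never mistaken for a clean one.
function gate(rawJson: string, threshold: Severity): GateResult {
  let report: any;
  try {
    report = JSON.parse(rawJson);
  } catch (_err) {
    return { exitCode: 2, blocking: [], reason: "scanner output is not valid JSON" };
  }
  if (report === null || typeof report !== "object" || !Array.isArray(report.vulnerabilities)) {
    const detail = report && typeof report.error === "string" ? report.error : "no vulnerabilities array";
    return { exitCode: 2, blocking: [], reason: `scan did not complete: ${detail}` };
  }
  // Keep one entry per issue id and package version.
  const unique = new Map<string, Finding>();
  report.vulnerabilities.forEach((v: any) => {
    // An unrecognised or missing severity counts as critical rather than being ignored.
    const known = v !== null && typeof v === "object" && typeof RANK[v.severity as Severity] === "number";
    const severity: Severity = known ? v.severity : "critical";
    const f: Finding = { id: String(v?.id), severity, packageName: String(v?.packageName), version: String(v?.version) };
    unique.set(`${f.id}|${f.packageName}@${f.version}`, f);
  });
  const blocking = Array.from(unique.values())
    .filter((f) => RANK[f.severity] >= RANK[threshold])
    .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
  const reason = `${blocking.length} finding(s) at or above ${threshold}`;
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking, reason };
}
```

A wrapper script would read the scanner output, call `gate` with the team's chosen threshold, print `reason`, and exit with `exitCode` so both the local task and the CI job stop on the same condition.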
Conclusion
Projen is a robust tool that not only simplifies the process of managing configurations for TypeScript projects but also enables seamless security scanning integration. By automating both local and CI/CD security scans, Projen helps to ensure that vulnerabilities are caught early in the development lifecycle, making it easier for teams to maintain secure codebases. With the added benefit of jsii, you can write your projects in TypeScript and use them across multiple programming languages.
Thank you for reading! I hope this article has given you valuable insights into implementing security scans in your projects using Projen. If you have any questions or want to connect, feel free to reach out to me via LinkedIn or at one of the AWS User Group meetups in Singapore.