
SecureFlag Knowledge Base

GitHub App

Contextual software security microtraining for issues and pull requests, powered by the SecureFlag knowledge base.

This app responds to issues and pull requests that mention security vulnerabilities, with information from the SecureFlag Knowledge Base. Each reply includes an overview of everything a developer needs to know in order to understand and remediate a given type of vulnerability, including example code!

We know that not all developers are security professionals, so CWE (Common Weakness Enumeration) numbers for common vulnerabilities are mapped to Knowledge Base entries, which give an easier-to-digest description of each vulnerability.

Usage

Issues and Pull Requests

Simply mention a software vulnerability by name or CWE number in a pull request or issue, in either the title or body, and the bot will reply. Common abbreviations are supported as well.

For example:

Hey, there's a CSRF vulnerability here. Please fix ASAP.

Thanks for spotting this. This pull request fixes the vuln mentioned in issue 123. CWE 352.

Hm, there is another cross site request forgery vulnerability. Please audit all HTML forms.

All three of the messages above produce the single response shown below:

Example of the GitHub bot replying to an issue

You can expand the "Read More" section to view further details as well.

Example of the expanded "Read More" section from a bot reply
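As an added illustration, not the app's own code, the Python below shows how mentions by name, common abbreviation or CWE number in the three messages above could be resolved to one de-duplicated Knowledge Base reply. The alias table and advice strings are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample of a knowledge base keyed by CWE id. The aliases and
# advice text are assumptions for this example, not SecureFlag's own data.
KB: Dict[int, dict] = {
    352: {"title": "Cross-Site Request Forgery",
          "aliases": ["csrf", "xsrf", "cross site request forgery"],
          "advice": "Use per-session anti-CSRF tokens on state-changing forms."},
    79: {"title": "Cross-Site Scripting",
         "aliases": ["xss", "cross site scripting"],
         "advice": "Contextually encode untrusted output and set a CSP."},
}

# "CWE 352", "CWE-352" and "cwe352" all resolve to the same id; a bare number
# such as "issue 123" has no CWE prefix and is therefore not a mention.
CWE_RE = re.compile(r"\bCWE[\s-]*(\d{1,5})\b", re.IGNORECASE)


def normalise(text: str) -> str:
    """Lower-case and collapse hyphens/whitespace so 'Cross-Site' == 'cross site'."""
    return re.sub(r"[\s_-]+", " ", text.lower()).strip()


def find_mentions(text: str) -> List[int]:
    """Return sorted CWE ids mentioned in text by number, name or abbreviation."""
    # Numeric mentions: keep only ids the knowledge base actually covers.
    found = {int(m.group(1)) for m in CWE_RE.finditer(text)} & set(KB)
    norm = normalise(text)
    for cwe, entry in KB.items():
        if any(re.search(rf"\b{re.escape(normalise(a))}\b", norm)
               for a in entry["aliases"]):
            found.add(cwe)
    return sorted(found)


def build_reply(messages: Sequence[str]) -> str:
    """One reply for a whole thread: each CWE found across all messages listed once."""
    cwes: List[int] = []
    for msg in messages:
        for cwe in find_mentions(msg):
            if cwe not in cwes:
                cwes.append(cwe)
    lines = [f"CWE-{c}: {KB[c]['title']}\n  {KB[c]['advice']}" for c in cwes]
    return "\n".join(lines)
```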

Vulnerability Alerts from GitHub Code Scanning

When an issue contains a link to a code scanning alert, such as when an issue is created from a vulnerability alert through the GitHub UI, the bot will look at the vulnerability identified and search for applicable remediation advice. Here's how it works step-by-step:

  1. Go to your Code Scanning vulnerability alerts
    GitHub UI showing the Code scanning vulnerability alerts button

  2. Select an alert to make an issue out of, and click the "Create issue" button
    GitHub UI showing the view of a code scanning alert with the "Create issue" button

  3. If the bot finds anything, it will respond!
    SecureFlag Knowledge Base bot responding with remediation advice for a cross-site scripting issue

Feedback

Want a new feature? Something not working right? We want to hear it! Please get in touch with us using our contact form.

SecureFlag Knowledge Base is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.