How to Use Mayhem With Github Actions to Easily Secure Your Applications

At ForAllSecure, our mission is to make security easy to use and easy to integrate with your existing development process. On that note, we’ve released our Mayhem GitHub Action, making it easier than ever to secure your applications using Mayhem in a GitHub CI/CD pipeline (for free!).

In this blog post, we’ll walk through the following:

1. What is the Mayhem GitHub Action?
2. How does the Mayhem GitHub Action Work?
3. How do I integrate the Mayhem GitHub Action?
4. How do I contribute to the Mayhem GitHub Action?

What is the Mayhem GitHub Action?

The Mayhem GitHub action allows you to use Mayhem with GitHub Actions, automating security testing for your applications hosted on GitHub.

How Mayhem Automates Your Workflow 

With the Mayhem Github action, your job as a developer becomes much easier:

1. You integrate the Mayhem GitHub Action into the GitHub repository containing your application source code, executing security testing for your application using Mayhem via a CI/CD pipeline.
2. With Mayhem integrated within a CI/CD pipeline, all new commits to the master or main branch (as well as branch pull requests) will execute a new Mayhem run to test your application.
3. If workflows pass: Great! Mayhem has not detected any issues in the application! No need to continue with the next few steps.

If a workflow fails: Mayhem has identified a defect in the application.

4. You can then create a pull request to then fix the source code causing the vulnerability in the application. Mayhem will then build and test the updated containerized application as well as use previous test cases to ensure that no new defects have been introduced with the update.
5. If the workflow passes in the pull request, then the developer knows that their update not only fixes the previous vulnerability, but also that their update has not introduced any new defects.
6. The developer merges their fix.

As you can see, automating security testing with Mayhem saves not only manual security testing effort, but—more importantly—time. That’s a lot of value from automating the traditional DevSecOps workflow!

How Does the Mayhem GitHub Action Work?

The Mayhem Github Action has two jobs: building your application within a Docker container and testing your containerized application.

For example, a Dockerfile for an application might look like this:

FROM debian:buster-slim as builder1
RUN apt-get update && \
apt-get install -y gcc make libc6-dbg && \
rm -rf /var/lib/apt/lists/*
COPY Mayhemit.c .
RUN gcc Mayhemit.c -o /Mayhemit

image: forallsecure/c-base-executable:latest # fields will be
project: mayhem-examples # overridden at
target: c-base-executable # CI run creation time
duration: 90
cmds:
- cmd: /mayhemit @@

‍

Once the workflow is kicked off, the Mayhem GitHub Action will build the Docker image using the specified Dockerfile and execute a Mayhem run for the containerized target application using the configuration specified in the Mayhemfile. In this case, Mayhem builds and tests the Mayhemit binary.

After Mayhem's test run completes, you'll be able to see your results within your GitHub repo under the code scanning tab, in your pipeline step, or in the Mayhem UI.

Note: Got several applications you’d like to test? No problem, we’ve also made it so that the Mayhem GitHub action can work with multiple targets or applications.

How Do I Integrate the Mayhem GitHub Action?

To integrate the Mayhem GitHub Action into your GitHub repository so that you can take advantage of Mayhem in a CI/CD pipeline, you’ll need to complete the following steps:

1. Register for an account at mayhem.forallsecure.com
2. Set up GitHub Secrets and package visibility settings for your GitHub repository.

1. Add Mayhem_TOKEN as a GitHub Secret. This is your Mayhem token generated at mayhem.forallsecure.com.
2. Ensure your repository's package visibility settings are set to Public to give Mayhem permissions to ingest your Docker image from the GitHub Container Registry.
   (Click on your package in the right-hand pane of your GitHub repository and go to Package Settings. Then, scroll down to Package Visibility and set the package to Public.)

1. Create a Dockerfile for your containerized application.
2. Create a Mayhemfile for configuring the Mayhem run on your containerized target application invoked by the Mayhem GitHub Action.
3. Create a Mayhem.yml workflow at .github/workflows/Mayhem.yml that builds and pushes a Docker image and uses the Mayhem GitHub Action to test your containerized application in a CI pipeline. You will need to specify the location of your Dockerfile and Mayhemfile.

For example, a Mayhem.yml file would look like the following:

name: Mayhem
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}

jobs:
build:
name: 'build'
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
shared: [false]
build_type: [Release]
include:
- os: ubuntu-latest
triplet: x64-linux

steps:
- uses: actions/checkout@v3
with:
submodules: recursive

- name: Log in to the Container registry
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v4.1.1
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

- name: Set lowercase image name
run: |
echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}

- name: Build and push Docker image
uses: docker/build-push-action@v3.2.0
with:
context: .
push: true
file: Dockerfile
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}
labels: ${{ steps.meta.outputs.labels }}

outputs:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH_NAME }}

Mayhem:
needs: build
name: 'fuzz'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
Mayhemfile:
- Mayhem/Mayhemfile.lighttpd
- Mayhem/Mayhemfile.Mayhemit
# Specify one or many Mayhemfiles here

steps:
- uses: actions/checkout@v3

- name: Start analysis for ${{ matrix.Mayhemfile }}
uses: ForAllSecure/Mayhem-action@v1
with:
Mayhem-url: ${{ secrets.Mayhem_URL }}
Mayhem-token: ${{ secrets.Mayhem_TOKEN }}
args: --image ${{ needs.build.outputs.image }} --file ${{ matrix.Mayhemfile }} --duration 60
sarif-output: sarif

- name: Upload SARIF file(s)
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif

‍

Still have questions? Take a look at the mcode-action-examples repository to view working examples. 

How Do I Contribute to the Mayhem GitHub Action?

Developers are more than welcome to fork our Mayhem GitHub Action repository and make any potential changes to the source code that they see fit. After creating your own fork, modify the source code in main.ts and execute make dist-rebuild to rebuild the Mayhem Action. When ready, push your changes and create a pull request for us to review!

If you’d prefer to test your changes before you post them up to us for review, execute the following commands to tag a specific commit and push it to your remote forked repo:

git tag v1-dev
git push origin v1-dev

- name: Start analysis for ${{ matrix.Mayhemfile }}
uses: Andrew5194/Mayhem-action@v1-dev

Summary

The Mayhem GitHub action allows you to use Mayhem with GitHub Actions. If you have any feedback, feel free to either create an issue on our Mayhem GitHub Action repo, create your own fork accompanied by a pull request, or contact us at community.forallsecure.com.

‍

{{code-cta}}