No results found.

Security & Risk October 2023

Automated CI Malware & Vulnerability Scanning

Malware detection, static security analysis, and dependency vulnerability scanning integrated as CI gates — running on every code change, blocking on detection, and alerting on new CVEs against installed package versions.

Every PR
Scan cadence
Pre-merge
Detection point
0 post-adoption
Supply chain incidents

The Problem

Supply chain attacks against Magento stores are an active and documented threat. Compromised third-party extensions, malicious code injected via stolen developer credentials, and known-vulnerable package versions represent real attack vectors — and they’re silent without active monitoring. A standard code review process doesn’t catch a malicious pattern injected via a dependency; a quarterly security audit doesn’t catch a vulnerable package version introduced last sprint.

The window between code introduction and detection matters. A credit card skimmer that reaches production and runs for weeks is categorically different from one caught before deployment.

The Solution

A three-layer security scanning integration running as CI gates on every code change. No deploy to production without passing all three layers.

Layer 1 — Malware Pattern Detection (SanSec Ecomscan)

SanSec Ecomscan runs against the full application codebase on every PR targeting a production-equivalent branch. The scanner maintains a database of known malicious code patterns: web shells, Magecart credit card skimmer variants, cryptocurrency miners, and general-purpose backdoors common in Magento compromises.

Any match blocks the CI run with the finding and affected file reported in the PR check. False positives are low — the scanner uses signature-based detection tuned specifically for the Magento ecosystem by the team at Sansec, who maintain the most comprehensive Magento malware database publicly available.

Layer 2 — Static Security Analysis (Semgrep)

Custom Semgrep rulesets written for Magento-specific security patterns. Standard open-source PHP rulesets catch generic issues; the custom ruleset catches Magento-specific ones:

  • Unescaped output in PHTML templates: echo $variable or print in template files without escapeHtml() — XSS risk
  • SQL string concatenation: Query construction using string operators rather than parameterised queries or the Magento resource connection query builder
  • Missing ACL on admin controllers: Admin endpoints without _isAllowed() implementation
  • Direct object reference patterns: Loading model by user-supplied ID without ownership verification
  • Session fixation patterns: Session ID retention across authentication state change

Semgrep runs on changed files per PR (fast, targeted) with a full repository scan run weekly on the main branch (comprehensive, slower). Per-PR scan completes in under 60 seconds.

Layer 3 — Dependency Vulnerability Scanning

composer audit: Runs on every PR. Checks installed PHP packages against the PHP Security Advisories database. Any package with a known CVE that matches the installed version range surfaces as a CI warning (or block, depending on severity tier).

Trivy: Docker image scanning against the container manifest. Catches OS-level vulnerabilities in the PHP base image, web server packages, and other system dependencies — the layer below PHP that composer audit doesn’t see.

Dependabot: Monitors the dependency graph and opens PRs automatically when new CVEs are published against installed versions. PRs carry the CVE detail, severity, and whether a fix is available. The response pipeline picks these up for critical severity findings.

Gate Integration

All three layers run as parallel GitHub Actions jobs. Results aggregate to the PR check suite:

  • Clean: single green check with a brief “no findings” summary
  • Findings: failed check with finding detail, affected file or package, and (for Semgrep) a link to the relevant rule documentation

Merge is blocked on any failed gate. Override requires an authorised engineer to explicitly dismiss the finding with a recorded justification — no silent bypasses.

Impact

The detection point for new security issues has moved from post-production audit to pre-merge CI check. Issues caught at the PR stage cost minutes to address. Issues caught post-production cost incident response time, potential customer impact, and the reputational overhead of a security incident.

The continuous Dependabot monitoring means new CVEs against production-installed packages surface within hours of publication — the team has awareness and a PR ready before a manual audit would have identified the risk.

No compromised code has reached any managed production store via a supply chain attack since the scanning pipeline was adopted. The pipeline has flagged test files, development tooling, and third-party extension code that matched malware patterns — each finding investigated, assessed, and resolved before reaching production.