Want to find out more? We will be at Embedded World 2023<\/a>, so come and chat with us there<\/a>! We\u2019ll be at stand no. 4-501a in Hall 4.<\/p>\n<\/div>\n
In this post, we explore how GitHub can add value throughout the development lifecycle when designing, building, and deploying systems of this kind.<\/p>\n
Collaborative development<\/span><\/a><\/h2>\nWe know that software development starts with a well-understood plan. The fun part comes once your team has a clear plan, writing the code and shipping incredible experiences for your users! GitHub assists with all areas of the software development cycle, from plan to build, to deployment and continuous feedback.<\/p>\n
Fundamentally, this all starts with version control software. GitHub has been around since 2008, and you probably know the platform because of our Git version control capabilities (though, you\u2019ll understand there\u2019s a lot more to GitHub these days!). Prior to 2008, source code management took many different forms.<\/p>\n
From a software development perspective, storing your code in version control is critical to unlocking the many benefits that we can gain from modern software engineering practices. Storing our code in a Git repository in GitHub provides:<\/p>\n
\n- A fully traceable history of the development on our codebase.<\/li>\n
- Engineering teams with the ability to work in separate branches, so they don\u2019t interfere with each other’s active work in development.<\/li>\n
- The ability to rollback to a prior version of the codebase if needed.<\/li>\n
- The option to add branch protection rules<\/a> to the production codebase, so that all changes must be peer-reviewed or pass a set of automated quality gates before being merged.<\/li>\n
- And much more!<\/li>\n<\/ul>\n
These few bullet points highlight how version control is vital to developing these critical systems. With a detailed set of historical changes, the ability to add quality gates with branch protection rules and mandatory peer-reviews via pull requests, compliance suddenly becomes part of the process, as opposed to an afterthought or some additional set of boxes to check.<\/p>\n
Security in everything that you do<\/span><\/a><\/h2>\nThink about these types of systems from a security perspective. What happens if someone was able to take over a set of embedded computers in a vehicle? The impact of this would depend on which specific systems, but could potentially be catastrophic. For safety systems, then it could potentially lead to loss of life.<\/p>\n
With that context, security, understandably, should be a high priority for development teams making these critical systems. At GitHub, we believe that security is everyone\u2019s responsibility, and should not be an afterthought, or a one-time review before go-live. Instead, it\u2019s something which can, and should, be incorporated into the development workflow. Just like compliance in the above section, it\u2019s something that becomes a part of what you do every day.<\/p>\n
GitHub has several tools that can help you to bring security into your workflow. Let\u2019s explore some of them a little further.<\/p>\n
Securing the code that you write<\/span><\/a><\/h3>\nOne of your first concerns may be the code that you write. We are human, and we are not perfect, so we don\u2019t always write perfect code. Earlier, we talked about branch protection rules as an option to add quality checks into our development lifecycle. What if we could add security as one of those quality checks, and review the code that we have written?<\/p>\n
This is where GitHub code scanning capabilities come in. You can think of this from two perspectives; CodeQL<\/a> (GitHub\u2019s built-in code analysis engine that powers code scanning) and third-party integrations<\/a>.<\/p>\nCodeQL supports several languages, including C, C++, Java, and Python<\/a>; all common languages when building embedded systems. CodeQL is able to translate your code into a database-like structure. You\u2019re then able to use a number of queries made by GitHub out-of-the-box, and can expand these with queries from the open source community to identify patterns that occur in your codebase, such as injection or buffer overflow vulnerabilities.<\/p>\nA CodeQL scan can be executed as part of the pull request flow that we mentioned earlier. So, security now becomes another check as part of your quality assurance process, before merging code into your production codebase.<\/p>\n
![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image6.png?w=1024&resize=1024%2C743\")
<\/p>\n
In fact, Brittany O\u2019Shea wrote a blog post last year<\/a> about CodeQL queries that implement the standards, CERT C++ and AUTOSAR C++.<\/p>\nBut what if you\u2019re already using some security scanning tools? Not to worry\u2014code scanning integrates with third-party tools, as long as they support the SARIF output format<\/a>.<\/p>\nDepending on secure packages<\/span><\/a><\/h3>\nThe software that you ship isn\u2019t made of just the code you and your team have written. Open source software is increasingly being used, to build on the work of the wider community, rather than reinventing the wheel.<\/p>\n
But now for the important question. How can you be sure that you\u2019re not relying upon a vulnerable dependency in the software that you\u2019re shipping? The answer isn\u2019t to stop relying on open source. Instead, it\u2019s about adopting open source software in a way that you are in control. This includes creating an Open Source Program Office (OSPO)<\/a> in your organization to help manage your open source usage.<\/p>\nGitHub has tools available to help you keep your dependencies up to date. Let\u2019s talk about Dependabot<\/strong> and dependency review<\/strong>.<\/p>\nDependabot is our handy tool to help you keep your dependencies up to date. Dependabot is able to identify if you are already using a package that contains a vulnerability. If you are using an insecure dependency, then it will privately alert you in your repository. This means you can take the appropriate action to expedite fixes and ensure your code is patched with the latest version. You can even directly open a pull request based upon the alert to expedite your fixes.<\/p>\n
But Dependabot can help even further, by keeping your dependency versions proactively up to date. By tracking the contents of supported package manifests (such as Maven, pip, and others)<\/a>, it can open pull requests when more recent package versions are available. The best bit? As it\u2019s a pull request, all of your quality checks must still be met! That includes any automated checks (more on those in a bit), and manual approvals must be met, before the changes can be merged.<\/p>\n![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image1-3.png?w=717&resize=717%2C529\")
<\/p>\n
While Dependabot primarily works on manifests that are already being used in production, what can you do to add guardrails to your quality assurance process? GitHub Advanced Security\u2019s dependency review capability<\/a> can help there.<\/p>\n![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image2-2.png?w=1000&resize=1000%2C464\")
<\/p>\n
The Dependency Review GitHub Action<\/a> is used in a pull request to scan for dependency changes. If a new vulnerability is detected (such as introducing a new package, or adjusting an existing package to a vulnerable version), then an error is raised by the GitHub Action, preventing the pull request from being merged.<\/p>\nKeeping secrets out of the equation<\/span><\/a><\/h3>\nAccording to the IBM \u201cCost of a Data Breach 2022\u201d report<\/a>, exposed secrets and credentials are the most common cause of data breaches and often go untracked. Storing secrets in source control is an anti-pattern and can be problematic in scenarios where you\u2019re shipping software that is accessible to anyone. Think of software being shipped to untrusted hardware devices, such as a lift (or elevator), a car, manufacturing production line equipment or an Internet of Things (IoT) device. Malicious actors may be able to get access to the software running on the device, gain access to any credentials stored locally, and use these secret materials for a breach.<\/p>\n![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image3-2.png?w=676&resize=676%2C241\")
<\/p>\n
Fortunately, GitHub\u2019s secret scanning<\/a> capability can help. It can scan for hundreds of partner patterns<\/a>, and allows you to even define your own custom patterns<\/a>, too. This works well for retrospective scans of your codebase. Buthow do you prevent it from ever entering production? This is where secret scanning push protection<\/a> comes in, which was recently updated to also identify custom patterns<\/a>.<\/p>\nStay in the know<\/span><\/a><\/h3>\nOne of the main challenges from a security perspective is knowing where the weak points may be. As software engineers and engineering leads, we\u2019re typically working in the scope of a project. However, our colleagues in security typically focus on the security posture of the overall organization. For them, it\u2019s important to understand which repositories contain vulnerable code or packages, or whether secrets have been committed into those repositories.<\/p>\n
We know that monitoring and observing these metrics is important, so we provide a security overview in GitHub Enterprise Cloud<\/a>. This visualizes the results from GitHub Advanced Security, so that you have an all-up view of your current coverage and risk areas.<\/p>\n![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image4-2.png?w=1000&resize=1000%2C566\")
<\/p>\n
![\"Screenshot](\"https:\/\/github.blog\/wp-content\/uploads\/2023\/03\/image5-1.png?w=1000&resize=1000%2C531\")
<\/p>\n
If you have invested in security information and event management (SIEM) tooling, then you\u2019ll be pleased to know that there are integrations available with several providers<\/a> to further aid your management and monitoring needs.<\/p>\nEmpowering developers with automation<\/span><\/a><\/h2>\nWe\u2019ve mentioned that these types of software can be critical, so safeguards and controls should be in place. But to empower your developers, you need to give them access to tools to get the job done. That includes the ability to easily build, test, and deploy your software.<\/p>\n
Building on the earlier themes, you can use GitHub branch protection rules<\/a> to ensure certain standards are met before code is ever allowed to be merged into your production codebase. Earlier, we talked about peer reviews and collaboration. But what about using automation to help accelerate the process?<\/p>\nThis is where GitHub Actions<\/a> comes in. GitHub Actions is our CI\/CD solution<\/a> that allows you to automate your software workflows. You can use GitHub Actions in the development lifecycle of your embedded systems to:<\/p>\n\n- Easily share common build and deployment patterns across your engineering teams using reusable workflows<\/a>.<\/li>\n
- Cross-compile across different hardware platforms with GitHub Action\u2019s matrix capabilities<\/a>, or with Arm development tools inside GitHub Actions<\/a> cloud-hosted runners. <\/li>\n
- Automatically build and test software as part of your continuous integration process. In your pull requests, ensure that a successful build takes place, and tests are successful before merging to production.<\/li>\n
- Automatically package and deploy updated firmware images efficiently, so that they are available to end-users timely and efficiently.<\/li>\n
- Automatically deploy firmware updates to embedded systems, by orchestrating updates and releases as part of your CD process. <\/li>\n<\/ul>\n
Continue your journey with GitHub<\/span><\/a><\/h2>\nThis has been a high-level overview of GitHub, and how it can help from an embedded software perspective. With our collaborative platform to empower developer productivity and enable secure development, we\u2019re sure there are many scenarios where GitHub can help you even further.<\/p>\n
These few bullet points highlight how version control is vital to developing these critical systems. With a detailed set of historical changes, the ability to add quality gates with branch protection rules and mandatory peer-reviews via pull requests, compliance suddenly becomes part of the process, as opposed to an afterthought or some additional set of boxes to check.<\/p>\n
Security in everything that you do<\/span><\/a><\/h2>\nThink about these types of systems from a security perspective. What happens if someone was able to take over a set of embedded computers in a vehicle? The impact of this would depend on which specific systems, but could potentially be catastrophic. For safety systems, then it could potentially lead to loss of life.<\/p>\n
With that context, security, understandably, should be a high priority for development teams making these critical systems. At GitHub, we believe that security is everyone\u2019s responsibility, and should not be an afterthought, or a one-time review before go-live. Instead, it\u2019s something which can, and should, be incorporated into the development workflow. Just like compliance in the above section, it\u2019s something that becomes a part of what you do every day.<\/p>\n
GitHub has several tools that can help you to bring security into your workflow. Let\u2019s explore some of them a little further.<\/p>\n
Securing the code that you write<\/span><\/a><\/h3>\nOne of your first concerns may be the code that you write. We are human, and we are not perfect, so we don\u2019t always write perfect code. Earlier, we talked about branch protection rules as an option to add quality checks into our development lifecycle. What if we could add security as one of those quality checks, and review the code that we have written?<\/p>\n
This is where GitHub code scanning capabilities come in. You can think of this from two perspectives; CodeQL<\/a> (GitHub\u2019s built-in code analysis engine that powers code scanning) and third-party integrations<\/a>.<\/p>\nCodeQL supports several languages, including C, C++, Java, and Python<\/a>; all common languages when building embedded systems. CodeQL is able to translate your code into a database-like structure. You\u2019re then able to use a number of queries made by GitHub out-of-the-box, and can expand these with queries from the open source community to identify patterns that occur in your codebase, such as injection or buffer overflow vulnerabilities.<\/p>\nA CodeQL scan can be executed as part of the pull request flow that we mentioned earlier. So, security now becomes another check as part of your quality assurance process, before merging code into your production codebase.<\/p>\n
<\/p>\n
In fact, Brittany O\u2019Shea wrote a blog post last year<\/a> about CodeQL queries that implement the standards, CERT C++ and AUTOSAR C++.<\/p>\nBut what if you\u2019re already using some security scanning tools? Not to worry\u2014code scanning integrates with third-party tools, as long as they support the SARIF output format<\/a>.<\/p>\nDepending on secure packages<\/span><\/a><\/h3>\nThe software that you ship isn\u2019t made of just the code you and your team have written. Open source software is increasingly being used, to build on the work of the wider community, rather than reinventing the wheel.<\/p>\n
But now for the important question. How can you be sure that you\u2019re not relying upon a vulnerable dependency in the software that you\u2019re shipping? The answer isn\u2019t to stop relying on open source. Instead, it\u2019s about adopting open source software in a way that you are in control. This includes creating an Open Source Program Office (OSPO)<\/a> in your organization to help manage your open source usage.<\/p>\nGitHub has tools available to help you keep your dependencies up to date. Let\u2019s talk about Dependabot<\/strong> and dependency review<\/strong>.<\/p>\nDependabot is our handy tool to help you keep your dependencies up to date. Dependabot is able to identify if you are already using a package that contains a vulnerability. If you are using an insecure dependency, then it will privately alert you in your repository. This means you can take the appropriate action to expedite fixes and ensure your code is patched with the latest version. You can even directly open a pull request based upon the alert to expedite your fixes.<\/p>\n
But Dependabot can help even further, by keeping your dependency versions proactively up to date. By tracking the contents of supported package manifests (such as Maven, pip, and others)<\/a>, it can open pull requests when more recent package versions are available. The best bit? As it\u2019s a pull request, all of your quality checks must still be met! That includes any automated checks (more on those in a bit), and manual approvals must be met, before the changes can be merged.<\/p>\n<\/p>\n
While Dependabot primarily works on manifests that are already being used in production, what can you do to add guardrails to your quality assurance process? GitHub Advanced Security\u2019s dependency review capability<\/a> can help there.<\/p>\n<\/p>\n
The Dependency Review GitHub Action<\/a> is used in a pull request to scan for dependency changes. If a new vulnerability is detected (such as introducing a new package, or adjusting an existing package to a vulnerable version), then an error is raised by the GitHub Action, preventing the pull request from being merged.<\/p>\nKeeping secrets out of the equation<\/span><\/a><\/h3>\nAccording to the IBM \u201cCost of a Data Breach 2022\u201d report<\/a>, exposed secrets and credentials are the most common cause of data breaches and often go untracked. Storing secrets in source control is an anti-pattern and can be problematic in scenarios where you\u2019re shipping software that is accessible to anyone. Think of software being shipped to untrusted hardware devices, such as a lift (or elevator), a car, manufacturing production line equipment or an Internet of Things (IoT) device. Malicious actors may be able to get access to the software running on the device, gain access to any credentials stored locally, and use these secret materials for a breach.<\/p>\n<\/p>\n
Fortunately, GitHub\u2019s secret scanning<\/a> capability can help. It can scan for hundreds of partner patterns<\/a>, and allows you to even define your own custom patterns<\/a>, too. This works well for retrospective scans of your codebase. Buthow do you prevent it from ever entering production? This is where secret scanning push protection<\/a> comes in, which was recently updated to also identify custom patterns<\/a>.<\/p>\nStay in the know<\/span><\/a><\/h3>\nOne of the main challenges from a security perspective is knowing where the weak points may be. As software engineers and engineering leads, we\u2019re typically working in the scope of a project. However, our colleagues in security typically focus on the security posture of the overall organization. For them, it\u2019s important to understand which repositories contain vulnerable code or packages, or whether secrets have been committed into those repositories.<\/p>\n
We know that monitoring and observing these metrics is important, so we provide a security overview in GitHub Enterprise Cloud<\/a>. This visualizes the results from GitHub Advanced Security, so that you have an all-up view of your current coverage and risk areas.<\/p>\n<\/p>\n
<\/p>\n
If you have invested in security information and event management (SIEM) tooling, then you\u2019ll be pleased to know that there are integrations available with several providers<\/a> to further aid your management and monitoring needs.<\/p>\nEmpowering developers with automation<\/span><\/a><\/h2>\nWe\u2019ve mentioned that these types of software can be critical, so safeguards and controls should be in place. But to empower your developers, you need to give them access to tools to get the job done. That includes the ability to easily build, test, and deploy your software.<\/p>\n
Building on the earlier themes, you can use GitHub branch protection rules<\/a> to ensure certain standards are met before code is ever allowed to be merged into your production codebase. Earlier, we talked about peer reviews and collaboration. But what about using automation to help accelerate the process?<\/p>\nThis is where GitHub Actions<\/a> comes in. GitHub Actions is our CI\/CD solution<\/a> that allows you to automate your software workflows. You can use GitHub Actions in the development lifecycle of your embedded systems to:<\/p>\n\n- Easily share common build and deployment patterns across your engineering teams using reusable workflows<\/a>.<\/li>\n
- Cross-compile across different hardware platforms with GitHub Action\u2019s matrix capabilities<\/a>, or with Arm development tools inside GitHub Actions<\/a> cloud-hosted runners. <\/li>\n
- Automatically build and test software as part of your continuous integration process. In your pull requests, ensure that a successful build takes place, and tests are successful before merging to production.<\/li>\n
- Automatically package and deploy updated firmware images efficiently, so that they are available to end-users timely and efficiently.<\/li>\n
- Automatically deploy firmware updates to embedded systems, by orchestrating updates and releases as part of your CD process. <\/li>\n<\/ul>\n
Continue your journey with GitHub<\/span><\/a><\/h2>\nThis has been a high-level overview of GitHub, and how it can help from an embedded software perspective. With our collaborative platform to empower developer productivity and enable secure development, we\u2019re sure there are many scenarios where GitHub can help you even further.<\/p>\n
One of your first concerns may be the code that you write. We are human, and we are not perfect, so we don\u2019t always write perfect code. Earlier, we talked about branch protection rules as an option to add quality checks into our development lifecycle. What if we could add security as one of those quality checks, and review the code that we have written?<\/p>\n
This is where GitHub code scanning capabilities come in. You can think of this from two perspectives; CodeQL<\/a> (GitHub\u2019s built-in code analysis engine that powers code scanning) and third-party integrations<\/a>.<\/p>\n CodeQL supports several languages, including C, C++, Java, and Python<\/a>; all common languages when building embedded systems. CodeQL is able to translate your code into a database-like structure. You\u2019re then able to use a number of queries made by GitHub out-of-the-box, and can expand these with queries from the open source community to identify patterns that occur in your codebase, such as injection or buffer overflow vulnerabilities.<\/p>\n A CodeQL scan can be executed as part of the pull request flow that we mentioned earlier. So, security now becomes another check as part of your quality assurance process, before merging code into your production codebase.<\/p>\n In fact, Brittany O\u2019Shea wrote a blog post last year<\/a> about CodeQL queries that implement the standards, CERT C++ and AUTOSAR C++.<\/p>\n But what if you\u2019re already using some security scanning tools? Not to worry\u2014code scanning integrates with third-party tools, as long as they support the SARIF output format<\/a>.<\/p>\n The software that you ship isn\u2019t made of just the code you and your team have written. Open source software is increasingly being used, to build on the work of the wider community, rather than reinventing the wheel.<\/p>\n But now for the important question. How can you be sure that you\u2019re not relying upon a vulnerable dependency in the software that you\u2019re shipping? The answer isn\u2019t to stop relying on open source. Instead, it\u2019s about adopting open source software in a way that you are in control. This includes creating an Open Source Program Office (OSPO)<\/a> in your organization to help manage your open source usage.<\/p>\n GitHub has tools available to help you keep your dependencies up to date. Let\u2019s talk about Dependabot<\/strong> and dependency review<\/strong>.<\/p>\n Dependabot is our handy tool to help you keep your dependencies up to date. Dependabot is able to identify if you are already using a package that contains a vulnerability. If you are using an insecure dependency, then it will privately alert you in your repository. This means you can take the appropriate action to expedite fixes and ensure your code is patched with the latest version. You can even directly open a pull request based upon the alert to expedite your fixes.<\/p>\n But Dependabot can help even further, by keeping your dependency versions proactively up to date. By tracking the contents of supported package manifests (such as Maven, pip, and others)<\/a>, it can open pull requests when more recent package versions are available. The best bit? As it\u2019s a pull request, all of your quality checks must still be met! That includes any automated checks (more on those in a bit), and manual approvals must be met, before the changes can be merged.<\/p>\n While Dependabot primarily works on manifests that are already being used in production, what can you do to add guardrails to your quality assurance process? GitHub Advanced Security\u2019s dependency review capability<\/a> can help there.<\/p>\n The Dependency Review GitHub Action<\/a> is used in a pull request to scan for dependency changes. If a new vulnerability is detected (such as introducing a new package, or adjusting an existing package to a vulnerable version), then an error is raised by the GitHub Action, preventing the pull request from being merged.<\/p>\n According to the IBM \u201cCost of a Data Breach 2022\u201d report<\/a>, exposed secrets and credentials are the most common cause of data breaches and often go untracked. Storing secrets in source control is an anti-pattern and can be problematic in scenarios where you\u2019re shipping software that is accessible to anyone. Think of software being shipped to untrusted hardware devices, such as a lift (or elevator), a car, manufacturing production line equipment or an Internet of Things (IoT) device. Malicious actors may be able to get access to the software running on the device, gain access to any credentials stored locally, and use these secret materials for a breach.<\/p>\n Fortunately, GitHub\u2019s secret scanning<\/a> capability can help. It can scan for hundreds of partner patterns<\/a>, and allows you to even define your own custom patterns<\/a>, too. This works well for retrospective scans of your codebase. Buthow do you prevent it from ever entering production? This is where secret scanning push protection<\/a> comes in, which was recently updated to also identify custom patterns<\/a>.<\/p>\n One of the main challenges from a security perspective is knowing where the weak points may be. As software engineers and engineering leads, we\u2019re typically working in the scope of a project. However, our colleagues in security typically focus on the security posture of the overall organization. For them, it\u2019s important to understand which repositories contain vulnerable code or packages, or whether secrets have been committed into those repositories.<\/p>\n We know that monitoring and observing these metrics is important, so we provide a security overview in GitHub Enterprise Cloud<\/a>. This visualizes the results from GitHub Advanced Security, so that you have an all-up view of your current coverage and risk areas.<\/p>\n If you have invested in security information and event management (SIEM) tooling, then you\u2019ll be pleased to know that there are integrations available with several providers<\/a> to further aid your management and monitoring needs.<\/p>\n We\u2019ve mentioned that these types of software can be critical, so safeguards and controls should be in place. But to empower your developers, you need to give them access to tools to get the job done. That includes the ability to easily build, test, and deploy your software.<\/p>\n Building on the earlier themes, you can use GitHub branch protection rules<\/a> to ensure certain standards are met before code is ever allowed to be merged into your production codebase. Earlier, we talked about peer reviews and collaboration. But what about using automation to help accelerate the process?<\/p>\n This is where GitHub Actions<\/a> comes in. GitHub Actions is our CI\/CD solution<\/a> that allows you to automate your software workflows. You can use GitHub Actions in the development lifecycle of your embedded systems to:<\/p>\n This has been a high-level overview of GitHub, and how it can help from an embedded software perspective. With our collaborative platform to empower developer productivity and enable secure development, we\u2019re sure there are many scenarios where GitHub can help you even further.<\/p>\n<\/p>\nDepending on secure packages<\/span><\/a><\/h3>\n
<\/p>\n<\/p>\nKeeping secrets out of the equation<\/span><\/a><\/h3>\n
<\/p>\nStay in the know<\/span><\/a><\/h3>\n
<\/p>\n<\/p>\nEmpowering developers with automation<\/span><\/a><\/h2>\n
\n
Continue your journey with GitHub<\/span><\/a><\/h2>\n