Mercari simplifies its security and CI/CD with GitHub Advanced Security and Actions.
- Tokyo, Japan
- E-commerce, Fintech
- Number of Seats: 1,400 GitHub Enterprise, 800 GitHub Advanced Security
You splurged on a nice overcoat last year, then wore it just once or twice and realized that it just wasn’t your style. Or maybe it didn’t fit. Or it wasn’t actually suited to the local weather. It was too expensive to just throw out or donate, so what do you do with it? Sell it on Mercari of course. Since their launch in 2013, the customer-to-customer shopping app has become the go-to destination for savvy sellers cleaning out their closets and budget-conscious shoppers alike.
The company continues to grow rapidly. In January 2021 they launched Souzoh, a business-to-consumer business that includes Mercari Shops, which enables retailers to build their own e-commerce stores on the Mercari platform. Mercari has also launched a payment service, Merpay, a mobile payments platform accepted by more than 2.36M merchants and e-commerce sites in Japan.
GitHub, one of the few tools that spans the entire Mercari enterprise, helps developers across the organization stay aligned and collaborate as the company grows and evolves. “Mercari has grown into a significant presence in both Japan and in the United States,” Souzoh Software Engineer Ryuzo Yamamoto says. “This was only possible with GitHub.”
GitHub makes it easy for Mercari’s developers to share code internally. “Innersource is a big part of how we work,” Mr. Yamamoto says. “When employees join, they have access to most of the repositories across the company, so that any team can benefit from the work other teams have already done, or contribute improvements to code maintained by people in other parts of the company.”
Mercari is taking advantage of GitHub’s ubiquity within the company to consolidate their tooling. “One of the big benefits of using GitHub for CI/CD and security automation is that we don’t have to build, deploy, or maintain additional tools because they’re built-in to GitHub,” Mr. Yamamoto says. “That means developers can spend less time managing tools and more time writing code, which is how they’d prefer to spend their time.”
GitHub Advanced Security is one of the newest tools in Mercari’s toolbox. The company began using GitHub Advanced Security in June 2021 as their security team looked to tighten up their secret management processes. Previously Mercari used a secret scanning tool they built in-house by using webhooks to scan each code push. If the application detected a secret, it would send the developer a notification on Slack.
“By switching to secret scanning as part of GitHub Advanced Security, we were able to avoid having to maintain and manage that software ourselves, and can insert the notifications directly into our developers’ GitHub workflow,” Director of Product Security Nikolay Elenkov explains. “It’s easier and faster to take action on an alert now, because there are fewer steps they need to take to view and fix an issue.”
The company primarily uses Go for the backend system and TypeScript for the frontend app, but they use a variety of other languages and frameworks as well. “We have numerous active repositories right now, so it is challenging to try and cover every single technology stack,” he says. “CodeQL supports most of the languages we use.”
Elenkov says adopting GitHub Advanced Security has gone smoothly. “We haven’t seen much of a problem with false positives,” he says. When they encountered a unique situation they were able to partner with GitHub Professional Services to find a solution. “We had some trouble fetching dependencies from private repos when scanning,” Elenkov says. “But with the help of the support team we were able to get it working.”
Placing scanning inside the developer workflow also makes fixing issues more effective: developers spot problems right away, while the code is still fresh in their minds, instead of days, weeks, or even months later, when they may no longer remember the exact context of a particular bug. It also helps keep vulnerabilities and secrets out of production. “Alerting developers to the severity of specific issues helps get them resolved more quickly,” Elenkov says. “Response times depend on the teams, but we have a culture that emphasizes fixing issues quickly.”
GitHub Enterprise security tools are shifting security left for Mercari. “It’s much cheaper to fix things in development than in production, so that’s a big plus for us,” he adds. “By spotting and fixing issues before they’re deployed, we don’t need to schedule a fix or worry about whether deploying a patch will cause problems in production.”
Thanks to the ubiquity of GitHub across Mercari, the company has enabled secret scanning for the entire organization. “Adopting code scanning across the org is definitely something that GitHub makes much easier. It would have been a struggle otherwise because integrating tools into everyone’s workflow is complicated and time consuming,” Elenkov says. “Having secret scanning and CodeQL baked into the GitHub platform makes things much, much easier for us.”
Mercari is also using GitHub Actions to streamline workflows. The Souzoh team, for example, uses Actions as their primary CI/CD tool, automating everything from provisioning Go environments in the cloud to running tests and security scans. “We use quite a few Actions from the marketplace, but creating custom Actions is pretty easy,” Mr. Yamamoto says. “There are plenty of examples and documentation to get started with.”
Actions provides Mercari with the flexibility to customize solutions to fit their needs. “We do everything with self-hosted runners,” he explains. “We wanted to optimize the cache settings ourselves, and it helps us minimize secret sharing across environments.”
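The setup described in the two paragraphs above (Actions as the CI/CD tool, Go test runs, CodeQL scanning, self-hosted runners with hand-tuned caching and minimal secret exposure) can be expressed in a single workflow file. The following is an added illustration, not Mercari's or Souzoh's own configuration: the runner labels, the default branch name and the repository layout are assumptions, while the action names and inputs are the published ones from `actions/*` and `github/codeql-action`.

```yaml
# Added example: Go tests plus CodeQL analysis on self-hosted runners.
# Not Mercari's workflow; runner labels, branch name and layout are assumptions.
name: ci-and-codeql

on:
  push:
    branches: [main]          # assumption: the default branch is "main"
  pull_request:

# Least privilege for the job token: read the repository, write code scanning
# alerts. No other secrets are handed to the runner, which keeps secret sharing
# across environments to a minimum.
permissions:
  contents: read
  security-events: write

jobs:
  test:
    runs-on: [self-hosted, linux]   # assumption: runners registered with these labels
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: false             # turn off the built-in cache so the key is ours to tune
      - name: Cache Go modules and build outputs with an explicit key
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
          key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
          restore-keys: go-${{ runner.os }}-
      - run: go test ./...

  codeql:
    runs-on: [self-hosted, linux]
    strategy:
      fail-fast: false
      matrix:
        # the backend and frontend stacks named on the page
        language: [go, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      # autobuild compiles the Go code so CodeQL sees the full call graph;
      # the TypeScript frontend is analysed from source.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: /language:${{ matrix.language }}
```

Two design points are worth noting. Splitting the cache key on `go.sum` means a cache entry is reused exactly as long as the dependency set is unchanged, which is the kind of tuning the page says the team wanted to control themselves. And because the `permissions` block grants only `contents: read` and `security-events: write`, a compromised build step cannot push code or read organization secrets; a job that needs more (for example, fetching modules from private repositories, which the page says required help from support) would get that access explicitly rather than by default.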
GitHub is also playing a role in solving Mercari’s newest challenges as it expands into the highly regulated financial services space. “GitHub Professional Services is helping us with compliance, and our needs there are only going to grow,” Mr. Yamamoto says.
“GitHub is like the air we breathe,” says Mr. Yamamoto. “It’s such a natural part of the way we work that sometimes we don’t even notice it. We cannot imagine living without GitHub.”