
Salus Security Scan Action

This action runs Salus from Coinbase to perform static analysis (SAST) and dependency-vulnerability scans against the checked-out repository.

Scanners supported

Name            Language
Bundle Audit    Ruby
Brakeman        Ruby
npm audit       JavaScript
yarn audit      JavaScript
Gosec           Go
Bandit          Python
Cargo Audit     Rust
semgrep         Many
PatternSearch   n/a (uses Sift)

Example usage

.github/workflows/example.yml

Defaults

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]

Single scanner

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      with:
          active_scanners: "\n  - Brakeman"
          enforced_scanners: "\n  - Brakeman"

No enforced scanners

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      with:
          enforced_scanners: "none"

Custom configuration

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      env:
        SALUS_CONFIGURATION: "file://../salus-configuration.yaml file://config/pattern_search.yaml"

Inputs

attribute             description                          default                              options
active_scanners       Scanners to run                      all                                  Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec
enforced_scanners     Scanners that block builds           all                                  Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec
report_uri            Where to send Salus reports          file://salus-report.json             Any URI
report_format         What format to use for the report    json                                 json, yaml, txt
report_verbosity      Whether to enable a verbose report   true                                 true, false
salus_configuration   Where to find Salus configuration    file://../salus-configuration.yaml   Any URI

Note: active_scanners and enforced_scanners are written into the Salus configuration file as YAML, so each value must be valid YAML in that position: either a scalar such as all or none, or a list that starts with a newline and a two-space indent, as in the single-scanner example above ("\n  - Brakeman"). A bare scanner name without the leading newline is read as a string, not a list.
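The following is an added example, not code from scan-action or Salus. It mimics the way the README examples imply the two inputs land in the configuration file (assumption: each input string is written after "key: "), parses the result with the same YAML library Salus uses, and reports whether each value has an acceptable shape. The scanner-name list is taken from the tables on this page; the rendering helper and the validity rules are this example's own.

```ruby
require 'yaml'

# Scanner names as listed on this page (README table and input options).
KNOWN_SCANNERS = %w[
  BundleAudit Brakeman NPMAudit YarnAudit Gosec Bandit CargoAudit Semgrep PatternSearch
].freeze

# Render the two keys with the raw input strings after "key: " (assumed to be
# how the action splices them in). A list value must therefore begin with a
# newline and a two-space indent ("\n  - Brakeman"); "all" and "none" stay
# single-line scalars.
def render_scanner_keys(active:, enforced:)
  "active_scanners: #{active}\nenforced_scanners: #{enforced}\n"
end

def known_scanner?(name)
  name.is_a?(String) && KNOWN_SCANNERS.any? { |k| k.casecmp?(name) }
end

# "all" is valid for both keys, "none" only for enforced_scanners (per the
# README examples); a list must be non-empty and name known scanners.
def acceptable?(key, value)
  case value
  when 'all'  then %w[active_scanners enforced_scanners].include?(key)
  when 'none' then key == 'enforced_scanners'
  when Array  then !value.empty? && value.all? { |n| known_scanner?(n) }
  else false # e.g. "Brakeman" without the leading newline parses as a bare string
  end
end

# Parse the rendered fragment and report, per key, the value Salus would see
# and whether that value has an acceptable shape.
def check_scanner_config(yaml_text)
  doc = YAML.safe_load(yaml_text)
  raise ArgumentError, 'fragment did not parse to a mapping' unless doc.is_a?(Hash)
  doc.map { |key, value| [key, { value: value, valid: acceptable?(key, value) }] }.to_h
end

if $PROGRAM_NAME == __FILE__
  # Single-scanner example from the README: a proper one-element list.
  p check_scanner_config(render_scanner_keys(active: "\n  - Brakeman", enforced: "\n  - Brakeman"))
  # Same name without the leading newline: a bare string, which is not a list.
  p check_scanner_config(render_scanner_keys(active: 'Brakeman', enforced: 'none'))
end
```

Run it before wiring a new scanner list into a workflow: the second call shows the failure mode the note above warns about, a value that parses without error but is the wrong type.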

Outputs

None.

GitHub Environment Variables

Stored in custom_info of a Salus scan report.

Key                 GitHub Variable      Description
sha1                GITHUB_SHA           Hash of last commit in build
reponame            GITHUB_REPOSITORY    Name of repository
ref                 GITHUB_REF           Ref that triggered the workflow (branch or tag)
ci_username         GITHUB_ACTOR         GitHub username of the user who triggered the build
github_action       GITHUB_ACTION        Name of the action
github_workflow     GITHUB_WORKFLOW      Name of the workflow
github_event_name   GITHUB_EVENT_NAME    Name of the event that triggered the workflow
github_event_path   GITHUB_EVENT_PATH    Path of the event payload
github_workspace    GITHUB_WORKSPACE     Workspace directory path
github_head_ref     GITHUB_HEAD_REF      Ref of the head repository, if forked
github_base_ref     GITHUB_BASE_REF      Ref of the base repository, if forked
github_home         HOME                 Path to the home directory used by GitHub

Contributors

Chris Czub
Andre Azzolini
Quentin Le Sceller


Issues

How to Setup Scan Action for Private Repository Dependency

Hi everyone,

I'm trying to use Salus on my repository. However, since the Go repo relies on another private repository, I'm getting errors such as:

{
    "line": 12,
    "column": 2,
    "error": "could not import github.com/PRIVATEREPO/server (invalid package name: \"\")"

Is there a way to set it up such that Gosec passes? Something like:

      - name: Configure git for private modules
        env:
          TOKEN: ${{ secrets.GH_TOKEN }}
        run: git config --global url."https://USER:${TOKEN}@github.com".insteadOf "https://github.com"

Thank you.
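The following is an added example and is not part of the issue above or of scan-action. It shows the usual pattern for letting Go tooling reach private modules in CI, narrowed so that the token is only sent for one organisation rather than for all of github.com as in the snippet above, and paired with the GOPRIVATE setting that keeps those modules away from the public proxy and checksum database. Assumptions: the token arrives in an environment variable, the private modules live under one GitHub organisation (ORG below is a placeholder), and the config is written to a file you point git at, so the real ~/.gitconfig is untouched. Whether the scanner picks this up depends on where Gosec runs, which this page does not state.

```sh
#!/bin/sh
# Write a git config file that rewrites https://github.com/ORG/ URLs to an
# authenticated form. Scoping the rewrite to ORG means the token is only
# attached to requests for that organisation's repositories.
# Assumption: the token is a GitHub token usable with x-access-token.
write_private_module_config() {
  org="$1"; token="$2"; out="$3"
  [ -n "$org" ] && [ -n "$token" ] && [ -n "$out" ] || return 1
  printf '[url "https://x-access-token:%s@github.com/%s/"]\n\tinsteadOf = https://github.com/%s/\n' \
    "$token" "$org" "$org" > "$out"
  # The file now contains a credential: keep it owner-readable only.
  chmod 600 "$out"
}

# GOPRIVATE glob matching every module under the organisation, so the go
# command fetches them directly over git instead of via proxy.golang.org
# and skips the public checksum database for them.
goprivate_for() {
  printf 'github.com/%s/*' "$1"
}

if [ "${1:-}" = "demo" ]; then
  cfg=$(mktemp)
  write_private_module_config "exampleorg" "${GH_TOKEN:-placeholder-token}" "$cfg"
  echo "wrote $cfg; export GOPRIVATE=$(goprivate_for exampleorg)"
fi
```

Point git at the file for the build step only (for example GIT_CONFIG_GLOBAL=/path/to/file with git 2.32 or later, or an include.path entry), export GOPRIVATE from goprivate_for, and never echo the file or the token into the job log.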

Salus failing after recent release

Around 2 weeks ago, all scan-action runs started failing. It appears related to the release of either Salus 2.10.15 or 2.10.16. The GitHub Action displays this error:

bundler: failed to load command: /home/bin/salus (/home/bin/salus)
Errno::ENOENT: No such file or directory - bandit
  /usr/local/lib/ruby/2.7.0/open3.rb:213:in `spawn'
  /usr/local/lib/ruby/2.7.0/open3.rb:213:in `popen_run'
  /usr/local/lib/ruby/2.7.0/open3.rb:101:in `popen3'
  /usr/local/lib/ruby/2.7.0/open3.rb:281:in `capture3'
  /home/lib/salus/scanners/base.rb:100:in `run_shell'
  /home/lib/salus/scanners/bandit.rb:66:in `version'
  /home/lib/salus/scanners/base.rb:25:in `initialize'
  /home/lib/salus/processor.rb:76:in `new'
  /home/lib/salus/processor.rb:76:in `block (2 levels) in scan_project'
  /home/lib/salus/processor.rb:73:in `each'
  /home/lib/salus/processor.rb:73:in `block in scan_project'
  /home/lib/salus/report.rb:38:in `record'
  /home/lib/salus/processor.rb:68:in `scan_project'
  /home/lib/salus.rb:46:in `scan'
  /home/lib/salus/cli.rb:33:in `scan'
  /home/vendor/bundle/ruby/2.7.0/gems/thor-1.1.0/lib/thor/command.rb:27:in `run'
  /home/vendor/bundle/ruby/2.7.0/gems/thor-1.1.0/lib/thor/invocation.rb:127:in `invoke_command'
  /home/vendor/bundle/ruby/2.7.0/gems/thor-1.1.0/lib/thor.rb:392:in `dispatch'
  /home/vendor/bundle/ruby/2.7.0/gems/thor-1.1.0/lib/thor/base.rb:485:in `start'
  /home/bin/salus:8:in `<top (required)>'

Can't download version 1 of the github action

Hi,

Every time I run your action I get the following message:
Download action repository 'federacy/scan-action@v1'
##[warning]Failed to download action 'https://api.github.com/repos/federacy/scan-action/tarball/v1'. Error Response status code does not indicate success: 404 (Not Found).
##[warning]Back off 21.185 seconds before retry.
##[warning]Failed to download action 'https://api.github.com/repos/federacy/scan-action/tarball/v1'. Error Response status code does not indicate success: 404 (Not Found).
##[warning]Back off 29.538 seconds before retry.
##[error]Response status code does not indicate success: 404 (Not Found).

You can see me running it here:
https://github.com/shehackspurple/dotnetcore-webapp/runs/426644334?check_suite_focus=true

Any help would be great, thanks!
