Skip to content

Github Action for security scanning utilizing Salus by Coinbase

Notifications You must be signed in to change notification settings

federacy/scan-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Salus Security Scan Action

This action utilizes Salus from Coinbase to run SAST and dependency scans.

Scanners supported

Name Language
Bundle Audit Ruby
Brakeman Ruby
npm audit JavaScript
yarn audit JavaScript
Gosec Go
Bandit Python
Cargo Audit Rust
semgrep Many
PatternSearch n/a (uses Sift)

Example usage

.github/workflows/example.yml

Defaults

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]

Single scanner

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      with:
          active_scanners: "\n  - Brakeman"
          enforced_scanners: "\n  - Brakeman"

No enforced scanners

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      with:
          enforced_scanners: "none"

Custom configuration

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/[email protected]
      env:
        SALUS_CONFIGURATION: "file://../salus-configuration.yaml file://config/pattern_search.yaml"

Inputs

attribute description default options
active_scanners Scanners to run all Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec
enforced_scanners Scanners that block builds all Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec
report_uri Where to send Salus reports file://salus-report.json Any URI
report_format What format to use for report json json, yaml, txt
report_verbosity Whether to enable a verbose report true true, false
salus_configuration Where to find Salus configuration file://../salus-configuration.yaml Any URI

Note: active_scanners and enforced_scanners must be yaml formatted for Salus configuration file.

Outputs

None.

Github Environment Variables

Stored in custom_info of a Salus scan.

Key Github Variable Description
sha1 GITHUB_SHA Hash of last commit in build
reponame GITHUB_REPOSITORY Name of repository
ref GITHUB_REF Ref that triggered flow (branch or tag)
ci_username GITHUB_ACTOR Github username of user who triggered build
github_action GITHUB_ACTION Name of the action
github_workflow GITHUB_WORKFLOW Name of the workflow
github_event_name GITHUB_EVENT_NAME Name of the event that triggered workflow
github_event_path GITHUB_EVENT_PATH Path of event payload
github_workspace GITHUB_WORKSPACE Workspace directory path
github_head_ref GITHUB_HEAD_REF Ref of the head repository, if forked
github_base_ref GITHUB_BASE_REF Ref of the base repository, if forked
github_home HOME Path to home directory used by Github

Contributors

Chris Czub
Andre Azzolini
Quentin Le Sceller