This action uses Salus from Coinbase to run static analysis (SAST) and dependency-vulnerability scans against the checked-out repository. The scanners Salus can run are:
Name | Language |
---|---|
Bundle Audit | Ruby |
Brakeman | Ruby |
npm audit | JavaScript |
yarn audit | JavaScript |
Gosec | Go |
Bandit | Python |
Cargo Audit | Rust |
semgrep | Many |
PatternSearch | n/a (uses Sift) |
Minimal workflow that runs every scanner with the default settings (`.github/workflows/example.yml`):

```yaml
on: [push]
jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
      - uses: actions/checkout@v1
      - name: Salus Scan
        id: salus_scan
        uses: federacy/[email protected]
```
Run only Brakeman and fail the build when it reports findings (note the leading newline and `- ` in the input values, which make them YAML lists):

```yaml
on: [push]
jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
      - uses: actions/checkout@v1
      - name: Salus Scan
        id: salus_scan
        uses: federacy/[email protected]
        with:
          active_scanners: "\n - Brakeman"
          enforced_scanners: "\n - Brakeman"
```
Run all scanners in report-only mode, so that findings never block the build:

```yaml
on: [push]
jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
      - uses: actions/checkout@v1
      - name: Salus Scan
        id: salus_scan
        uses: federacy/[email protected]
        with:
          enforced_scanners: "none"
```
Point Salus at your own configuration files with the `SALUS_CONFIGURATION` environment variable (a space-separated list of URIs):

```yaml
on: [push]
jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
      - uses: actions/checkout@v1
      - name: Salus Scan
        id: salus_scan
        uses: federacy/[email protected]
        env:
          SALUS_CONFIGURATION: "file://../salus-configuration.yaml file://config/pattern_search.yaml"
```
attribute | description | default | options |
---|---|---|---|
active_scanners | Scanners to run | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
enforced_scanners | Scanners that block builds | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
report_uri | Where to send Salus reports | file://salus-report.json | Any URI |
report_format | What format to use for report | json | json, yaml, txt |
report_verbosity | Whether to enable a verbose report | true | true, false |
salus_configuration | Where to find Salus configuration | file://../salus-configuration.yaml | Any URI |
Note: `active_scanners` and `enforced_scanners` are written into the Salus configuration file, so their values must be YAML-formatted lists (a leading newline followed by one `- ScannerName` entry per scanner, as in the Brakeman example above).
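Two things a practitioner usually wants around this action are a way to build the list-shaped `active_scanners`/`enforced_scanners` values without hand-writing the newline syntax, and a post-scan step that reads the JSON report (default `report_uri` is `file://salus-report.json`) and decides, per enforced scanner, whether the build should fail. The following Python is an added example, not code from this action or from Salus. It assumes the report's shape (a top-level `passed` boolean, a `scans` object keyed by scanner name whose entries carry their own `passed` boolean, and the `custom_info` keys from the table below); the sample report embedded in it is constructed for illustration, and the shape should be checked against a real `salus-report.json` before relying on it.

```python
"""Helpers around the Salus scan action: build list-shaped inputs and
check the JSON report for enforced-scanner failures.

Added example; not part of federacy/scan-action or Salus.
ASSUMED report shape (verify against a real salus-report.json):
  {"passed": bool, "scans": {"<Scanner>": {"passed": bool, ...}},
   "custom_info": {"sha1": ..., "reponame": ..., "ref": ..., "ci_username": ...}}
"""
import json
import sys
from typing import Dict, Iterable, List


def scanner_list_input(scanners: Iterable[str]) -> str:
    """Render scanner names in the form the action's active_scanners /
    enforced_scanners inputs expect: a YAML sequence fragment that starts
    with a newline, e.g. "\n - Brakeman\n - BundleAudit"."""
    return "".join(f"\n - {name}" for name in scanners)


def parse_report(text: str) -> Dict:
    """Load a Salus JSON report (report_format: json)."""
    return json.loads(text)


def enforced_failures(report: Dict, enforced: Iterable[str]) -> List[str]:
    """Return the enforced scanners that did not pass. A scanner that is
    enforced but has no entry in the report (e.g. a misspelled name) is
    treated as a failure, so enforcement cannot be silently switched off."""
    scans = report.get("scans", {})
    failed = []
    for name in enforced:
        result = scans.get(name)
        if result is None or not result.get("passed", False):
            failed.append(name)
    return failed


def report_provenance(report: Dict) -> Dict[str, str]:
    """Pull the GitHub context Salus stored in custom_info so a report can
    be tied back to the commit, ref and actor that produced it."""
    info = report.get("custom_info", {})
    return {k: info.get(k, "") for k in ("sha1", "reponame", "ref", "ci_username")}


def check_report(text: str, enforced: Iterable[str]) -> int:
    """Exit-code style result: 0 if every enforced scanner passed, else 1."""
    report = parse_report(text)
    prov = report_provenance(report)
    where = f"{prov['reponame']}@{prov['sha1'][:7]} ({prov['ref']})"
    failed = enforced_failures(report, enforced)
    if failed:
        print(f"enforced scanners failed for {where}: {', '.join(failed)}")
        return 1
    print(f"all enforced scanners passed for {where}")
    return 0


# Constructed sample report (NOT real Salus output) using the assumed shape.
SAMPLE_REPORT = json.dumps({
    "version": "2.0.0",
    "passed": False,
    "scans": {
        "Brakeman": {"passed": False, "info": {}, "errors": []},
        "BundleAudit": {"passed": True, "info": {}, "errors": []},
    },
    "custom_info": {
        "sha1": "0123456789abcdef0123456789abcdef01234567",
        "reponame": "example-org/example-app",
        "ref": "refs/heads/main",
        "ci_username": "octocat",
    },
})


if __name__ == "__main__":
    # Usage: python check_salus.py [salus-report.json] [Scanner ...]
    # Without arguments the constructed sample report is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        enforced = sys.argv[2:] or ["Brakeman"]
    else:
        text, enforced = SAMPLE_REPORT, ["Brakeman", "BundleAudit"]
    print("active_scanners value:", repr(scanner_list_input(enforced)))
    sys.exit(check_report(text, enforced))
```

In a workflow this would run as a step after the scan, typically with `enforced_scanners: "none"` on the action itself so that the scan step always completes and the report is available; this step then applies whatever blocking policy the repository wants. Treating a missing scanner entry as a failure is deliberate: a typo in a scanner name should surface as a red build, not as a scan that quietly never enforced anything.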
Outputs: none.

The following GitHub environment variables are recorded in the `custom_info` section of each Salus report, so a report can be traced back to the commit, ref and actor that produced it.
Key | GitHub Variable | Description |
---|---|---|
sha1 | GITHUB_SHA | SHA of the commit that triggered the workflow |
reponame | GITHUB_REPOSITORY | Name of the repository (owner/repo) |
ref | GITHUB_REF | Ref that triggered the workflow (branch or tag) |
ci_username | GITHUB_ACTOR | GitHub username of the user who triggered the build |
github_action | GITHUB_ACTION | Name of the action |
github_workflow | GITHUB_WORKFLOW | Name of the workflow |
github_event_name | GITHUB_EVENT_NAME | Name of the event that triggered the workflow |
github_event_path | GITHUB_EVENT_PATH | Path of the event payload file |
github_workspace | GITHUB_WORKSPACE | Workspace directory path |
github_head_ref | GITHUB_HEAD_REF | Head ref of the pull request (only set for pull request events) |
github_base_ref | GITHUB_BASE_REF | Base ref of the pull request (only set for pull request events) |
github_home | HOME | Path to the home directory used by GitHub |