SecDim Sandbox is a Cloud Development Environment where you can explore a real vulnerability in a cloud native app. Each Sandbox comes with a security test suit to simulate the exploitation of the vulnerability. This can help you to debug and verify if your security patch can remediate the vulnerability.
This Github Action will take a SARIF file, search SecDim Sandbox for the relevant Sandbox, and upload a new SARIF file detailing the vulnerabilities with links to the relevant SecDim Sandbox. The results can be viewed in the repository’s Security tab.
See an example of using this Github Action with Semgrep: Integrating Semgrep with SecDim Sandbox
An example YAML workflow file is also included below:
name: SecDim Sandbox Example Workflow
on:
push:
branches:
- master
pull_request:
jobs:
secdim:
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Clone repo
uses: actions/checkout@master
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: "3.7"
- name: Install Semgrep
run: pip install semgrep
- name: Run Semgrep
run: semgrep scan --config auto --sarif > findings.sarif
- name: Upload Semgrep SARIF results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: findings.sarif
category: semgrep
- name: Run SecDim Sandbox Action
uses: secdim/[email protected]
with:
input_sarif_file: findings.sarif
output_sarif_file: findings.processed.sarif
- name: Upload SecDim Sanbox SARIF results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: findings.processed.sarif
category: secdim-sandboxYour code is not send to SecDim APIs. The SARIF file rule section is parsed for relevant search terms (e.g. CWE ids), and only these search terms are queries on SecDim API. No information about the origin is sent to SecDim. To learn more, checkout SecDim Sandbox SARIF Parser repository.