This Action provides comprehensive security coverage for your entire GitHub project workflow! This is the SecureStack kitchen sink and combines 3 different GitHub Actions into one awesome Action to rule them all! When you add this Action to your repository it will:
- Analyze source code for sensitive data like API keys, database credentials, passwords, etc
- Analyze source code for any vulnerable third-party or open source libraries with our software composition analysis
- If your app is running in the public cloud we'll analyze it for cloud misconfigurations and inseure settings
- If your app has a public URL endpoint we will scan the public URL with our web vulnerability scanner
- Finally, we will build a SBOM for your application
name: Example Workflow Using SecureStack All-In-One Action
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout repo for running secrets analysis within workflow
id: checkout
uses: actions/checkout@v2.4.0
with:
fetch-depth: 0
- name: Secrets Analysis Step
id: secrets
uses: SecureStackCo/actions-secrets@v0.1.3
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
flags: '-d 1'
- name: Code Analysis Step
id: code
uses: SecureStackCo/actions-code@v0.1.1
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
language: node
- name: Exposure Analysis Step
id: exposure
uses: SecureStackCo/actions-exposure@v0.1.3
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
flags: '--dom -r'
- name: Create SBOM
id: sbom
uses: SecureStackCo/actions-sbom@v0.1.1
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
NOTE - to understand possible values for the action input flags, run the SecureStack cli locally:
$ bloodhound-cli --help
- Log in to SecureStack with your GitHub credentials.
- Go to Settings in the lower left corner, and then select the 6th tab: API.
- Generate a new API key and copy the value.
- Now back in GitHub, go to Settings for your GitHub repository and click on Secrets, and then Actions at the bottom left.
- Create a new secret named SECURESTACK_API_KEY and paste the value from step 2 into the field and click "Add secret".
- Log in to SecureStack.
- In the application drop down at the top left choose the application you want to use and click on "Copy Application ID"
- Create a new secret named SECURESTACK_APP_ID and paste the value from step 2 into the field and click "Add secret".
- When completed the two GitHub Secrets should look like this
Coming soon!
- SecureStack Software Composition Analysis (SCA) - Scan your application for vulnerable third-party and open source libraries.
- SecureStack Secret Scanning - Scan your application for embedded api keys, credentials and senstive data.
- SecureStack Web Vulnerability & Cloud Misconfiguration Analysis - Scan your running application url for cloud misconfigurations and web vulnerabilities.
- SecureStack Log4j Analysis - Scan your application for Log4j/Log4Shell vulnerabilities.
- SecureStack SBOM - Create a software bill of materials (SBOM) for your application.
- Or, our All-in-One GitHub Action - We've put all of our actions together into one "Action to rule them ALL"!
Made with 💜 by SecureStack