This is a GitHub Action that runs a super-sast security report on your Python project.

super-sast-action

This GitHub Action runs Super SAST, a Docker image that runs several SAST checks on your code, and annotates the affected lines with the reported issues.

See the Super SAST repository for a better understanding of how it works. This action uses the same tools as Super SAST. The version of the Super SAST container is pinned; it is currently:

FROM ghcr.io/par-tec/super-sast:20231115-108-746a559 as super-sast

Currently, four tools support annotations:

  • Bandit
  • Safety
  • Checkov
  • Semgrep

Warning

If you want to enable annotations in your pull request, you must pass a token in the inputs of the action, like this:

- name: super-sast-action
  uses: DrPlumcake/super-sast-action@v1.0
  with:
    # [...]
    repo_token: ${{ secrets.GITHUB_TOKEN }}

Otherwise the action will fail: the API requests used to post the annotations are rejected with an authentication error.
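The two paragraphs above describe the action's output (per-line annotations for the issues each tool reports) and the token it needs to post them to the pull request. The following script is an added example, not code from super-sast-action or Super SAST: it turns a Bandit-style JSON report into GitHub Actions annotations using the runner's ::warning / ::error workflow commands written to stdout, which need no token (unlike the API-based PR annotations the action itself uses). The sample report is constructed here, and the Bandit field names (results, filename, line_number, issue_severity, test_id, issue_text) are assumed from Bandit's JSON formatter. The escaping of %, newlines, ':' and ',' matters: an unescaped issue message could otherwise terminate or corrupt the command.

```python
import json
from typing import List

# Constructed sample report in Bandit's JSON layout (not real output from any project).
SAMPLE_BANDIT_JSON = json.dumps({
    "results": [
        {
            "filename": "app/db.py",
            "line_number": 42,
            "issue_severity": "HIGH",
            "issue_confidence": "MEDIUM",
            "test_id": "B608",
            "issue_text": "Possible SQL injection vector through string-based query construction.",
        },
        {
            "filename": "app/util.py",
            "line_number": 7,
            "issue_severity": "LOW",
            "issue_confidence": "HIGH",
            "test_id": "B101",
            "issue_text": "Use of assert detected, 100% of asserts are stripped with -O.",
        },
    ]
})


def escape_data(value: str) -> str:
    # The message part of a workflow command: '%', CR and LF must be URL-encoded,
    # otherwise a multi-line finding breaks the command or injects a second one.
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def escape_property(value: str) -> str:
    # Property values (file=, title=) additionally encode ':' and ',' because
    # those characters delimit the property list and the message.
    return escape_data(value).replace(":", "%3A").replace(",", "%2C")


def severity_to_level(severity: str) -> str:
    # Mapping chosen for this example: HIGH findings become errors, the rest warnings.
    return "error" if severity.upper() == "HIGH" else "warning"


def bandit_to_annotations(report_json: str) -> List[str]:
    """Return one '::<level> file=...,line=...,title=...::message' command per finding."""
    report = json.loads(report_json)
    commands: List[str] = []
    for finding in report.get("results", []):
        level = severity_to_level(finding.get("issue_severity", "LOW"))
        props = ",".join([
            f"file={escape_property(finding['filename'])}",
            f"line={int(finding['line_number'])}",
            f"title={escape_property('Bandit ' + finding.get('test_id', ''))}",
        ])
        commands.append(f"::{level} {props}::{escape_data(finding['issue_text'])}")
    return commands


if __name__ == "__main__":
    # Printing these lines from a workflow step makes the runner annotate the files.
    for cmd in bandit_to_annotations(SAMPLE_BANDIT_JSON):
        print(cmd)
```

Running the script inside a job step prints the commands, and the runner attaches them as annotations to the checked-out files; the same idea applies to the other tools' JSON output once the field names are adjusted.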

Screenshots

The action running in the workflow (screenshot):

The affected lines of code shown in the PR (screenshot):

Usage

To add this GitHub Action to your repository you can either copy it into your repo or use it from the GitHub Actions Marketplace, e.g.:

name: Security check - super-sast-action

on: push

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        os: [ ubuntu-latest ]
    name: Ubuntu - ${{ matrix.os }} 

    steps:
    - uses: actions/checkout@v2

    - name: Security check - super-sast-action
      uses: DrPlumcake/super-sast-action@v1.0
      with:
        project_path: .
        ignore_failure: true
        repo_token: ${{ secrets.GITHUB_TOKEN }}

    # This is optional
    - name: Security check artifacts
      uses: actions/upload-artifact@v1
      with:
        name: Security report - super sast
        path: |
          super-sast.log
          log_dir/

Getting Started

You can include the action in your workflow to trigger on any event that GitHub Actions supports. If the remote branch that you wish to deploy to doesn't already exist, the action will create it for you. Your workflow will also need to include the actions/checkout step before this action runs in order for the deployment to work.

If you'd like the workflow to trigger only on push events to specific branches, modify the on section:

on:
  push:
    branches:
      - master

Configuration

The with portion of the workflow must be configured before the action will work. You can add these inputs in the with section shown in the examples above. Any secrets must be referenced using the bracket syntax and stored in the repository's Settings/Secrets menu. You can learn more about setting environment variables with GitHub Actions here.

Contributing

Contributions are always welcome!

This project uses pre-commit to manage git hooks. To install the hooks, run:

pre-commit install

Pre-commit will generate a CycloneDX SBOM using trivy.

To test the image, run:

docker-compose up --build test

To test the remote image (latest), run:

docker-compose up --build test-latest

License

MIT License
