StackSpot AI Security Action POC
This action identifies vulnerabilities (a SAST check) using the StackSpot AI Remote Quick Command concept.
It returns a list of vulnerabilities for each changed file, following the structure below:
```json
[
  {
    "title": "<TITLE>",
    "severity": "<SEVERITY>",
    "correction": "<CORRECTION>",
    "lines": "<LINES>"
  }
]
```
Note: This action only identifies files that have changed for events such as pull_request*, push, merge_group, release, etc. (potentially the same events referred to here). It does not detect pending, uncommitted changes created during the workflow execution.
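A consumer for the structure above, added here as an illustration and not part of the action's own code: it validates that every finding carries the four documented fields, counts findings per severity, decides whether the job should fail for a given severity threshold, and renders the findings as a markdown table suitable for a PR comment (pipes and newlines in model-generated text are escaped so a finding title cannot break the table). The per-file mapping (`{"path": [finding, ...]}`), the severity labels in `SEVERITY_ORDER` and the sample findings are assumptions, not the action's documented output.

```python
"""Consume the per-file vulnerability list and turn it into a PR-comment
body plus a pass/fail verdict. Hypothetical consumer code: the
{path: [finding, ...]} mapping and the severity labels are assumptions."""
import json
from collections import Counter

# Severity rank, most severe first. A label not in this list is treated
# as unknown and ranked at the very top so an unexpected label coming
# back from the model never silently passes the gate.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]


def severity_rank(label):
    """Lower number = more severe. CRITICAL -> 1 ... INFO -> 5, unknown -> 0."""
    label = (label or "").strip().upper()
    return SEVERITY_ORDER.index(label) + 1 if label in SEVERITY_ORDER else 0


def load_results(raw_json):
    """Parse {path: [finding, ...]} and require the four documented fields."""
    data = json.loads(raw_json)
    required = {"title", "severity", "correction", "lines"}
    for path, findings in data.items():
        for finding in findings:
            missing = required - set(finding)
            if missing:
                raise ValueError(f"{path}: finding missing {sorted(missing)}")
    return data


def count_by_severity(results):
    """Number of findings per (upper-cased) severity label."""
    counts = Counter()
    for findings in results.values():
        for finding in findings:
            counts[finding["severity"].strip().upper()] += 1
    return dict(counts)


def should_fail(results, fail_on="HIGH"):
    """True if any finding is at least as severe as `fail_on`
    (unknown labels always fail, see severity_rank)."""
    threshold = severity_rank(fail_on)
    return any(severity_rank(f["severity"]) <= threshold
               for findings in results.values() for f in findings)


def _cell(text):
    # Model output is untrusted markdown: neutralise table separators.
    return str(text).replace("|", "\\|").replace("\n", " ")


def to_markdown(results):
    """Render findings, most severe first per file, as a markdown table."""
    rows = ["| File | Severity | Title | Lines | Correction |",
            "|---|---|---|---|---|"]
    for path in sorted(results):
        ordered = sorted(results[path], key=lambda f: severity_rank(f["severity"]))
        for f in ordered:
            cells = [path, f["severity"], f["title"], f["lines"], f["correction"]]
            rows.append("| " + " | ".join(_cell(c) for c in cells) + " |")
    return "\n".join(rows)


# Constructed sample output (not a real scan result).
SAMPLE_OUTPUT = json.dumps({
    "src/app.py": [
        {"title": "SQL query built with string formatting",
         "severity": "High",
         "correction": "Use parameterised queries",
         "lines": "42-44"},
        {"title": "Hard-coded credential | in source",
         "severity": "weird",
         "correction": "Load it from a secret store",
         "lines": "7"},
    ],
    "src/util.py": [],
})

if __name__ == "__main__":
    results = load_results(SAMPLE_OUTPUT)
    print(to_markdown(results))
    print(count_by_severity(results))
    raise SystemExit(1 if should_fail(results, "HIGH") else 0)
```

Run it as a step after the action to post `to_markdown(...)` as the PR comment and to make the job's exit status reflect `should_fail(...)`; the unknown-label rule is deliberate, since an LLM-produced severity string is not guaranteed to match the expected vocabulary.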
```yaml
on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: # mandatory to add comment on PR
  issues: write
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: GuillaumeFalourd/stackspot-ai-security-action-poc@main
        id: run
        with:
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
          CLIENT_KEY: ${{ secrets.CLIENT_KEY }}
          CLIENT_REALM: stackspot
          QC_SLUG: sast-rqc
```

Before using this outside a POC, pin the action to a commit SHA instead of `@main`, and keep in mind that `pull_request` runs triggered from forks do not receive repository secrets, so `CLIENT_ID` and `CLIENT_KEY` are empty there.
| Field | Mandatory | Default Value | Observation |
|---|---|---|---|
| CLIENT_ID | YES | N/A | StackSpot Client ID. |
| CLIENT_KEY | YES | N/A | StackSpot Client Key. Store it as a repository secret; never commit it. |
| CLIENT_REALM | YES | N/A | StackSpot Client Realm. |
| QC_SLUG | YES | N/A | Slug of the StackSpot Remote Quick Command to run. |
Screenshot 2024-07-11 at 08 20 09 (the original image link was a signed, expiring GitHub private-user-images URL).
TODO
- DAST RQC.
- Add comment on PR.
- Generate vulnerability report (example)
- Add an action configuration file.
To run any StackSpot AI remote quick command, please check https://github.com/GuillaumeFalourd/stackspot-ai-rqc.