diff --git a/action.yml b/action.yml index 3991881..7913ecf 100644 --- a/action.yml +++ b/action.yml 
@@ -1,778 +1,26 @@ -name: "Socket Basics Security Scanner"name: "Security Scan and Comment Action" - -description: "Comprehensive security scanning with SAST, secrets, container scanning, and more. Configure from Socket Dashboard (Enterprise required)."description: "Runs various open source security tools and then comments on PRs with results." - -author: "Socket Security"author: "Douglas Coburn" +name: "Socket Basics Security Scanner" +description: "Comprehensive security scanning with SAST, secrets, container scanning, and more. Configure from Socket Dashboard (Enterprise required)." +author: "Socket" runs: - -runs: using: "docker" - - using: "docker" image: "Dockerfile" - + using: "docker" image: "Dockerfile" inputs: - -inputs: github_token: - - # Socket Configuration (Required for Enterprise Features) description: "GitHub token to post comments on PRs" - - socket_org: required: true - + # Socket Configuration + socket_org: description: "Socket organization slug (required for Enterprise features)" - - required: false # PR / API overrides - - default: "" pr_number: - - socket_security_api_key: description: "Optional PR number to post comments to (overrides auto-discovery)" - - description: "Socket Security API key (required for Enterprise features and Dashboard configuration)" required: false - - required: false default: "" - - default: "" - - github_api_url: - - # GitHub Integration description: "Optional GitHub API base URL (useful for GitHub Enterprise). Maps to INPUT_GITHUB_API_URL environment variable when set." 
- - github_token: required: false - - description: "GitHub token for PR comments and API access" default: "" - - required: false - - default: "" # Enable Settings - - python_sast_enabled: - - # Output Configuration description: "Enable Python SAST analysis" - - console_tabular_enabled: required: false - - description: "Enable tabular console output" default: "false" - - required: false - - default: "true" golang_sast_enabled: - - console_json_enabled: description: "Enable Golang SAST analysis" - - description: "Enable JSON console output" required: false - - required: false default: "false" - - default: "false" - - verbose: javascript_sast_enabled: - - description: "Enable verbose logging" description: "Enable JavaScript SAST analysis" - - required: false required: false - - default: "false" default: "false" - - - - # SAST Configuration dockerfile_enabled: - - all_languages_enabled: description: "Enable Dockerfile analysis" - - description: "Enable SAST for all supported languages" required: false - - required: false default: "false" - - default: "false" - - all_rules_enabled: image_enabled: - - description: "Run all bundled SAST rules" description: "Enable image scanning" - - required: false required: false - - default: "false" default: "false" - - - - # Language-Specific SAST secret_scanning_enabled: - - python_sast_enabled: description: "Enable secret scanning" - - description: "Enable Python SAST" required: false - - required: false default: "false" - - default: "false" - - javascript_sast_enabled: socket_scanning_enabled: - - description: "Enable JavaScript/TypeScript SAST" description: "Enable Socket reachability scanning" - - required: false required: false - - default: "false" default: "false" - - typescript_sast_enabled: - - description: "Enable TypeScript SAST" socket_sca_enabled: - - required: false description: "Enable Socket SCA (Software Composition Analysis) scanning" - - default: "false" required: false - - go_sast_enabled: default: "false" - - 
description: "Enable Go SAST" - - required: false # Docker Configuration - - default: "false" docker_images: - - golang_sast_enabled: description: "Comma-separated list of Docker images to scan" - - description: "Enable Golang SAST" required: false - - required: false default: "" - - default: "false" dockerfiles: - - java_sast_enabled: description: "Comma-separated list of Dockerfiles to scan" - - description: "Enable Java SAST" required: false - - required: false default: "" - - default: "false" - - php_sast_enabled: # Trufflehog Configuration - - description: "Enable PHP SAST" trufflehog_exclude_dir: - - required: false description: "Comma-separated list of directories to exclude in Trufflehog" - - default: "false" required: false - - ruby_sast_enabled: default: "" - - description: "Enable Ruby SAST" trufflehog_rules: - - required: false description: "Rules to enable in Trufflehog" - - default: "false" required: false - - csharp_sast_enabled: default: "" - - description: "Enable C# SAST" trufflehog_show_unverified: - - required: false description: "Show unverified secrets in Trufflehog results" - - default: "false" required: false - - dotnet_sast_enabled: default: "false" - - description: "Enable .NET SAST" - - required: false # Socket Configuration - - default: "false" socket_org: - - c_sast_enabled: description: "Socket organization for reachability scanning (required if socket_scanning_enabled is true)" - - description: "Enable C SAST" required: false - - required: false default: "" - - default: "false" socket_api_key: - - cpp_sast_enabled: description: "Socket API key for authentication" - - description: "Enable C++ SAST" required: false - - required: false default: "" - - default: "false" socket_security_api_key: - - kotlin_sast_enabled: description: "Socket Security API key for SCA scanning (required if socket_sca_enabled is true)" - - description: "Enable Kotlin SAST" required: false - - required: false default: "" - - default: "false" socket_sca_files: - 
- scala_sast_enabled: description: "Comma-separated list of manifest files to scan (e.g., package.json,requirements.txt,go.mod)" - - description: "Enable Scala SAST" required: false - - required: false default: "" - - default: "false" - - swift_sast_enabled: # SAST configuration - - description: "Enable Swift SAST" all_languages_enabled: - - required: false description: "Enable SAST for all supported languages" - - default: "false" required: false - - rust_sast_enabled: default: "false" - - description: "Enable Rust SAST" all_rules_enabled: - - required: false description: "Run all bundled SAST rules regardless of language filters" - - default: "false" required: false - - elixir_sast_enabled: default: "false" - - description: "Enable Elixir SAST" # Per-language SAST enable flags - - required: false python_sast_enabled: - - default: "false" description: "Enable Python SAST scanning" - - required: false - - # Rule Configuration (Per-Language) default: "false" - - python_enabled_rules: javascript_sast_enabled: - - description: "Comma-separated Python rules to enable" description: "Enable JavaScript/TypeScript SAST scanning" - - required: false required: false - - default: "" default: "false" - - python_disabled_rules: typescript_sast_enabled: - - description: "Comma-separated Python rules to disable" description: "Enable TypeScript SAST scanning" - - required: false required: false - - default: "" default: "false" - - javascript_enabled_rules: go_sast_enabled: - - description: "Comma-separated JavaScript rules to enable" description: "Enable Go SAST scanning" - - required: false required: false - - default: "" default: "false" - - javascript_disabled_rules: golang_sast_enabled: - - description: "Comma-separated JavaScript rules to disable" description: "Enable Golang SAST scanning" - - required: false required: false - - default: "" default: "false" - - go_enabled_rules: java_sast_enabled: - - description: "Comma-separated Go rules to enable" description: "Enable Java 
SAST scanning" - - required: false required: false - - default: "" default: "false" - - go_disabled_rules: php_sast_enabled: - - description: "Comma-separated Go rules to disable" description: "Enable PHP SAST scanning" - - required: false required: false - - default: "" default: "false" - - java_enabled_rules: ruby_sast_enabled: - - description: "Comma-separated Java rules to enable" description: "Enable Ruby SAST scanning" - - required: false required: false - - default: "" default: "false" - - java_disabled_rules: csharp_sast_enabled: - - description: "Comma-separated Java rules to disable" description: "Enable C# SAST scanning" - - required: false required: false - - default: "" default: "false" - - php_enabled_rules: dotnet_sast_enabled: - - description: "Comma-separated PHP rules to enable" description: "Enable .NET SAST scanning" - - required: false required: false - - default: "" default: "false" - - php_disabled_rules: c_sast_enabled: - - description: "Comma-separated PHP rules to disable" description: "Enable C SAST scanning" - - required: false required: false - - default: "" default: "false" - - ruby_enabled_rules: cpp_sast_enabled: - - description: "Comma-separated Ruby rules to enable" description: "Enable C++ SAST scanning" - - required: false required: false - - default: "" default: "false" - - ruby_disabled_rules: kotlin_sast_enabled: - - description: "Comma-separated Ruby rules to disable" description: "Enable Kotlin SAST scanning" - - required: false required: false - - default: "" default: "false" - - csharp_enabled_rules: scala_sast_enabled: - - description: "Comma-separated C# rules to enable" description: "Enable Scala SAST scanning" - - required: false required: false - - default: "" default: "false" - - csharp_disabled_rules: swift_sast_enabled: - - description: "Comma-separated C# rules to disable" description: "Enable Swift SAST scanning" - - required: false required: false - - default: "" default: "false" - - dotnet_enabled_rules: 
rust_sast_enabled: - - description: "Comma-separated .NET rules to enable" description: "Enable Rust SAST scanning" - - required: false required: false - - default: "" default: "false" - - dotnet_disabled_rules: elixir_sast_enabled: - - description: "Comma-separated .NET rules to disable" description: "Enable Elixir SAST scanning" - - required: false required: false - - default: "" default: "false" - - c_enabled_rules: - - description: "Comma-separated C rules to enable" # Per-language rule overrides - - required: false python_enabled_rules: - - default: "" description: "Comma-separated list of Python SAST rules to enable" - - c_disabled_rules: required: false - - description: "Comma-separated C rules to disable" default: "" - - required: false python_disabled_rules: - - default: "" description: "Comma-separated list of Python SAST rules to disable" - - cpp_enabled_rules: required: false - - description: "Comma-separated C++ rules to enable" default: "" - - required: false javascript_enabled_rules: - - default: "" description: "Comma-separated list of JavaScript/TypeScript SAST rules to enable" - - cpp_disabled_rules: required: false - - description: "Comma-separated C++ rules to disable" default: "" - - required: false javascript_disabled_rules: - - default: "" description: "Comma-separated list of JavaScript/TypeScript SAST rules to disable" - - kotlin_enabled_rules: required: false - - description: "Comma-separated Kotlin rules to enable" default: "" - - required: false go_enabled_rules: - - default: "" description: "Comma-separated list of Go SAST rules to enable" - - kotlin_disabled_rules: required: false - - description: "Comma-separated Kotlin rules to disable" default: "" - - required: false go_disabled_rules: - - default: "" description: "Comma-separated list of Go SAST rules to disable" - - scala_enabled_rules: required: false - - description: "Comma-separated Scala rules to enable" default: "" - - required: false java_enabled_rules: - - default: "" 
description: "Comma-separated list of Java SAST rules to enable" - - scala_disabled_rules: required: false - - description: "Comma-separated Scala rules to disable" default: "" - - required: false java_disabled_rules: - - default: "" description: "Comma-separated list of Java SAST rules to disable" - - swift_enabled_rules: required: false - - description: "Comma-separated Swift rules to enable" default: "" - - required: false php_enabled_rules: - - default: "" description: "Comma-separated list of PHP SAST rules to enable" - - swift_disabled_rules: required: false - - description: "Comma-separated Swift rules to disable" default: "" - - required: false php_disabled_rules: - - default: "" description: "Comma-separated list of PHP SAST rules to disable" - - rust_enabled_rules: required: false - - description: "Comma-separated Rust rules to enable" default: "" - - required: false ruby_enabled_rules: - - default: "" description: "Comma-separated list of Ruby SAST rules to enable" - - rust_disabled_rules: required: false - - description: "Comma-separated Rust rules to disable" default: "" - - required: false ruby_disabled_rules: - - default: "" description: "Comma-separated list of Ruby SAST rules to disable" - - elixir_enabled_rules: required: false - - description: "Comma-separated Elixir rules to enable" default: "" - - required: false csharp_enabled_rules: - - default: "" description: "Comma-separated list of C# SAST rules to enable" - - elixir_disabled_rules: required: false - - description: "Comma-separated Elixir rules to disable" default: "" - - required: false csharp_disabled_rules: - - default: "" description: "Comma-separated list of C# SAST rules to disable" - - required: false - - # Socket Tier 1 Reachability default: "" - - socket_tier_1_enabled: dotnet_enabled_rules: - - description: "Enable Socket Tier 1 reachability analysis (requires Socket CLI)" description: "Comma-separated list of .NET SAST rules to enable" - - required: false required: false - - 
default: "false" default: "" - - socket_additional_params: dotnet_disabled_rules: - - description: "Additional parameters for Socket CLI" description: "Comma-separated list of .NET SAST rules to disable" - - required: false required: false - - default: "" default: "" - - c_enabled_rules: - - # Secret Scanning description: "Comma-separated list of C SAST rules to enable" - - secret_scanning_enabled: required: false - - description: "Enable secret scanning with TruffleHog" default: "" - - required: false c_disabled_rules: - - default: "false" description: "Comma-separated list of C SAST rules to disable" - - disable_all_secrets: required: false - - description: "Disable all secret scanning" default: "" - - required: false cpp_enabled_rules: - - default: "false" description: "Comma-separated list of C++ SAST rules to enable" - - trufflehog_exclude_dir: required: false - - description: "Comma-separated directories to exclude from secret scanning" default: "" - - required: false cpp_disabled_rules: - - default: "" description: "Comma-separated list of C++ SAST rules to disable" - - trufflehog_show_unverified: required: false - - description: "Show unverified secrets" default: "" - - required: false kotlin_enabled_rules: - - default: "false" description: "Comma-separated list of Kotlin SAST rules to enable" - - required: false - - # Container Scanning (Trivy) default: "" - - container_images: kotlin_disabled_rules: - - description: "Comma-separated container images to scan (auto-enables scanning)" description: "Comma-separated list of Kotlin SAST rules to disable" - - required: false required: false - - default: "" default: "" - - dockerfiles: scala_enabled_rules: - - description: "Comma-separated Dockerfiles to scan (auto-enables scanning)" description: "Comma-separated list of Scala SAST rules to enable" - - required: false required: false - - default: "" default: "" - - trivy_disabled_rules: scala_disabled_rules: - - description: "Comma-separated Trivy rules to 
disable" description: "Comma-separated list of Scala SAST rules to disable" - - required: false required: false - - default: "" default: "" - - trivy_image_scanning_disabled: swift_enabled_rules: - - description: "Disable Trivy image scanning" description: "Comma-separated list of Swift SAST rules to enable" - - required: false required: false - - default: "false" default: "" - - trivy_vuln_enabled: swift_disabled_rules: - - description: "Enable Trivy vulnerability scanning" description: "Comma-separated list of Swift SAST rules to disable" - - required: false required: false - - default: "false" default: "" - - rust_enabled_rules: - - # Notification Methods (Enterprise Plan Required) description: "Comma-separated list of Rust SAST rules to enable" - - slack_webhook_url: required: false - - description: "Slack webhook URL (Enterprise plan required)" default: "" - - required: false rust_disabled_rules: - - default: "" description: "Comma-separated list of Rust SAST rules to disable" - - webhook_url: required: false - - description: "Generic webhook URL (Enterprise plan required)" default: "" - - required: false elixir_enabled_rules: - - default: "" description: "Comma-separated list of Elixir SAST rules to enable" - - ms_sentinel_workspace_id: required: false - - description: "Microsoft Sentinel workspace ID (Enterprise plan required)" default: "" - - required: false elixir_disabled_rules: - - default: "" description: "Comma-separated list of Elixir SAST rules to disable" - - ms_sentinel_shared_key: required: false - - description: "Microsoft Sentinel shared key (Enterprise plan required)" default: "" - - required: false - - default: "" # Trivy Configuration - - sumologic_endpoint: trivy_exclude_dir: - - description: "Sumo Logic endpoint URL (Enterprise plan required)" description: "Comma-separated list of directories to exclude in Trivy" - - required: false required: false - - default: "" default: "" - - jira_url: trivy_rules: - - description: "Jira instance URL 
(Enterprise plan required)" description: "Rules to enable in Trivy" - - required: false required: false - - default: "" default: "" - - jira_project: trivy_disabled_rules: - - description: "Jira project key (Enterprise plan required)" description: "Comma-separated list of Trivy rules to disable" - - required: false required: false - - default: "" default: "" - - jira_email: trivy_image_scanning_disabled: - - description: "Jira user email (Enterprise plan required)" description: "Disable Trivy image scanning" - - required: false required: false - - default: "" default: "false" - - jira_api_token: - - description: "Jira API token (Enterprise plan required)" - - required: false # Log Forwarding Configuration - - default: "" sumo_logic_enabled: - - msteams_webhook_url: description: "Enable Sumo Logic log forwarding" - - description: "Microsoft Teams webhook URL (Enterprise plan required)" required: false - - required: false default: "false" - - default: "" sumo_logic_http_source_url: - - description: "HTTP source URL for Sumo Logic" - - # S3 Upload Configuration required: false - - s3_enabled: default: "" - - description: "Enable S3 upload for results" - - required: false # Microsoft Sentinel Configuration - - default: "false" ms_sentinel_enabled: - - s3_bucket: description: "Enable Microsoft Sentinel log forwarding" - - description: "S3 bucket name" required: false - - required: false default: "false" - - default: "" ms_sentinel_workspace_id: - - s3_access_key: description: "Workspace ID for Microsoft Sentinel" - - description: "S3 access key" required: false - - required: false default: "REPLACE_ME" - - default: "" ms_sentinel_shared_key: - - s3_secret_key: description: "Shared key for Microsoft Sentinel" - - description: "S3 secret key" required: false - - required: false default: "REPLACE_ME" - - default: "" - - s3_endpoint: # Jira Configuration - - description: "S3 endpoint URL" jira_enabled: - - required: false description: "Enable Jira ticket creation" - - 
default: "" required: false - - s3_region: default: "false" - - description: "S3 region" jira_url: - - required: false description: "Jira instance URL" - - default: "" required: false - - default: "" - -branding: jira_email: - - icon: "shield" description: "Jira user email" - - color: "blue" required: false - - default: "" - jira_api_token: - description: "Jira API token" - required: false - default: "" - jira_project: - description: "Jira project key" - required: false - default: "" - - # Slack Configuration - slack_enabled: - description: "Enable Slack notifications" - required: false - default: "false" - slack_webhook_url: - description: "Slack webhook URL" - required: false - default: "" - - # Teams Configuration - teams_enabled: - description: "Enable Microsoft Teams notifications" - required: false - default: "false" - teams_webhook_url: - description: "Teams webhook URL" required: false default: "" - - # Webhook Configuration - webhook_enabled: - description: "Enable generic webhook notifications" - required: false - default: "false" - webhook_url: - description: "Webhook URL" - required: false - default: "" - webhook_headers: - description: "Custom webhook headers as JSON string" + + socket_security_api_key: + description: "Socket Security API key (required for Enterprise features and Dashboard configuration)" required: false default: "" - # Scan Scope Configuration - scan_all: - description: "If true, always scan the whole directory regardless of git or file list." - required: false - default: "false" - scan_files: - description: "Comma-separated list of files to scan. If not set, will use git diff or scan all." + # GitHub Integration + github_token: + description: "GitHub token for PR comments and API access" required: false default: ""
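Review bot: The new `github_token` input is declared `required: false` with `default: ""`, yet its description says it is used for PR comments and API access; as written, a workflow that omits it will run the container with an empty `INPUT_GITHUB_TOKEN` and the failure (or silently skipped comment) only surfaces at runtime. The conventional fix is to default to the workflow's own scoped token, `default: ${{ github.token }}`, which keeps the least-privileged, automatically-revoked token as the path of least resistance instead of nudging users toward a long-lived PAT; if the empty default is intentional, the description should state what happens when no token is supplied. Relatedly, `socket_security_api_key` is a credential passed as an input, so its description should say it must come from `${{ secrets.* }}` and never be written as a literal in a workflow file. The hunk text is mangled (old and new sides interleaved), so the exact new-side layout of these inputs is inferred from the `+` fragments and should be confirmed against the rendered file.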