Skip to content
/ ARQAN.action Public
forked from VeriDevOps/CICD_ARQAN_RQCODE_Github_Actions

GitHub Action Security Requirement Analysis with STIG database for Windows platform.

License

Apache-2.0 license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

VeriDevOps/ARQAN.action

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

161 Commits
.github
.github
 
 
dist
dist
 
 
src
src
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.prettierrc.json
.prettierrc.json
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Security Requirement Analysis GitHub Action

GitHub license Contributor Covenant Typescript

A GitHub Action to analyze your security requirements that are represented in the form of GitHub Issues. If Action classifies Issue as a security requirement, then it sets a label on it. Additionally, it recommends Security Technical Implementation Guides(STIGs) that cover the requirement. Moreover, it suggests already implemented tests on the recommended STIGs from RQCODE repository. In case of tests absence on proposed STIGs, automatically creates Issue in RQCODE repository asking to implement it.

Usage

You can use the Security Requirement Analysis GitHub Action in a GitHub Actions Workflow by configuring a YAML-based workflow file, e.g. .github/workflows/security-requirement.yaml, with the following:

name: Analyse security requirement

on:
  # triggers on Issue opened event
  issues:
    types:
      - opened

jobs:
  label:
    runs-on: ubuntu-latest
    name: Find out if Issue is security requirement
    steps:
      - uses: actions/checkout@v3
      - uses: VeriDevOps/security-issue-classification@main
        name: Label an issue, suggest STIGs and Tests
        with:
          rqcode-token: ${{ secrets.RQCODE_TOKEN }}

Inputs

rqcode-token

Required. A GitHub access token (PAT) with public_repo access in the repo scope. NOTE. The automatically provided token e.g. ${{ secrets.GITHUB_TOKEN }} can not be used, GitHub prevents this token from being able to create issues in other repositories(in our case, RQCODE repository). The reasons are explained in the GitHub Community Forum.

The solution is to manually create a PAT and store it as a secret e.g. ${{ secrets.RQCODE_TOKEN }}

label

Optional. The label to mark issue as security requirement. Default: 'security'

stigs-comment

Optional. Enable STIGs and tests suggestion from RQCODE repository through issue commenting. Default: 'true'

token

Optional. A github token used for creating an octoclient for making API calls for labeling and commenting Issues. If you want to use another user, you can specify its token. Default: ${{ github.token }}

username

Required. Username to sign-up in ARQAN microservice. Provide a unique username for ARQAN service in ${{ secrets.ARQAN_USER }}.

password

Required. Password to sign-up in ARQAN microservice. Provide a secure password for ARQAN service in ${{ secrets.ARQAN_PASS }}.

Contributing

Contributions are welcome! See CONTRIBUTING.md for step-by-step instructions.

If you need help or have a question, let us know via a GitHub issue with type Question.

License

This project is licensed under the Apache License - see the LICENSE file for details.

About

GitHub Action Security Requirement Analysis with STIG database for Windows platform.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v1 - Mapping to STIGs for windows platform Latest
Feb 26, 2024
+ 2 releases

Packages

No packages published

Languages

  • TypeScript 100.0%