crda is a GitHub Action is an action which uses CodeReady Dependency Analytics to analyze vulnerabilities in a project's dependencies.
The scan's result is uploaded to the GitHub repository as a SARIF file, and vulnerabilities found are reported to repository maintainers in the Security tab.
CRDA supports Go, Java, Node.js, and Python projects.
CRDA is integrated with Snyk to provide excellent analysis by referencing a database of known vulnerabilities.
Read more about CRDA in this blog post.
You can refer to the examples in this repository for a simple example of scanning each supported language.
Unless already done, you must set up the tool stack for your project.
Refer to the setup actions for:
Use the OpenShift Tools Installer to install the CRDA CLI.
The project must have a dependencies manifest file which CRDA can read to install dependencies.
By default, CRDA will install dependencies using a standard command for the project type.
- Override the path to the manifest with the
manifest_pathinput. - Override the install command with the
deps_install_cmdinput.
| Project Type | Required Manifest | Default Install Command |
|---|---|---|
| Go | go.mod |
go mod vendor |
| Java | pom.xml |
mvn -ntp -B package |
| Node.js (npm) | package.json, package-lock.json |
npm ci |
| Node.js (yarn) | package.json, yarn.lock |
yarn install --frozen-lockfile |
| Python | requirements.txt |
pip install -r requirements.txt |
For authentication, you must provide either a CRDA Key or a Synk Token.
The token must be stored in a repository secret.
- Sign up for Synk.
- Click through the wizard. You do not need to provide it any permissions if you don't want to.
- Go to
Account settingsto find your Synk Token (aka "key"). - Provide the token in the
synk_tokeninput.
- First, obtain a Snyk token.
- Install the CRDA CLI locally
- Run
crda auth. Provide the Snyk token so the CRDA Key can also access the Synk database. - Extracted the CRDA Key from the output or
$HOME/.crda/config.yaml. - Provide the CRDA Key in the
crda_keyinput.
You only need to provide one of the two authentication tokens.
The example workflow job below shows how the crda action can be used to scan vulnerabilities in a Node.js project and upload the result to GitHub.
steps:
- name: Checkout
uses: actions/checkout@v2
with:
repository: nodejs/examples
- name: Set up Node.js
uses: actions/setup-node@v2
with:
node-version: '14'
- name: Install CRDA
uses: redhat-actions/openshift-tools-installer@v1
with:
source: github
crda: latest
- name: CRDA Scan
id: crda_scan
uses: redhat-actions/crda@v1
with:
manifest_path: package.json
crda_key: ${{ secrets.CRDA_KEY }}
- name: Print Report Link
run: echo ${{ steps.crda_scan.outputs.report_link }}| Input | Description | Default |
|---|---|---|
| crda_key | Existing CRDA key to identify the existing user. | Required unless synk_token is set |
| snyk_token | Snyk token to be used to authenticate to the CRDA | Required unless crda_key is set |
| manifest_path | Path of the manifest file to use for analysis, relative to the repository root. | Required |
| analysis_report_name | Name of the analysis report files. A .json and a .sarif file will be created. |
crda_analysis_report |
| checkout_path | Path at which the project repository is checked out. | ${{ github.workspace }} |
| consent_telemetry | CRDA collects anonymous usage data. Enable this to help make CRDA better for our users. Refer to the privacy statement for more details. | false |
| deps_install_cmd | Command to use for the dependencies installation instead of using the default. | View defaults |
| fail_on | Configure if the workflow should fail if a vulnerability of this level or higher is found in the project. This can be error to fail only on errors, warning to fail on warnings or errors, or never to always pass the step. |
error |
| github_token | GitHub token used to upload the SARIF report to GitHub. The token must have security_events write permission. |
${{ github.token }} |
| upload_sarif | Whether or not to upload the generated SARIF file. If this is disabled, vulnerabilities will not be reported in the Security tab. | true |
- crda_report_json: Path to generated CRDA analysis report in JSON format.
- crda_report_sarif: Path to generated CRDA analysis report in SARIF format.
- report_link: CRDA Analysis report link.
This action can run CRDA scans on pull requests. Because the action must check out the pull request's code in order to scan it, the pull_request_target trigger must be used.
Since the pull request's code will be checked out in order to install dependencies, repository maintainers must manually verify that the pull request does not include any malicious code before the scan can run. Maintainers can approve the CRDA scan by adding the CRDA Scan Approved label.
Each time a new commit is pushed to the pull request, the Approved label will be removed. A maintainer must review the code again and re-add the label, to prevent malicious code from executing due to the prior approval.
After the CRDA scan is approved and the workflow runs, a label indicating the scan result will be added to the pull request.
Use the following snippet to enable pull request scans in your repository:
on:
pull_request_target:
# These types are all required for CRDA to scan pull requests correctly and securely.
types: [ opened, synchronize, reopened, labeled, edited ]