Data Theorem's API Secure will scan your RESTful APIs for security issues, including, but not limited to, SQL injection, SSRF, XSS, and PII/PHI data publicly accessible on the Internet. More information can be found here:

https://www.datatheorem.com/products/api-secure

Valid Data Theorem API key required.

To find your Data Theorem API key, connect to https://www.securetheorem.com/mobile/sdlc/results_api_access using your Data Theorem account.
Create an encrypted variable named DT_RESULTS_API_KEY in your Github repository.

For more information, see Github Encrypted secrets.

Go to your API Secure inventory in the Data Theorem portal and find the RESTful API you wish to scan.

Retrieve the RESTful API’s ID from the url of the RESTful API’s page that looks like:
https://securetheorem.com/api/restful-apis/<asset_id>

Optionally, the following scan configuration settings can be specified:

should_perform_pii_analysis: <true/false>
If set to true, the API responses received by the scanner will be analyzed for personally identifiable information.

should_perform_sql_injection_scan: <true/false>
If set to true, the API’s parameters will be scanned for SQL injection issues.
This type of scan requires sending a lot of requests to the API, it will significantly increase the load on the API, and could potentially disrupt it.

name: Request a Data Theorem API Secure scan

on:
  push:
    branches: [ main ]

jobs:
  scan:
    name: scan RESTful API for security issues
    runs-on: ubuntu-20.04
    steps:
      - name: Request Data Theorem API Secure scan
        uses: datatheorem/data-theorem-api-secure-action@v1.0.0
        with:
          dt_results_api_key: ${{ secrets.DT_RESULTS_API_KEY }}
          asset_id: "15255982-380f-4dae-8fed-b06fc6a82566"
          asset_base_url: "https://<asset_base_url>/"
          # Optional scan configuration
          should_perform_pii_analysis: false
          should_perform_sql_injection_scan: false