GitHub Action
Federacy Salus Security Scan
0.1.5
Latest version
This action utilizes Salus from Coinbase to run SAST and dependency scans.
| Name | Language |
|---|---|
| Bundle Audit | Ruby |
| Brakeman | Ruby |
| npm audit | JavaScript |
| yarn audit | JavaScript |
| Gosec | Go |
| Bandit | Python |
| Cargo Audit | Rust |
| semgrep | Many |
| PatternSearch | n/a (uses Sift) |
.github/workflows/example.yml
on: [push]
jobs:
salus_scan_job:
runs-on: ubuntu-latest
name: Salus Security Scan Example
steps:
- uses: actions/checkout@v1
- name: Salus Scan
id: salus_scan
uses: federacy/scan-action@0.1.4
on: [push]
jobs:
salus_scan_job:
runs-on: ubuntu-latest
name: Salus Security Scan Example
steps:
- uses: actions/checkout@v1
- name: Salus Scan
id: salus_scan
uses: federacy/scan-action@0.1.4
with:
active_scanners: "\n - Brakeman"
enforced_scanners: "\n - Brakeman"
on: [push]
jobs:
salus_scan_job:
runs-on: ubuntu-latest
name: Salus Security Scan Example
steps:
- uses: actions/checkout@v1
- name: Salus Scan
id: salus_scan
uses: federacy/scan-action@0.1.4
with:
enforced_scanners: "none"
on: [push]
jobs:
salus_scan_job:
runs-on: ubuntu-latest
name: Salus Security Scan Example
steps:
- uses: actions/checkout@v1
- name: Salus Scan
id: salus_scan
uses: federacy/scan-action@0.1.4
env:
SALUS_CONFIGURATION: "file://../salus-configuration.yaml file://config/pattern_search.yaml"
| attribute | description | default | options |
|---|---|---|---|
| active_scanners | Scanners to run | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
| enforced_scanners | Scanners that block builds | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
| report_uri | Where to send Salus reports | file://salus-report.json | Any URI |
| report_format | What format to use for report | json | json, yaml, txt |
| report_verbosity | Whether to enable a verbose report | true | true, false |
| salus_configuration | Where to find Salus configuration | file://../salus-configuration.yaml | Any URI |
Note: active_scanners and enforced_scanners must be yaml formatted for Salus configuration file.
None.
Stored in custom_info of a Salus scan.
| Key | Github Variable | Description |
|---|---|---|
| sha1 | GITHUB_SHA | Hash of last commit in build |
| reponame | GITHUB_REPOSITORY | Name of repository |
| ref | GITHUB_REF | Ref that triggered flow (branch or tag) |
| ci_username | GITHUB_ACTOR | Github username of user who triggered build |
| github_action | GITHUB_ACTION | Name of the action |
| github_workflow | GITHUB_WORKFLOW | Name of the workflow |
| github_event_name | GITHUB_EVENT_NAME | Name of the event that triggered workflow |
| github_event_path | GITHUB_EVENT_PATH | Path of event payload |
| github_workspace | GITHUB_WORKSPACE | Workspace directory path |
| github_head_ref | GITHUB_HEAD_REF | Ref of the head repository, if forked |
| github_base_ref | GITHUB_BASE_REF | Ref of the base repository, if forked |
| github_home | HOME | Path to home directory used by Github |