A GitHub Action to execute SecureStack application composition analysis on an application code repository. When you add this to GitHub Actions we will analyze your source code for vulnerable third party and open source libraries. It's like "software composition analysis" but only better! This Action supports Go, Python and Javascript languages. See below for what types of issues this action scans for and what files are required.
name: Example Workflow Using SecureStack Application Composition Analysis Action
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout repo for running code analysis within workflow
id: checkout
uses: actions/checkout@v2.4.0
with:
fetch-depth: 0
- name: Code Analysis Step
id: code
uses: SecureStackCo/actions-code@main
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY_SECRET }}
securestack_app_id: '<Application ID>'
severity: critical
language: node
flags: '--path . --debug'
NOTE - to understand possible values for the action input flags
, run the SecureStack cli locally:
$ bloodhound-cli code --help
- Log in to SecureStack and go to the Profile -> GENERATE KEY screen.
- Generate an API key and copy the value.
- Go to Settings for your GitHub repository and click on Secrets at the bottom left.
- Create a new secret named SECURESTACK_API_KEY_SECRET and paste the value from step 2 into the field.
- Log in to SecureStack.
- Open the application you wish to analyse.
- Copy the value of the application id on the View Application screen.
- Paste into the value of the
securestack_app_id
action input for the step using the SecureStack action in your workflow.
- Vulnerable third party libraries from place like NPM, PyPi, and Go repositories
- Vulnerable open source libraries
- Libraries and frameworks that have recently had ownership changes or that are malicious
- For Yarn: yarn.lock and package.json
- For NPM: package.json and package-lock.json
- For Go: go.dep or go.mod
- For Python: requirements.txt
Made with 💜 by SecureStack