{"id":24678739,"url":"https://github.com/contrast-security-oss/contrast-sca-action","last_synced_at":"2026-03-09T11:02:54.775Z","repository":{"id":58872232,"uuid":"525768161","full_name":"Contrast-Security-OSS/contrast-sca-action","owner":"Contrast-Security-OSS","description":"Contrast SCA GitHub Action","archived":false,"fork":false,"pushed_at":"2026-02-26T15:23:49.000Z","size":124,"stargazers_count":10,"open_issues_count":0,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-02-26T21:39:07.908Z","etag":null,"topics":["sca"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-08-17T11:52:14.000Z","updated_at":"2026-02-26T15:27:15.000Z","dependencies_parsed_at":"2024-07-23T13:23:07.330Z","dependency_job_id":"87af3d9b-c892-438b-b223-dea9aae23da8","html_url":"https://github.com/Contrast-Security-OSS/contrast-sca-action","commit_stats":null,"previous_names":[],"tags_count":39,"template":false,"template_full_name":null,"purl":"pkg:github/Contrast-Security-OSS/contrast-sca-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrast-sca-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrast-sca-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrast-sca-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrast-sca-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/contrast-sca-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrast-sca-action/sbom","scorecard":{"id":33067,"data":{"date":"2025-08-11","repo":{"name":"github.com/Contrast-Security-OSS/contrast-sca-action","commit":"0e0de9fdf538afd08a2c9770de87c5af8bc4181d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Maintained","score":5,"reason":"6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":9,"reason":"Found 10/11 approved changesets -- score 
normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":7,"reason":"dependency not pinned by hash detected -- score normalized to 7","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/regression.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/Contrast-Security-OSS/contrast-sca-action/regression.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/Contrast-Security-OSS/contrast-sca-action/release.yml/main?enable=pin","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/regression.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:14","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update_tags.yml:8","Info: no jobLevel write permissions 
found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-14T19:38:37.365Z","repository_id":58872232,"created_at":"2025-08-14T19:38:37.366Z","updated_at":"2025-08-14T19:38:37.366Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30291844,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T02:57:19.223Z","status":"ssl_error","status_checked_at":"2026-03-09T02:56:26.373Z","response_time":61,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sca"],"created_at":"2025-01-26T13:18:05.666Z","updated_at":"2026-03-09T11:02:54.762Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Use Contrast Security SCA to find your vulnerable dependencies\nThis GitHub action lets you use Contrast Security to detect vulnerable dependencies in your code. The action looks at project configuration files, identifies vulnerable dependencies and provides guidance on the versions to update.\n\n## Initial steps for using the action\nIf you are not familiar with GitHub actions read the\n[GitHub Actions](https://docs.github.com/en/actions) documentation to learn what GitHub Actions are and how to set them\nup. After which, complete the following steps:\n\n1. 
Configure the following GitHub secrets CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID, CONTRAST_AUTH_HEADER and CONTRAST_API_URL \n\n    \u003cimg width=\"700\" alt=\"image\" src=\"https://user-images.githubusercontent.com/24421341/195306020-a15e99f2-46bd-4d4f-bcd5-b33865040696.png\"\u003e\n\n- **CodeSec by Contrast Security users:** Retrieve authentication details for the secrets using the CLI.\n  - Installation instructions here: [https://www.contrastsecurity.com/developer/codesec](https://www.contrastsecurity.com/developer/codesec)\n  - If you are a new user, create an account with the 'contrast auth' command\n  - Run the 'contrast config' command in the CLI to collect the required credentials\n  \n    \u003cimg width=\"592\" alt=\"image\" src=\"https://user-images.githubusercontent.com/24421341/195308711-4d818254-6f7d-43e3-ae08-2a4f72ec4162.png\"\u003e\n    \n- **Licensed Contrast Security users:** Get your authentication details for the secrets from the 'User Settings' menu in the Contrast web interface. You will need the following:\n  - Organization ID\n  - Your API key\n  - Authorization header\n  - You will also need the URL of your Contrast UI host. This input includes the protocol section of the URL (https://).\n  \n    \u003cimg width=\"420\" alt=\"image\" src=\"https://user-images.githubusercontent.com/24421341/195308200-93f3c189-6f33-4e02-9e09-38c6abfeb120.png\"\u003e\n\n2. Copy one of the sample workflows below and create a branch of your code to add Contrast Security SCA. This workflow file is typically located at `.github/workflows/build.yml`\n\n3. Update the workflow file to specify when the action should run (for example on pull_request, on push)\n   \n    ```yaml\n    on:\n      pull_request:\n        branches:\n          - \"main\"\n    ```\n4. Update the filepath in the workflow file to specify the location of the project configuration file where dependencies are declared\n\n    ```yaml\n              filePath: package.json\n    ```\n\n5. 
To fail the action based on the severity of CVEs found, set severity (critical/high/medium or low) and fail to true\n\n    ```yaml\n              severity: medium\n              fail: true\n    ```\n    \n6. After committing, create a Pull Request (PR) to merge the update back to your main branch. Creating the PR triggers the Contrast Security SCA action to run. \n\n\n## Usage\n\nThe following are sample workflows to get started in Java, Node, PHP.\n\n### Java\n\n```yaml\nname: Contrast Security SCA\non:\n  push:\n    branches:\n      - \"main\"\njobs:\n  Check-Dependency-Vulnerabilities:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n\n      - name: Set up JDK 11\n        uses: actions/setup-java@v3\n        with:\n          java-version: '11'\n          distribution: 'adopt'\n\n      - name: build jar\n        run: |\n          mvn clean install -DskipTests\n\n      - name: Contrast SCA Action\n        uses: Contrast-Security-OSS/contrast-sca-action@v1\n        with:\n          apiKey: ${{ secrets.CONTRAST_API_KEY }}\n          orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}\n          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}\n          apiUrl: ${{ secrets.CONTRAST_API_URL }}\n          filePath: mypath/to/config/files\n          severity: medium\n          fail: true\n```\n\n### Node\n\n```yaml\nname: Contrast Security SCA\n\non:\n  pull_request:\n    branches:\n      - \"main\"\n\njobs:\n  Check-Dependency-Vulnerabilities:\n    runs-on: ubuntu-latest\n    steps:\n        # Checkout/build your application/install Node\n      - uses: actions/checkout@v3\n\n      - name: Contrast SCA Action\n        uses: Contrast-Security-OSS/contrast-sca-action@v1\n        with:\n          apiKey: ${{ secrets.CONTRAST_API_KEY }}\n          orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}\n          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}\n          apiUrl: ${{ secrets.CONTRAST_API_URL }}\n          filePath: mypath/to/config/files\n          severity: 
medium\n          fail: true\n\n```\n\n### PHP\n\n```yaml\nname: Contrast Security SCA\n\non:\n  push:\n    branches:\n      - \"main\"\n\njobs:\n  Check-Dependency-Vulnerabilities:\n    runs-on: ubuntu-latest\n    steps:\n        # Check out/build your application\n      - uses: actions/checkout@v3\n\n        # Install composer\n      - uses: php-actions/composer@v6\n\n      - name: Contrast SCA Action\n        uses: Contrast-Security-OSS/contrast-sca-action@v1\n        with:\n          apiKey: ${{ secrets.CONTRAST_API_KEY }}\n          orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}\n          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}\n          apiUrl: ${{ secrets.CONTRAST_API_URL }}\n          filePath: mypath/to/config/files\n          severity: medium\n          fail: true\n\n```\n\n- **Supported languages and their requirements:** \n  - **Java:** pom.xml and Maven build platform including the dependency plugin       \n    *or* build.gradle and gradle dependencies or ./gradlew dependencies must be     \n    supported                                                                     \n  - **.NET core:** MSBuild 15.0 or greater and a                   \n    packages.lock.json file.                                                      \n    Note: If the packages.lock.json file is unavailable it can be generated by    \n    setting RestorePackagesWithLockFile to true within each *.csproj file and     \n    running dotnet build.\n  - **Node:** package.json and a lock file (either .package-lock.json or .yarn.lock.)\n  - **Ruby:** gemfile and gemfile.lock\n  - **Python:** pipfile and pipfile.lock\n  - **Go:** go.mod\n  - **PHP:** composer.json and composer.lock\n\nAll Contrast Security related account secrets should be configured as GitHub secrets and will be passed via environment variables in the GitHub runner.\n\nThis section details the various inputs you can use with this Contrast Security GitHub Action. 
Inputs marked as \"required\" must be provided for the action to function correctly.\n\n## Inputs\n\n### Required Inputs\n\n- apiKey: An agent API key provided by Contrast (required).\n- authHeader: User authorization credentials provided by Contrast (required).\n- orgId: The ID of your organization in Contrast (required).\n- filePath: Specify the directory in which to search for project configuration files (required).\n\n### Command Input\n\n- command: Command to run cli with audit/fingerprint/sarif (optional, defaults to \"audit\")\n### Optional Inputs\n\n- repositoryId: The ID of your repo. (optional)\n- projectGroupId: The ID of your project Groups. (optional)\n- applicationId: The ID of your application. (optional)\n- apiUrl: The name of the host. Includes the protocol section of the URL (https://). Defaults to https://ce.contrastsecurity.com. (optional, defaults to \"https://ce.contrastsecurity.com\")\n- severity: Allows user to report libraries with vulnerabilities above a chosen severity level. Values for level are high, medium or low. (Note: Use this input in combination with the fail input, otherwise the action will exit) (optional, defaults to \"CRITICAL\")   \n- fail: When set to true, fails the action if CVEs have been detected that match at least the severity option specified. (optional)\n- ignoreDev: When set to true, excludes developer dependencies from the results. (optional)\n- outputSummary: Defaults to true. When set to true, writes the output of the audit to the GitHub Actions Summary. 
(optional, defaults to \"true\")\n- repoUrl: When set, will pass the optional repo url parameter to the contrast cli (optional)\n- repoName: When set, will pass the optional repo name parameter to the contrast cli (optional)\n- externalId: When set, will pass the optional external id parameter to the contrast cli (optional)\n- auditTimeout: Sets the timeout for an audit in seconds. Default: 600 (10 minutes) (optional, defaults to \"600\")\n- metadata: Metadata filter to be passed to the Contrast CLI when running the sarif command (optional)\n- sarifToolType: Tool type to include in the sarif file. One of SCA or ASSESS. (optional, if not specified, both will be included)\n- ghasEnabled: When set to true, will upload sarif to the GHAS integration (optional, defaults to \"true\")\n- legacy: When set to true, uses the legacy audit command. (optional)\n- modifier: When set, this will be added as a suffix to the output file names for logs and sboms uploaded to the summary page. (optional, defaults to a random string)\n- resourceGroup: Name of the resource group for a new project to be associated with.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fcontrast-sca-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrast-security-oss%2Fcontrast-sca-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fcontrast-sca-action/lists"}