{"id":24678734,"url":"https://github.com/contrast-security-oss/contrastscan-action","last_synced_at":"2025-10-09T19:06:18.932Z","repository":{"id":37862530,"uuid":"425983001","full_name":"Contrast-Security-OSS/contrastscan-action","owner":"Contrast-Security-OSS","description":"Contrast Scan GitHub action","archived":false,"fork":false,"pushed_at":"2024-08-12T13:32:55.000Z","size":128,"stargazers_count":20,"open_issues_count":1,"forks_count":4,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-10-08T11:45:53.778Z","etag":null,"topics":["contrast-security","dockerfile","kotlin","sast","sca","security","static-analysis"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-11-08T20:26:03.000Z","updated_at":"2025-09-28T11:25:44.000Z","dependencies_parsed_at":"2024-01-29T12:53:47.313Z","dependency_job_id":"e8fe3fda-3810-4a15-93f7-d0d6b4972d84","html_url":"https://github.com/Contrast-Security-OSS/contrastscan-action","commit_stats":{"total_commits":63,"total_committers":8,"mean_commits":7.875,"dds":0.5238095238095238,"last_synced_commit":"7c525114dfe622648f6227374937d4e0531558fd"},"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/Contrast-Security-OSS/contrastscan-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/Contrast-Security-OSS%2Fcontrastscan-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrastscan-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrastscan-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrastscan-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/contrastscan-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fcontrastscan-action/sbom","scorecard":{"id":33070,"data":{"date":"2025-08-11","repo":{"name":"github.com/Contrast-Security-OSS/contrastscan-action","commit":"339c87f4614b05aae7373929c56573c1bf362c02"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.8,"checks":[{"name":"Code-Review","score":9,"reason":"Found 9/10 approved changesets -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/Contrast-Security-OSS/contrastscan-action/release.yml/main?enable=pin","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:14","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update_tags.yml:8","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has 
generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-14T19:38:38.928Z","repository_id":37862530,"created_at":"2025-08-14T19:38:38.928Z","updated_at":"2025-08-14T19:38:38.928Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279001983,"owners_count":26083243,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["contrast-security","dockerfile","kotlin","sast","sca","security","static-analysis"],"created_at":"2025-01-26T13:18:05.081Z","updated_at":"2025-10-09T19:06:18.914Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Use Contrast Scan to analyze your code\n\nThis GitHub action lets you use Contrast Security's industry leading Code Scanner (Contrast Scan) to find vulnerabilities in your code.\nThe Action compares the code scanning analysis of the PR to the last code scan analysis of the destination branch.  
GitHub fails the check if new vulnerabilities have been introduced.\n\n- **Supported languages:** Java, Javascript and .NET\n\n## **Initial steps for using the action**\nIf you are not familiar with GitHub actions read the\n[GitHub Actions](https://docs.github.com/en/actions) documentation to learn what GitHub Actions are and how to set them\nup. After which, complete the following steps:\n\n1. Configure the following GitHub secrets CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID, CONTRAST_AUTH_HEADER and CONTRAST_API_URL \n\n   ![image](https://user-images.githubusercontent.com/24421341/195881793-1ae0c552-8701-4501-a5b9-25863b0c84a5.png)\n\n- **CodeSec by Contrast Security users:** Retrieve authentication details for the secrets using the CLI.\n  - Installation instructions here : [https://www.contrastsecurity.com/developer/codesec](https://www.contrastsecurity.com/developer/codesec)\n  - If you are a new user, create an account with the 'contrast auth' command\n  - Run the 'contrast config' command in the CLI to collect the required credentials\n  \n    ![image](https://user-images.githubusercontent.com/24421341/195882697-cd56ea93-01d3-43d4-99e6-9005e7683111.png)\n\n- **Licensed Contrast Security users:** Get your authentication details for the secrets from the 'User Settings' menu in the Contrast web interface: You will need the following \n  - Organization ID\n  - Your API key\n  - Authorization header\n  - You will also need the URL of your Contrast UI host. This input includes the protocol section of the URL (https://).\n  \n  ![image](https://user-images.githubusercontent.com/24421341/195883255-b436a666-a040-478a-a9d5-15314097695b.png)\n\n2. Copy sample workflow below and create a branch of your code to add Contrast security Scan. This branch is typically located at `.github/workflows/build.yml`\n\n3. 
Update the workflow file to specify when the action should run (for example on pull_request, on push)\n\n   ```yaml\n   on:\n     # Trigger analysis when pushing to main or an existing pull requests.  Also trigger on\n     # new pull requests\n     push:\n       branches:\n         - main\n     pull_request:\n         types: [opened, synchronize, reopened]\n   ```\n\n\n4. Update the filepath in the workflow file to specify the location of the built artifact or file to scan\n\n  ```yaml\n      with:\n        artifact: mypath/target/myartifact.jar \n  ```\n\n5. To fail based on severity of vulnerability found set severity (critical/high/medium or low) and fail to true\n\n   ```yaml\n        severity: high\n        fail: true   \n   ```\n\n6. In order for GitHub to list vulnerabilities in the **Security** Tab of the repo, the Contrast action must be accompanied by this GitHub action\n\n   ```yaml\n       - name: Upload SARIF file\n         uses: github/codeql-action/upload-sarif@v2\n         with:\n           sarif_file: results.sarif\n   ```\n   \n   The value of `sarif_file` *must* be `results.sarif` which is the name that Contrast Scan Action will write the sarif to.\n   \n7. After committing, create a Pull Request (PR) to merge the update back to your main branch. Creating the PR triggers the scan to run. The extra \"Code Scanning\" check appears in the PR\n\nSince it’s likely there will be new findings when you add Contrast Scan, we don't want to fail and block merging the PR that adds Contrast Scan, forcing the owner of the PR to now fix all the newly exposed vulnerabilities that already existed in the code base. 
\n\nAfter Contrast Scan runs on the main branch, all new PRs that you create where the Contrast Scan is run fail the code scanning check if they introduce new vulnerabilities beyond the baseline you just established.\n \n## Usage\nAll Contrast-related account secrets should be configured as GitHub secrets and will be passed to the scanner via\nenvironment variables in the GitHub runner.\nA simple workflow to get going is:\n```yaml\non:\n  # Trigger analysis when pushing to main or an existing pull requests.  Also trigger on\n  # new pull requests\n  push:\n    branches:\n      - main\n  pull_request:\n      types: [opened, synchronize, reopened]\nname: Contrast Security Scan\njobs:\n  build_and_scan:\n    permissions:\n        contents: read # for actions/checkout\n        security-events: write # for github/codeql-action/upload-sarif\n        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status\n    runs-on: ubuntu-latest\n    # check out project\n    steps:\n    - uses: actions/checkout@v2\n    # steps to build the artifact you want to scan\n    # -name: Build Project\n    # ...\n    # Scan Artifact    \n    - name: Contrast Scan Action\n      uses: Contrast-Security-OSS/contrastscan-action@v2.0.3\n      with:\n        artifact: mypath/target/myartifact.jar\n        apiKey: ${{ secrets.CONTRAST_API_KEY }}\n        orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }}\n        authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}\n        severity: high\n        fail: true\n    # To list vulnerabilities in the GitHub Security Tab of the repo include GitHub upload-sarif action\n    # The value of `sarif_file` must be `results.sarif` \n    - name: Upload SARIF file\n      uses: github/codeql-action/upload-sarif@v2\n      with:\n        sarif_file: results.sarif\n```\n\n\n## Required inputs\n- apiKey - An API key from the Contrast platform.\n- authHeader - User authorization credentials from Contrast.\n- orgId - 
The ID of your organization in Contrast.\n- artifact - The artifact to scan on the Contrast platform.\n## Optional inputs\n- apiUrl - The URL of the host. This input includes the protocol section of the URL (https://). The default value is [https://ce.contrastsecurity.com](https://ce.contrastsecurity.com/) (Contrast Community Edition).\n- severity - Specify severity of vulnerability. Values for severity are critical, high, medium or low. Fail must also be set to true to fail the check\n- fail - When set to true, fails the check if vulnerabilities have been detected that match at least the severity option specified.\n- projectName - The name of the scan project in Contrast.\n  If you don’t specify a project name, Contrast Scan uses the artifact file name for the project name.\n- projectId - The ID of your project in Contrast.\n  - If a project ID already exists, Contrast Scan uses that ID instead of one you specify.\n  - If you don’t specify a project ID, Contrast Scan creates a project ID for the specified project name.\n- timeout - Sets a specific time span (in seconds) before the function times out. The default timeout is five minutes.\n\n## **If you are using the Contrast Maven plugin**\nThis GitHub action and the **[Contrast Maven plugin](https://github.com/Contrast-Security-OSS/contrast-maven-plugin)** accomplish the same thing. You cannot use both at the same time.\nFor example, if you are using maven to build your code and you run org.contrastsecurity.maven:scan during the build, do not use the Contrast Scan GitHub action.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fcontrastscan-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrast-security-oss%2Fcontrastscan-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fcontrastscan-action/lists"}