{"id":24678696,"url":"https://github.com/contrast-security-oss/integration-verify-github-action","last_synced_at":"2025-10-08T11:31:21.182Z","repository":{"id":36953861,"uuid":"460160735","full_name":"Contrast-Security-OSS/integration-verify-github-action","owner":"Contrast-Security-OSS","description":"GitHub Action to verify an application by determining whether the application violates a job outcome policy or threshold of open vulnerabilities","archived":false,"fork":false,"pushed_at":"2024-10-18T23:31:27.000Z","size":148,"stargazers_count":3,"open_issues_count":9,"forks_count":4,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-01-19T21:37:58.198Z","etag":null,"topics":["assess","contrast","github-actions","security","verify"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Contrast-Security-OSS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-16T20:07:44.000Z","updated_at":"2024-07-09T08:56:37.000Z","dependencies_parsed_at":"2024-07-14T13:30:36.979Z","dependency_job_id":null,"html_url":"https://github.com/Contrast-Security-OSS/integration-verify-github-action","commit_stats":{"total_commits":152,"total_committers":3,"mean_commits":"50.666666666666664","dds":"0.48026315789473684","last_synced_commit":"96c97a464246c5161b78df0512c8206acb4415c2"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fintegration-verify-github
-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fintegration-verify-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fintegration-verify-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Contrast-Security-OSS%2Fintegration-verify-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Contrast-Security-OSS","download_url":"https://codeload.github.com/Contrast-Security-OSS/integration-verify-github-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235706306,"owners_count":19032607,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assess","contrast","github-actions","security","verify"],"created_at":"2025-01-26T13:17:58.985Z","updated_at":"2025-10-08T11:31:15.896Z","avatar_url":"https://github.com/Contrast-Security-OSS.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Contrast Verify Action\nThis action verifies an application that's onboarded to Contrast by determining whether the application violates a [Job Outcome Policy](https://docs.contrastsecurity.com/en/define-a-job-outcome-policy.html) or threshold of open vulnerabilities.\n\n## Inputs\n|Input Name|Description|Required|\n|------|------|------|\n|`apiKey`|Contrast User/Service Account API Key|Yes|\n|`orgId`|Contrast Organization ID|Yes|\n|`apiUrl`|URL of your Contrast Teamserver Instance (must begin with 
`https://` or `http://`)|No, defaults to `https://app.contrastsecurity.com`|\n|`serviceKey`|Contrast User or Service Account service key|Yes, unless `authHeader` is passed|\n|`authHeader`|Contrast User or Service Account authorization header|Yes, if `userName` and `serviceKey` are not passed|\n|`userName`|Contrast User or Service Account username|Yes, if `authHeader` not passed|\n|`appId`|ID of the application to verify against|Yes, if `appName` not passed|\n|`appName`|Name of the application to verify against|Yes, if `appId` not passed|\n|`buildNumber`|The build number or app version tag to filter vulnerabilities by|No|\n|`failThreshold`|Number of vulnerabilities that are needed to fail the build (not used if there is a defined job outcome policy)|No, defaults to `0`|\n|`jobStartTime`|Filter vulnerabilities first found after this timestamp (formatted **in milliseconds** since the epoch)|No, defaults to `0`|\n|`severities`|Comma-separated list of vulnerability severities to consider (not used if there is a defined job outcome policy). 
Values allowed are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW` and `NOTE`|No, defaults to `CRITICAL,HIGH`|\n\n\n## Example usage\n\n```yaml\nname: Test and Verify\non:\n  push:\n    branches:\n      - main\n  pull_request:\njobs:\n  test_and_verify:\n    runs-on: ubuntu-latest\n    steps:\n        # check out project\n      - uses: actions/checkout@v2\n        # record start time so we can verify only newly found vulnerabilities\n      - name: Define job start time\n        run: |\n          import time\n          n = int(round(time.time() * 1000))\n          print(f\"::set-output name=jobStartTime::{n}\")\n        shell: python\n        id: set-job-start-time\n      # steps to build and run integration tests\n      # - name: Run tests\n      #\n      - name: Contrast Verify\n        uses: Contrast-Security-OSS/integration-verify-github-action@main\n        with:\n          apiKey: ${{ secrets.CONTRAST_API_KEY }}\n          orgId: \u003corganization id\u003e\n          apiUrl: https://app.contrastsecurity.com\n          authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }}\n          appName: App_Name_Here\n          #appId: or app_uuid_here if known\n          jobStartTime: \"${{ steps.set-job-start-time.outputs.jobStartTime }}\"\n```\n\n### Job Start Time and Build Number\n\nAs shown above, the `jobStartTime` input value can be generated with a script step, running prior to your tests.\nThis approach is useful when you want to consider only new vulnerabilities found by this action run, for example in a pull request.\n\nYou may also pass a `buildNumber` input which will filter for vulnerabilities found in specific builds. 
The agent must be started with this same build number provided via the `CONTRAST__APPLICATION__VERSION` environment variable, or equivalent YAML/System Properties.\n\nIf both `jobStartTime` and `buildNumber` are provided, the step will consider only vulnerabilities found since the specified start time, **and** with the provided `buildNumber`.\n\n## Use outside of GitHub Actions\n\nThis integration is available as a Docker image which allows it to be used in other environments outside of GitHub Actions, for example, in GitLab pipelines. For more details, see [Container Documentation](CONTAINER_DOCS.md).\n\n## Logging\n\nDebug log messages are only made visible when [GitHub Actions debug logging is enabled](https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging).\n\n## Proxy / Custom TLS Certificates\n\nAn HTTP or HTTPS proxy may be used, by setting the environment variables `HTTP_PROXY` and `HTTPS_PROXY` respectively. The value should be the full proxy URL, including authorization details if required.\n\nIf your environment requires custom certificate(s) to be trusted, these may be provided via the input `caFile` in PEM format.\n\n## Development Setup\n1. Run `python -m venv venv` to set up a virtual environment\n1. Run `. venv/bin/activate` to activate the virtual environment\n1. Run `pip install -r requirements-dev.txt` to install development dependencies (will also include app dependencies)\n1. Run `pre-commit install` to set up the pre-commit hook which handles formatting\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fintegration-verify-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontrast-security-oss%2Fintegration-verify-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontrast-security-oss%2Fintegration-verify-github-action/lists"}