Repository: [SecureStackCo/actions-exposure](https://github.com/SecureStackCo/actions-exposure) (GitHub, default branch `main`, license GPL-3.0, created 2021-11-29, last pushed 2023-06-07)

Description: A GitHub Action that scans your public web applications after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.

Topics: actions, cloud-security, cloud-security-posture-management, deployment, deployment-automation, deployment-pipeline, dynamic-analysis, github-actions, secrets-detection, security, software-composition-analysis, vulnerability-detection, vulnerability-scanning, web-application, web-vulnerability, web-vulnerability-scanner

# SecureStack Web Vulnerability Analysis GitHub Action

A GitHub Action that analyzes your web application for security and availability issues. When you add this to GitHub Actions we will analyze your web app every time you deploy to a public endpoint and let you know if what you've just deployed is secure and meets your requirements. See below for what types of issues this action scans for.

```
name: Example Workflow Using SecureStack Web Vulnerability Exposure Action
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Web Vulnerability Exposure Analysis Step
        id: exposure
        uses: SecureStackCo/actions-exposure@v0.1.3
        with:
          securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
          securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
          severity: critical
          flags: '--dom -r'
```

NOTE - to understand possible values for the action input `flags`, run the SecureStack CLI locally (the `recon` subcommand is the one this action's exposure analysis corresponds to, see the local CLI command further down):

`$ bloodhound-cli recon --help`

## Create your SecureStack API Key and save as GitHub Secret

1. Log in to [SecureStack](https://app.securestack.com) with your GitHub credentials.
2. Go to Settings in the lower left corner, and then select the 6th tab: API. ![Create API key](./images/securestack-create-apikey.png)
3. Generate a new API key and copy the value. ![Copy API key](./images/securestack-copy-apikey.png)
4. Now back in GitHub, go to Settings for your GitHub repository and click on Secrets, and then Actions at the bottom left.
5. Create a new secret named SECURESTACK_API_KEY, paste the value from step 3 into the field and click "Add secret". ![Create GitHub Secret for API key](./images/securestack-github-apikey-secret.png)

## Retrieving your SecureStack Application ID

1. Log in to [SecureStack](https://app.securestack.com).
2. In the application drop down at the top left choose the application you want to use and click on "Copy Application ID". ![Copy Application ID](./images/securestack-copy-appid.png)
3. Create a new secret named SECURESTACK_APP_ID, paste the value from step 2 into the field and click "Add secret". ![Create GitHub Secret for app_id](./images/securestack-github-appid-secret.png)
4. When completed, the two GitHub Secrets should look like this: ![Successfully created two secrets](./images/securestack-github-secrets-success.png)

## What vulnerabilities do we find?
1. Scans the web application for out-of-date and vulnerable application components
2. Identifies whether basic security controls like a WAF, firewalls, and security headers are being used
3. Finds all public-facing assets & helps you understand your application attack surface
4. Identifies misconfigurations in an existing WAF or CDN
5. Identifies if the app is using CSP or security headers and whether they're working
6. Finds WAF bypass attacks for Akamai, Cloudflare & Imperva

## How can I see the output of the web exposure analysis?
1. You can view the analysis output right in the GitHub Action workflow output. ![workflow output](./images/securestack-exposure-output-action-log.png)
2. You can run a local web exposure analysis with our [bloodhound-cli](https://app.securestack.com/download-cli): `bloodhound-cli recon -r -a <app_id>`
3. You can interact with the analysis output in the SecureStack SaaS platform. ![platform](./images/securestack-exposure-saas-view.png)

## Check out our other GitHub Actions:
1. [SecureStack Software Composition Analysis (SCA)](https://github.com/marketplace/actions/securestack-application-composition-analysis) - Scan your application for vulnerable third-party and open source libraries.
2. [SecureStack Secret Scanning](https://github.com/marketplace/actions/securestack-secrets-analysis) - Scan your application for embedded API keys, credentials and sensitive data.
3. [SecureStack Web Vulnerability & Cloud Misconfiguration Analysis](https://github.com/marketplace/actions/securestack-web-vulnerability-analysis) - Scan your running application URL for cloud misconfigurations and web vulnerabilities.
4. [SecureStack Log4j Analysis](https://github.com/marketplace/actions/securestack-log4j-vulnerability-analysis) - Scan your application for Log4j/Log4Shell vulnerabilities.
5. [SecureStack SBOM](https://github.com/marketplace/actions/securestack-sbom) - Create a software bill of materials (SBOM) for your application.
6. Or, our [All-in-One GitHub Action](https://github.com/marketplace/actions/securestack-all-in-one-github-action) - We've put all of our actions together into one "Action to rule them ALL"!

Made with 💜 by [SecureStack](https://securestack.com)
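The example workflow at the top of this README runs the scan on every push and references the action by a mutable tag, which is enough to try the action out but is not how most teams would ship it. The workflow below is an added example, not from the SecureStack repository, showing how the same action and the same four inputs can be wired into a deploy pipeline so that the scan runs only after the deployment job for an environment has finished, with a read-only workflow token and both actions pinned to a full commit SHA. The `deploy` job, its `./deploy.sh` script, the `production` environment name and the `<full-commit-sha>` placeholders are assumptions for illustration; replace the placeholders with the commit behind the release you have reviewed (the repository's tags page lists them).

```yaml
# Added example (not from the SecureStack repository): run the exposure scan
# after the deployment it is meant to check, with a least-privilege token and
# the actions pinned to commits rather than to mutable tags.
name: Deploy and scan exposure
on:
  push:
    branches: [main]

# Neither job needs to write to the repository, and the scan job needs no checkout.
permissions:
  contents: read

# Serialise deploys so the scan never runs against a half-rolled-out release.
concurrency:
  group: production-deploy
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production           # assumed environment name; holds the deploy secrets
    steps:
      # Pinned to a full commit SHA; the tag in the trailing comment is for human readers
      # and dependency-update tooling. <full-commit-sha> is a placeholder.
      - uses: actions/checkout@<full-commit-sha> # v4
      - name: Deploy to production
        run: ./deploy.sh                # assumed deploy script standing in for your real deploy step

  exposure:
    needs: deploy                       # scan what was just deployed, not what is about to be
    runs-on: ubuntu-latest
    environment: production             # same environment, so environment-scoped secrets apply
    steps:
      - name: Web Vulnerability Exposure Analysis
        id: exposure
        uses: SecureStackCo/actions-exposure@<full-commit-sha> # v0.1.3, placeholder SHA
        with:
          securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
          securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
          severity: critical            # severity threshold as in the README example
          flags: '--dom -r'
```

Storing SECURESTACK_APP_ID as an environment secret (GitHub Settings, Environments) rather than a repository secret lets one copy of the `exposure` job scan the dev, staging and production applications, each against the SecureStack application ID that belongs to that environment, which is what "add this to your dev, staging and prod steps" amounts to in practice. GitHub masks values passed from the `secrets` context in the job log, so the API key does not appear in the workflow output shown in the README.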