{"id":13825771,"url":"https://github.com/whitesource/GitHubPackagesSecurityAction","last_synced_at":"2025-07-08T22:32:19.380Z","repository":{"id":45342908,"uuid":"218378212","full_name":"whitesource/GitHubPackagesSecurityAction","owner":"whitesource","description":"Mend security scan action for Github package registry ","archived":false,"fork":false,"pushed_at":"2024-03-06T13:46:31.000Z","size":450,"stargazers_count":64,"open_issues_count":4,"forks_count":28,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-03-26T09:32:17.046Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/whitesource.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-29T20:32:59.000Z","updated_at":"2024-07-17T07:11:36.991Z","dependencies_parsed_at":"2024-01-18T04:07:03.833Z","dependency_job_id":"2c0eec07-afde-4ed1-b668-f287a904a9c5","html_url":"https://github.com/whitesource/GitHubPackagesSecurityAction","commit_stats":{"total_commits":9,"total_committers":2,"mean_commits":4.5,"dds":0.2222222222222222,"last_synced_commit":"71f6f4fc1b85615df665c24400572964e2c4cc4f"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitesource%2FGitHubPackagesSecurityAction","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitesource%2FGitHubPackagesSecurityAction/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/whitesource%2FGitHubPackagesSecurityAction/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/whitesource%2FGitHubPackagesSecurityAction/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/whitesource","download_url":"https://codeload.github.com/whitesource/GitHubPackagesSecurityAction/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224951401,"owners_count":17397391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T09:01:26.807Z","updated_at":"2024-11-20T04:30:51.119Z","avatar_url":"https://github.com/whitesource.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# Whitesource GP Security Action\nThis action is designed to run as part of the workflow `registry_package` [triggered event](https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows).\n\nIt scans the published/updated Docker image in GP and reports back with found security vulnerabilities and license information.\n\n# Usage\nSee [action.yml](action.yml)\n\n### Input Parameters\n**gp-token**: GitHub personal access token with read/write privileges to GP. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.\n\n**ws-destination-url**: WhiteSource environment destination url. 
Required parameter.\n\n**ws-api-key**: WhiteSource organization API key. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.\n\n**ws-user-key**: WhiteSource user key. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.\n\n**ws-product-key**: WhiteSource product key to publish results to. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). If not specified, a default product will be created.\n\n**print-scan-report**: Whether to print the results report as part of the action's log. Default is false.\n\n**actions_step_debug**: Whether to print debug logs. Default is false.\n\n### Output Parameters\n**scan-report-file-path**: Path of the scan report file.\n\n**scan-report-folder-path**: Path of the folder of the scan report file.\n\n### Workflow Examples\nThe recommended way to add this action to your workflow is with a subsequent action that uploads the report JSON as an artifact. 
For example:\n```yaml\non: registry_package\nname: WORKFLOW_NAME\njobs:\n  gpSecurityJob:\n    name: GP Security Check Job\n    runs-on: ubuntu-latest\n    steps:\n      - name: GP Security Check Step\n        id: gp-security-check\n        uses: whitesource/GitHubPackagesSecurityAction@19.10.2\n        with:\n          gp-token: ${{ secrets.GP_ACCESS_TOKEN }}\n          ws-api-key: ${{ secrets.WS_API_KEY }}\n          ws-user-key: ${{ secrets.WS_USER_KEY }}\n          ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}\n          ws-destination-url: https://saas.whitesourcesoftware.com/agent\n      - name: Upload Report\n        uses: actions/upload-artifact@master\n        with:\n          name: security-scan-log\n          path: ${{ steps.gp-security-check.outputs.scan-report-folder-path }}\n```\n\nAnother option is to print the scan report to the step's log, without uploading it as an artifact:\n```yaml\non: registry_package\nname: WORKFLOW_NAME\njobs:\n  gpSecurityJob:\n    name: GP Security Check Job\n    runs-on: ubuntu-latest\n    steps:\n      - name: GP Security Check Step\n        id: gp-security-check\n        uses: whitesource/GitHubPackagesSecurityAction@19.10.2\n        with:\n          gp-token: ${{ secrets.GP_ACCESS_TOKEN }}\n          ws-api-key: ${{ secrets.WS_API_KEY }}\n          ws-user-key: ${{ secrets.WS_USER_KEY }}\n          ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}\n          ws-destination-url: https://saas.whitesourcesoftware.com/agent\n          print-scan-report: true\n```\n\n\n# Scan Report File\nThe output is a report in json format, which includes information on vulnerabilities, license, top fixes and inventory details. 
For example:\n```json\n{\n  \"projectVitals\": {\n    \"productName\": \"demo product\",\n    \"name\": \"demo project\",\n    \"token\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"\n  },\n  \"libraries\": [\n    {\n      \"keyUuid\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\n      \"keyId\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\n      \"type\": \"REDHAT_PACKAGE_MODULE\",\n      \"languages\": \"RPM\",\n      \"references\": {\n        \"url\": \"http://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm\",\n        \"homePage\": \"http://www.sqlite.org/\"\n      },\n      \"outdated\": true,\n      \"sha1\": \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\n      \"name\": \"sqlite.rpm\",\n      \"artifactId\": \"sqlite.rpm\",\n      \"version\": \"3.7.17-8.el7\",\n      \"groupId\": \"sqlite\",\n      \"licenses\": [\n        {\n          \"name\": \"Public Domain\",\n          \"url\": \"http://creativecommons.org/licenses/publicdomain/\",\n          \"profileInfo\": {\n            \"copyrightRiskScore\": \"ONE\",\n            \"patentRiskScore\": \"THREE\",\n            \"copyleft\": \"NO\",\n            \"linking\": \"NON_VIRAL\",\n            \"royaltyFree\": \"NO\"\n          },\n          \"referenceType\": \"RPM (details available in package spec file)\",\n          \"reference\": \"packageName\\u003dsqlite\\u0026url\\u003dhttp://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm\"\n        }\n      ],\n      \"vulnerabilities\": [\n        {\n          \"name\": \"CVE-2018-8740\",\n          \"type\": \"CVE\",\n          \"severity\": \"MEDIUM\",\n          \"score\": 5.0,\n          \"cvss3_severity\": \"HIGH\",\n          \"cvss3_score\": 7.5,\n          \"scoreMetadataVector\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n          \"publishDate\": \"2018-03-17\",\n          \"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name\\u003dCVE-2018-8740\",\n          \"description\": \"In SQLite 
through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.\",\n          \"allFixes\": [],\n          \"references\": []\n        }\n      ]\n    }\n  ]\n}\n```\n\n# License\n\nThe scripts and documentation in this project are released under the [Apache 2.0](LICENSE) license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwhitesource%2FGitHubPackagesSecurityAction","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwhitesource%2FGitHubPackagesSecurityAction","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwhitesource%2FGitHubPackagesSecurityAction/lists"}