Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/whitesource/GitHubPackagesSecurityAction
Mend security scan action for Github package registry
https://github.com/whitesource/GitHubPackagesSecurityAction
Last synced: about 2 months ago
JSON representation
Mend security scan action for Github package registry
- Host: GitHub
- URL: https://github.com/whitesource/GitHubPackagesSecurityAction
- Owner: whitesource
- License: apache-2.0
- Created: 2019-10-29T20:32:59.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-03-06T13:46:31.000Z (7 months ago)
- Last Synced: 2024-03-26T09:32:17.046Z (6 months ago)
- Language: JavaScript
- Homepage:
- Size: 439 KB
- Stars: 64
- Watchers: 13
- Forks: 28
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Whitesource GP Security Action
This action is designed to run as part of the workflow `registry_package` [triggered event](https://help.github.com/en/github/automating-your-workflow-with-github-actions/events-that-trigger-workflows).
It scans the published/updated Docker image in GP and reports back with found security vulnerabilities and license information.
# Usage
See [action.yml](action.yml)
### Input Parameters
**gp-token**: GitHub personal access token with read/write privileges to GP. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.
**ws-destination-url**: WhiteSource environment destination url. Required parameter.
**ws-api-key**: WhiteSource organization api key. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.
**ws-user-key**: WhiteSource user key. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). Required parameter.
**ws-product-key**: WhiteSource product key to publish results to. This parameter must be a [repository secret](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables). If not specified - a default product will be created.
**print-scan-report**: Whether to print the results report as part opf the action's log. Default is false.
**actions_step_debug**: Whether to print debug logs. Default is false.
### Output Parameters
**scan-report-file-path**: Path of the scan report file.
**scan-report-folder-path**: Path of the folder of the scan report file.
### Workflow Examples
The recommended way to add this action to your workflow, is with a subsequent action that uploads the report json as an artifact. For example:
```yaml
on: registry_package
name: WORKFLOW_NAME
jobs:
gpSecurityJob:
name: GP Security Check Job
runs-on: ubuntu-latest
steps:
- name: GP Security Check Step
id: gp-security-check
uses: whitesource/[email protected]
with:
gp-token: ${{ secrets.GP_ACCESS_TOKEN }}
ws-api-key: ${{ secrets.WS_API_KEY }}
ws-user-key: ${{ secrets.WS_USER_KEY }}
ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}
ws-destination-url: https://saas.whitesourcesoftware.com/agent
- name: Upload Report
uses: actions/upload-artifact@master
with:
name: security-scan-log
path: ${{ steps.gp-security-check.outputs.scan-report-folder-path }}
```
Another option is to print the scan report to the step's log, without uploading it as an artifact:
```yaml
on: registry_package
name: WORKFLOW_NAME
jobs:
gpSecurityJob:
name: GP Security Check Job
runs-on: ubuntu-latest
steps:
- name: GP Security Check Step
id: gp-security-check
uses: whitesource/[email protected]
with:
gp-token: ${{ secrets.GP_ACCESS_TOKEN }}
ws-api-key: ${{ secrets.WS_API_KEY }}
ws-user-key: ${{ secrets.WS_USER_KEY }}
ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}
ws-destination-url: https://saas.whitesourcesoftware.com/agent
print-scan-report: true
```
# Scan Report File
The output is a report in json format, which includes information on vulnerabilities, license, top fixes and inventory details. For example:
```json
{
"projectVitals": {
"productName": "demo product",
"name": "demo project",
"token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
},
"libraries": [
{
"keyUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"keyId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"type": "REDHAT_PACKAGE_MODULE",
"languages": "RPM",
"references": {
"url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm",
"homePage": "http://www.sqlite.org/"
},
"outdated": true,
"sha1": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"name": "sqlite.rpm",
"artifactId": "sqlite.rpm",
"version": "3.7.17-8.el7",
"groupId": "sqlite",
"licenses": [
{
"name": "Public Domain",
"url": "http://creativecommons.org/licenses/publicdomain/",
"profileInfo": {
"copyrightRiskScore": "ONE",
"patentRiskScore": "THREE",
"copyleft": "NO",
"linking": "NON_VIRAL",
"royaltyFree": "NO"
},
"referenceType": "RPM (details available in package spec file)",
"reference": "packageName\u003dsqlite\u0026url\u003dhttp://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm"
}
],
"vulnerabilities": [
{
"name": "CVE-2018-8740",
"type": "CVE",
"severity": "MEDIUM",
"score": 5.0,
"cvss3_severity": "HIGH",
"cvss3_score": 7.5,
"scoreMetadataVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"publishDate": "2018-03-17",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-8740",
"description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
"allFixes": [],
"references": []
}
]
}
]
}
```
# License
The scripts and documentation in this project are released under the [Apache 2.0](LICENSE) license.