Salus Security Scan Action

This action utilizes Salus from Coinbase to run SAST and dependency scans.

Bundle Audit, Brakeman, NPM Audit, and Yarn Audit reports can optionally be sent to SecureDevelopment by Federacy for analysis.

Scanners supported

| Name | Language |
| --- | --- |
| Bundle Audit | Ruby |
| Brakeman | Ruby |
| npm audit | JavaScript |
| yarn audit | JavaScript |
| Gosec | Go |
| Bandit | Python |
| Cargo Audit | Rust |
| semgrep | Many |
| PatternSearch | n/a (uses Sift) |

Example usage

Defaults

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/scan-action@0.1.1

Single scanner

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/scan-action@0.1.1
      with:
          active_scanners: "\n  - Brakeman"
          enforced_scanners: "\n  - Brakeman"

No enforced scanners

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/scan-action@0.1.1
      with:
          enforced_scanners: "none"

Custom configuration

on: [push]

jobs:
  salus_scan_job:
    runs-on: ubuntu-latest
    name: Salus Security Scan Example
    steps:
    - uses: actions/checkout@v1
    - name: Salus Scan
      id: salus_scan
      uses: federacy/scan-action@0.1.1
      env:
        SALUS_CONFIGURATION: "file://../salus-configuration.yaml file://config/pattern_search.yaml"

Inputs

| attribute | description | default | options |
| --- | --- | --- | --- |
| active_scanners | Scanners to run | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
| enforced_scanners | Scanners that block builds | all | Brakeman, PatternSearch, BundleAudit, NPMAudit, GoSec |
| report_uri | Where to send Salus reports | file://../salus-report.json | Any URI |
| report_format | What format to use for the report | json | json, yaml, txt |
| report_verbosity | Whether to enable a verbose report | true | true, false |
| salus_configuration | Where to find the Salus configuration | file://../salus-configuration.yaml | Any URI |

Note: active_scanners and enforced_scanners must be YAML formatted, because their values are inserted into the Salus configuration file (hence the "\n  - Brakeman" form in the examples above).

Outputs

None.

Github Environment Variables

The following GitHub variables are stored in the custom_info section of a Salus scan report.

| Key | Github Variable | Description |
| --- | --- | --- |
| sha1 | GITHUB_SHA | Hash of the last commit in the build |
| reponame | GITHUB_REPOSITORY | Name of the repository |
| ref | GITHUB_REF | Ref that triggered the workflow (branch or tag) |
| ci_username | GITHUB_ACTOR | Github username of the user who triggered the build |
| github_action | GITHUB_ACTION | Name of the action |
| github_workflow | GITHUB_WORKFLOW | Name of the workflow |
| github_event_name | GITHUB_EVENT_NAME | Name of the event that triggered the workflow |
| github_event_path | GITHUB_EVENT_PATH | Path of the event payload |
| github_workspace | GITHUB_WORKSPACE | Workspace directory path |
| github_head_ref | GITHUB_HEAD_REF | Ref of the head repository, if forked |
| github_base_ref | GITHUB_BASE_REF | Ref of the base repository, if forked |
| github_home | HOME | Path to the home directory used by Github |
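As an added example (not code from this action or from Salus), the following Python post-processing step reads the JSON report the action writes to report_uri, applies the same "all" / "none" / YAML-list semantics the inputs table and the note above describe for enforced_scanners, and pulls the build provenance out of custom_info. The report structure (a `scans` map with a `passed` flag per scanner) and the sample report itself are constructed assumptions for this example, not a captured Salus run.

```python
import json
from typing import List, Union

# Constructed sample modeled on a Salus JSON report (report_format: json, written
# to report_uri). The scans -> {"passed": bool} layout and the custom_info keys
# are assumptions for this example, not the output of a real run.
SAMPLE_REPORT = json.dumps({
    "custom_info": {"sha1": "0123456789abcdef0123456789abcdef01234567",
                    "reponame": "example-org/example-app",
                    "ref": "refs/heads/main", "ci_username": "octocat"},
    "scans": {"Brakeman": {"passed": False},
              "BundleAudit": {"passed": True},
              "PatternSearch": {"passed": False}},
})

ScannerSpec = Union[str, List[str]]  # "all", "none", or explicit scanner names


def parse_scanner_input(value: str) -> ScannerSpec:
    """Interpret an active_scanners/enforced_scanners input string."""
    # The action splices the string under a YAML key, so "all"/"none" stay
    # keywords and "\n  - Brakeman" becomes a one-item YAML list.
    text = value.strip()
    if text in ("all", "none"):
        return text
    items = [ln.strip()[2:].strip() for ln in text.splitlines()
             if ln.strip().startswith("- ")]
    if not items:
        raise ValueError(f"not a YAML list of scanners: {value!r}")
    return items


def failing_scanners(report_json: str) -> List[str]:
    """Scanner names whose result in the report is not marked passed."""
    scans = json.loads(report_json).get("scans", {})
    return sorted(name for name, res in scans.items() if not res.get("passed"))


def blocking_failures(report_json: str, enforced: ScannerSpec) -> List[str]:
    """Failures that should fail the build under the enforced_scanners policy."""
    failed = failing_scanners(report_json)
    if enforced == "none":
        return []
    if enforced == "all":
        return failed
    return [name for name in failed if name in set(enforced)]


def build_context(report_json: str) -> str:
    """Provenance line from custom_info (the GitHub variables the action stores)."""
    i = json.loads(report_json).get("custom_info", {})
    return f"{i.get('reponame')}@{i.get('sha1', '')[:12]} ({i.get('ref')}, {i.get('ci_username')})"
```

Run it as a step after the scan with the report path from report_uri; a non-empty result from blocking_failures is what should fail the job when you gate on enforced scanners yourself.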

Sending reports to dashboard

Steps:

  1. Create a free account on SecureDevelopment by Federacy
  2. Click 'Applications' in the navbar
  3. Click 'Create Application'
  4. Copy the example job to your workflow in .github/workflows

Contributors

Chris Czub