SCAN-5473 : Add initial local scanner action.
steviemul committed Jan 18, 2024
1 parent e42ff99 commit d842d1a
Showing 22 changed files with 12,498 additions and 4 deletions.
11 changes: 11 additions & 0 deletions .eslintrc.json
@@ -0,0 +1,11 @@
{
"env": {
"es2021": true,
"node": true
},
"extends": ["eslint:recommended", "prettier"],
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module"
}
}
16 changes: 16 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,16 @@
# Lines starting with '#' are comments.
# Each line is a file pattern followed by one or more owners.

# More details are here: https://help.github.com/articles/about-codeowners/

# The '*' pattern is global owners.

# Order is important. The last matching pattern has the most precedence.
# The folders are ordered as follows:

# In each subsection folders are ordered first by depth, then alphabetically.
# This should make it easy to add new rules without breaking existing ones.

# Global rule:
# SAST Developers
* @Contrast-Security-OSS/sast-admins
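Review bot: the comment "The folders are ordered as follows:" announces a list of folders that never follows, and the file's only rule is the global `*`; either drop the ordering preamble until per-directory rules exist or fill in the sections it refers to. The global owner rule itself is fine.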
55 changes: 55 additions & 0 deletions .github/workflows/release.yaml
@@ -0,0 +1,55 @@
name: Release local scanner action

on:
push:
branches:
- 'main'

permissions:
contents: write

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install modules
run: npm ci
- name: eslint
run: npm run lint:check

build-action-docker-image:
needs: [ lint ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build local scanner action image
run: |
docker build .
verify-action:
runs-on: ubuntu-latest
needs: [ build-action-docker-image ]
steps:
- uses: actions/checkout@v3
- uses : ./
name: Run action against repoository
with:
apiUrl: ${{ secrets.CONTRAST__API__URL }}
apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
severity: medium
path: src

release:
runs-on: ubuntu-latest
needs: [ test-action ]
steps:
- uses: actions/checkout@v3
- name: Install modules
run: npm run ci
- name: release
run: npm run release

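Review bot: the `release` job declares `needs: [ test-action ]`, but no job with that name exists in this workflow (the verification job is `verify-action`), so GitHub will reject the workflow file and the release will never run; change it to `needs: [ verify-action ]`. In the same job, `run: npm run ci` invokes a package script named `ci` rather than `npm ci` as the `lint` job does; use `npm ci` so the release installs from the lockfile. Two smaller points in `verify-action`: `- uses : ./` has a stray space before the colon (YAML still parses it, but it reads as a typo) and the step name says "repoository". Also consider moving `contents: write` from the workflow level into the `release` job only, since `lint`, `build-action-docker-image` and `verify-action` need no more than `contents: read`.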
47 changes: 47 additions & 0 deletions .github/workflows/validate.yaml
@@ -0,0 +1,47 @@
name: Validate local scanner action

on:
push:
branches:
- '*'
- '!main'

permissions:
contents: read
checks: write

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install modules
run: npm ci
- name: eslint
run: npm run lint:check

build-action-docker-image:
needs: [ lint ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build local scanner action image
run: |
docker build .
verify-action:
runs-on: ubuntu-latest
needs: [ build-action-docker-image ]
steps:
- uses: actions/checkout@v3
- uses : ./
name: Run action against repoository
with:
apiUrl: ${{ secrets.CONTRAST__API__URL }}
apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
checks: true
severity: medium
path: src
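Review bot: `checks: write` is granted at the workflow level although only `verify-action` (the job that passes `checks: true`) needs it; scope the permission to that job and leave `lint` and `build-action-docker-image` at `contents: read`. The `verify-action` step carries the same `- uses : ./` spacing and "repoository" typo as release.yaml. Note also that the scan is limited to `path: src`, so this self-test only exercises the action's own source; that looks intentional but deserves a one-line comment so nobody reads it as a full repository scan.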
2 changes: 2 additions & 0 deletions .gitignore
@@ -0,0 +1,2 @@
node_modules
.vscode
11 changes: 11 additions & 0 deletions Dockerfile
@@ -0,0 +1,11 @@
FROM alpine:3.19

RUN apk upgrade && \
apk add nodejs npm openjdk11-jre-headless tar

COPY package.json /contrast-local-scanner/package.json
RUN cd /contrast-local-scanner && npm i --production

COPY src /contrast-local-scanner/src

ENTRYPOINT ["node", "/contrast-local-scanner/src/index.js"]
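Review bot: the image installs dependencies from `package.json` alone (`COPY package.json` followed by `npm i --production`), so no lockfile is consulted and each build can resolve different dependency versions, while the workflows in this same commit run `npm ci`, which requires one; copy `package-lock.json` into the image as well and run `npm ci --omit=dev` (`--production` is the deprecated spelling of `--omit=dev`) so the action ships the exact tree that was linted. Two reproducibility points alongside: `FROM alpine:3.19` is a floating tag, so pin it by digest (`alpine:3.19@sha256:<digest>`), and `apk upgrade && apk add ...` should pass `--no-cache` so the package index is not baked into the layer.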
4 changes: 2 additions & 2 deletions LICENSE
@@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright [yyyy] [name of copyright owner]
Copyright [2024] [Contrast Security, Inc]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
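Review bot: the replacement line keeps the square brackets, `Copyright [2024] [Contrast Security, Inc]`; the Apache 2.0 appendix this hunk sits in asks for the bracketed fields to be replaced with your own identifying information, brackets included, so it should read `Copyright 2024 Contrast Security, Inc`. The appendix in LICENSE is only the template; the same notice normally goes at the top of the source files being licensed.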
@@ -198,4 +198,4 @@
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.
122 changes: 120 additions & 2 deletions README.md
@@ -1,2 +1,120 @@
# contrast-local-scan-action
Contrast Local Scanner Github action
# Use Contrast Local Scanner to analyze your code

This GitHub action lets you use Contrast Local Scanner to detect vulnerabilities in your code without uploading your code to Contrast's servers.

## Supported Languages
- ASP.NET
- C
- C#
- C++
- COBOL
- GO
- HTML
- Java
- JavaScript/TypeScript
- JSP
- Kotlin
- PHP
- Python
- Scala
- VB.NET

## **Initial steps for using the action**
If you are not familiar with GitHub actions read the
[GitHub Actions](https://docs.github.com/en/actions) documentation to learn what GitHub Actions are and how to set them
up. After which, complete the following steps:

1. Configure the following GitHub secrets

- CONTRAST__API__API_KEY
- CONTRAST__API__ORGANIZATION
- CONTRAST__API__SERVICE_KEY
- CONTRAST__API__USER_NAME
- CONTRAST__API__URL

![secrets](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/a40f01a3-b179-4837-abd2-df91a5a220fb)

2. Get your authentication details for the secrets from the 'User Settings' menu in the Contrast web interface: You will need the following

- Organization ID
- Your API key
- Service key
- User name
- You will also need the URL of your Contrast UI host. This input includes the protocol section of the URL (https://).

![credentials](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/7a123c22-1f5f-4091-90d3-f297959d1e20)

3. Create a workflow, or update an existing one to run this action against your code (for example, on push)

```yaml
name: Scan with local scanner

on:
push:
branches:
- 'main'

permissions:
contents: read

jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: Contrast-Security-OSS/[email protected]
with:
apiUrl: ${{ secrets.CONTRAST__API__URL }}
apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
```
4. To fail the step based on vulnerabilities being found at a severity or higher, set the severity option to one of critical, high, medium, low, note.
*Note: this is based on the aggregated vulnerabilities found at the project level.*
```yaml
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: Contrast-Security-OSS/[email protected]
with:
apiUrl: ${{ secrets.CONTRAST__API__URL }}
apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
severity: high
```
5. To add GitHub checks to the current commit (e.g. the current PR), set the checks option to true.
*Note: You need the checks: write permission to be set if enabling this.*
![checks](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/d39d14c4-1f05-4ac6-8e3d-c09912ed9559)
## Required Inputs
- apiUserName : A valid user name from the Contrast platform.
- apiKey : An API key from the Contrast platform.
- apiServiceKey : An API Service Key from the Contrast platform
- apiOrgId : The ID of your organization in Contrast.
## Optional Inputs
- apiUrl : Url of your Contrast instance, defaults to https://app.contrastsecurity.com/
- checks : If set, GitHub checks will be added to the current commit based on any vulnerabilities found.
- codeQuality : Passes the -q option to the Contrast local scanner to include code quality rules in the scan.
- label : Label to associate with the current scan. Defaults to the current ref e.g. **refs/heads/main**
- memory : Memory setting passed to the underlying scan engine. Defaulted to 2g.
- path : Path to scan with Contrast local scanner. Defaults to the current repository path.
- projectName : Project to associate scan with. Defaults to current GitHub repository name e.g. **Contrast-Security-OSS/contrast-local-scan-action**
- resourceGroup : Passes the -r option to the Contrast local scanner to associate newly created projects with the specified resource group.
- severity : Set this to cause the build to fail if vulnerabilities are found at this severity or higher. Valid values are critical, high, medium, low, note.
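Review bot: the example workflows in steps 3 and 4 reference the action as `Contrast-Security-OSS/[email protected]`, which is not a valid `uses:` reference (the form is `owner/repository@ref`); restore the repository name and release tag, and prefer pinning consumers to a full commit SHA rather than a mutable tag so they get an immutable version of the action. The inputs documentation is also out of step with action.yml in this same commit: `strategy` and `token` are not listed at all, `apiUrl` appears under Optional Inputs here but is declared `required: true` there, and the severity values are lowercase here and uppercase there. Smaller items: "GO" should be "Go" in the language list, and the `## **Initial steps for using the action**` heading does not need the bold markers.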
62 changes: 62 additions & 0 deletions action.yml
@@ -0,0 +1,62 @@
name: Contrast Local Scan
description: Runs Contrast local scanner against the current repository
inputs:
apiUrl: # id of input
description: Url of your contrast instance, defaults to https://app.contrastsecurity.com/
required: true
default: 'https://app.contrastsecurity.com/'
apiUserName:
description: User name for authentication
required: true
apiKey:
description: API Key from user settings
required: true
apiServiceKey:
description: Service Key from user settings
required: true
apiOrgId:
description: Organization ID from user settings
required: true
checks:
description: >
If set, checks will be added to the current commit based on any vulnerabilities found.
Requires the 'checks: write' permission.
required: false
default: false
codeQuality:
description: Set this to true to include code quality rules when executing source code scanner.
required: false
default: false
label:
description: Label to associate with the current scan. Defaults to the current ref e.g. refs/heads/main
memory:
description: Memory setting passed to the underlying scan engine. Defaulted to 2g
required: false
path:
description: Path to scan with local scanner. Defaults to the current repository path.
required: false
projectName:
description: Project to associate scan with. Defaults to current github repository name e.g. Example-ORG/example-repo
required: false
resourceGroup:
description: Resource group to assign newly created projects to.
required: false
strategy:
description: >
Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project
vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
required: false
default: "project"
severity:
description: >
Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher.
Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
required: false
token:
description: >
GitHub token for GitHub API requests. Defaults to GITHUB_TOKEN.
required: true
default: ${{ github.token }}
runs:
using: 'docker'
image: 'Dockerfile'
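Review bot: the `strategy` description has three typos ("conjuction", "set this valid", "agreggated") and should read roughly: "Used in conjunction with severity or checks; set this value to fail the build based on aggregated project vulnerabilities or on the current scan. Valid values are "project" or "scan". Defaults to "project"." The `severity` description is redundant ("exceeding this severity or higher") and lists values in uppercase while README.md lists them in lowercase; settle on one form and say whether matching is case-insensitive. `apiUrl` is `required: true` yet carries a default and is described as optional, so `required: false` matches the intent. `memory` says "Defaulted to 2g" but declares no `default:`, so the fallback presumably lives in the action code; either add the default here or say so in the description. Finally, `runs.image: 'Dockerfile'` rebuilds the image on every workflow run of every consumer; publishing a prebuilt image pinned by digest would be faster and give a fixed, auditable artifact.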