Skip to content

Latest commit

 

History

History
165 lines (118 loc) · 5.7 KB

README.md

File metadata and controls

165 lines (118 loc) · 5.7 KB
Raw

Warning

actions/upload-artifact@v3 and actions/download-artifact@v3 is scheduled for deprecation on November 30, 2024. Learn more. We've upgraded the version of @actions/artifact to 2.1.4, which now supports actions/upload-artifact@v4 and actions/download-artifact@v4. Please ensure compatibility by utilizing the v4 versions of actions/upload-artifact and actions/download-artifact.

Veracode Software Composition Analysis

Veracode Software Composition Analysis (agent-based scan) as a GitHub Action with the following actions:

  • Run the Veracode SCA similar as the script in textual output mode
  • Ability to create issues for identified vulnerabilities without creating duplicates
  • Ability to run the scan on a remote repository
  • Ability to run the scan with the --quick flag

Pull Request Decoration

If the action runs on a pull request, it will either add a comment with the scan output to the PR or it will automatically link all created GitHub issues to the PR. This will help your review process to see if the PR can be approved or not.

Inputs

❗ You will need to provide SRCCLR_API_TOKEN as an environment variable (see examples below).

❗ If using an org-level agent, you will need to provide SRCCLR_WORKSPACE_SLUG as an environment variable.

Artifacts

The run will store 2 different types of artifacts.
If create-issues is set to true the artifact will be the json output stored as scaResults.json.
If create-issues is set to false the artifact will be the text output stored as scaResults.txt.
For both the artifact name will be Veracode Agent Based SCA Results.

github_token

Required - The authorization token to allow the action to create issues.

If the default value ${{ github.token }} is not working, the token must be set on the action inputs.
You may be able to simply use ${{ secrets.GITHUB_TOKEN }} as a default option - see more details

Otherwise, you may be able create and assign as secret a Personal Access Token and assign it with the required permissions (repo scope).

create-issues

Optional - whether to create issues from found vulnerabilities

This is a boolean value attirbute

Default Value: false

url

Optional - specify a remote repository URL for scanning. It will not scan the current repository in which the workflow is running

path

Optional - a relative path for the scan to start. This attribute is useful in scenarios where the actual code is not in the root of the repository. An example would be mono repo where the repository is home for multiple projects

Default Value: . (repository root folder)

quick

Optional - run the Veracode SCA scan with --quick

Default Value: false

debug

Optional - run the Veracode SCA scan with --debug

Default Value: false

skip-collectors

Optional - run the Veracode SCA scan with the --skip-collectors attribute with comma sporated values. The available values can be found here: Scan directive (scroll down to the skip_collectors directive). Default Value: None

allow-dirty

Optional - run the Veracode SCA scan with --allow-dirty

Default Value: false

recursive

Optional - run the Veracode SCA scan with --recursive

Default Value: false

skip-vms

Optional - run the Veracode SCA scan with --skip-vms

Default Value: false

no-graphs

Optional - do not include dependency graphs in the JSON output.

Default Value: false

Examples

Scan your repository with textual output

Run a scan but do not create issues for identified vulnerabilities.

on: 
  schedule:
    - cron: 15 14 * * 6
  workflow_dispatch:

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan repository with Veracode SCA

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: veracode/veracode-sca@v2.1.10
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          create-issues: false

Scan the local repository

Run a quick scan on the repository and create issues for all identified vulnerabilities.

on: 
  push:
    paths-ignore:
      - "README.md"
  schedule:
    - cron: 15 14 * * 6

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan repository with Veracode SCA

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: veracode/veracode-sca@v2.1.10
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          quick: true
          create-issues: true

User Interface

Issues List

Issues List

Individual Issue

Individual issues ticket content

Compile the action

The action comes pre-compiled as transpiled JavaScript. If you want to fork and build it on your own you need NPM to be installed, use ncc to compile all node modules into a single file, so they don't need to be installed on every action run. The command to build is simply

ncc build ./src/action.ts