This GitHub Action runs Super SAST, a Docker image that runs several SAST checks on your code, and annotates the affected lines of your pull request with the reported issues.
See the Super SAST repository for a better understanding of how it works. This action implements all the tools also used by Super SAST. The Super SAST container version is pinned in the Dockerfile; currently it is:

```dockerfile
FROM ghcr.io/par-tec/super-sast:20231115-108-746a559 as super-sast
```

Note that this pins an image tag, not a digest: if you need a fully reproducible scanner, pin the `sha256:` digest as well.
Currently, four tools support annotations:
- Bandit
- Safety
- Checkov
- Semgrep
If you want to enable annotations in your pull request, you must pass a token in the inputs of the action, like this:

```yaml
- name: super-sast-action
  uses: DrPlumcake/super-sast-action@v1.0
  with:
    # [...]
    repo_token: ${{ secrets.GITHUB_TOKEN }}
```

Without it, the GitHub API requests used to post the annotations fail authentication and the action fails. The token also needs write access to checks: if your repository restricts the default `GITHUB_TOKEN` to read-only, grant it with a `permissions:` block on the job (`checks: write`, and `pull-requests: write` if you also comment on the PR).
The action running in the workflow:
The affected lines of code are annotated in the PR:
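To make concrete what the `repo_token` is used for, here is an added example (not code from super-sast-action or Super SAST) that converts a Bandit JSON report into the annotations of a GitHub Checks API check run and posts it. It assumes Bandit's JSON layout (`results[].filename`, `line_number`, `line_range`, `issue_severity`, `issue_text`, `test_id`), the Checks API check-run schema (`output.annotations`, at most 50 annotations per request, so the rest are sent as updates) and the `GITHUB_REPOSITORY`/`GITHUB_TOKEN` environment variables; the sample report is constructed.

```python
"""Added example: Bandit JSON report -> GitHub Checks API annotations.

Not the action's own implementation. Assumes the Bandit JSON layout and the
Checks API schema (POST /repos/{owner}/{repo}/check-runs, then PATCH
/check-runs/{id} for further annotation batches; max 50 per request).
"""
import json
import os
import urllib.request

# Constructed sample: a trimmed `bandit -f json` report.
SAMPLE_BANDIT_JSON = json.dumps({
    "results": [
        {"filename": "./src/app.py", "line_number": 12, "line_range": [12],
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "test_id": "B105", "test_name": "hardcoded_password_string",
         "issue_text": "Possible hardcoded password: 'hunter2'"},
        {"filename": "./src/util.py", "line_number": 40, "line_range": [40, 41],
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "test_id": "B110", "test_name": "try_except_pass",
         "issue_text": "Try, Except, Pass detected."},
    ]
})

# Bandit severity -> Checks API annotation_level (notice | warning | failure)
SEVERITY_TO_LEVEL = {"LOW": "notice", "MEDIUM": "warning", "HIGH": "failure"}
MAX_ANNOTATIONS_PER_REQUEST = 50  # Checks API limit per create/update call


def load_sample() -> dict:
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_BANDIT_JSON)


def bandit_to_annotations(report: dict, project_path: str = ".") -> list:
    """Map each Bandit result to one Checks API annotation object."""
    annotations = []
    for r in report.get("results", []):
        # Annotation paths must be relative to the repository root,
        # while Bandit reports paths as given on its command line (e.g. "./src/x.py").
        path = os.path.relpath(os.path.normpath(r["filename"]), start=project_path)
        line_range = r.get("line_range") or [r["line_number"]]
        annotations.append({
            "path": path,
            "start_line": min(line_range),
            "end_line": max(line_range),
            "annotation_level": SEVERITY_TO_LEVEL.get(r["issue_severity"], "warning"),
            "title": f"{r['test_id']} {r['test_name']}",
            "message": f"{r['issue_text']} (confidence: {r['issue_confidence']})",
        })
    return annotations


def chunk(items: list, size: int = MAX_ANNOTATIONS_PER_REQUEST) -> list:
    """Split annotations into batches the API accepts."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_check_run_requests(annotations: list, head_sha: str,
                             name: str = "super-sast / bandit") -> tuple:
    """Return (create body, [update bodies]) for one check run."""
    batches = chunk(annotations) or [[]]
    levels = {a["annotation_level"] for a in annotations}
    conclusion = "failure" if "failure" in levels else ("neutral" if annotations else "success")
    summary = f"{len(annotations)} finding(s) reported by Bandit"
    create = {
        "name": name, "head_sha": head_sha, "status": "completed",
        "conclusion": conclusion,
        "output": {"title": name, "summary": summary, "annotations": batches[0]},
    }
    updates = [{"output": {"title": name, "summary": summary, "annotations": b}}
               for b in batches[1:]]
    return create, updates


def post_check_run(repo: str, token: str, create: dict, updates: list) -> int:
    """POST the check run, then PATCH remaining batches. Needs `checks: write`."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/vnd.github+json",
               "Content-Type": "application/json"}
    base = f"https://api.github.com/repos/{repo}/check-runs"
    req = urllib.request.Request(base, data=json.dumps(create).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        check_id = json.load(resp)["id"]
    for body in updates:
        req = urllib.request.Request(f"{base}/{check_id}", data=json.dumps(body).encode(),
                                     headers=headers, method="PATCH")
        urllib.request.urlopen(req).close()
    return check_id


if __name__ == "__main__":
    create, updates = build_check_run_requests(bandit_to_annotations(load_sample()),
                                               head_sha=os.environ.get("GITHUB_SHA", "0" * 40))
    print(json.dumps(create, indent=2))  # dry run: show the payload
    if os.environ.get("GITHUB_REPOSITORY") and os.environ.get("GITHUB_TOKEN"):
        post_check_run(os.environ["GITHUB_REPOSITORY"], os.environ["GITHUB_TOKEN"], create, updates)
```

Without `GITHUB_TOKEN` in the environment the script only prints the payload; inside a workflow it posts the check run, which is exactly the call that fails with an authentication error when no token is supplied to the action.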
To add this GitHub Action to your repository you can either copy it into your repo or install it from the GitHub Actions Marketplace, e.g.:

```yaml
name: Security check - super-sast-action
on: push
jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ ubuntu-latest ]
    name: Ubuntu - ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
      - name: Security check - super-sast-action
        uses: DrPlumcake/super-sast-action@v1.0
        with:
          project_path: .
          ignore_failure: true
          repo_token: ${{ secrets.GITHUB_TOKEN }}
      # This is optional. upload-artifact@v3 is used because v1 accepts a single path only.
      - name: Security check artifacts
        uses: actions/upload-artifact@v3
        with:
          name: Security report - super sast
          path: |
            super-sast.log
            log_dir/
```
You can include the action in your workflow to trigger on any event that GitHub Actions supports.
Your workflow must include the actions/checkout step before this action runs, so that the repository source is available to the scanner.
If you'd like the workflow to trigger only on push events to specific branches, modify the `on` section:

```yaml
on:
  push:
    branches:
      - master
```
The `with` portion of the workflow must be configured before the action will work. You can add these inputs in the `with` section shown in the examples above.
Any secrets must be referenced using the `${{ secrets.NAME }}` syntax and stored in the repository's Settings / Secrets menu; never paste a token literally into the workflow file.
See the GitHub Actions documentation for more on setting environment variables and secrets.
Contributions are always welcome!
This project uses pre-commit to manage git hooks. To install the hooks, run:

```shell
pre-commit install
```

Pre-commit will generate a CycloneDX SBOM using trivy.
To test the image, run:

```shell
docker-compose up --build test
```

To test the remote image (latest), run:

```shell
docker-compose up --build test-latest
```