Integration as GitHub Actions
Scan is available as a free GitHub action called Security and Licence Scan.
A minimal setup configuration is shown below (the action ref is a placeholder; pin it to a release tag or commit):
- uses: ShiftLeftSecurity/scan-action@<ref>  # <ref> is a placeholder for the tag or commit to pin
  with:
    type: "credscan,java,depscan"
An advanced configuration, including the ability to cache the vulnerability database and to customize the WORKSPACE URL, is shown below (action refs are placeholders; pin them to a release tag or commit):
- name: Cache vdb
  uses: actions/cache@<ref>  # <ref> is a placeholder for the tag or commit to pin
  with:
    path: |
      ${{ github.workspace }}/vdb
    key: ${{ runner.os }}
- name: Scan
  uses: ShiftLeftSecurity/scan-action@<ref>  # <ref> is a placeholder for the tag or commit to pin
  env:
    VDB_HOME: ${{ github.workspace }}/vdb
    WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SCAN_AUTO_BUILD: true
  with:
    output: reports
- name: Upload scan reports
  uses: actions/upload-artifact@<ref>  # <ref> is a placeholder for the tag or commit to pin
  with:
    name: shiftleft-scan-reports
    path: reports
Refer to this example for a complete build pipeline.
Automatic Pull Request comments
Scan can automatically add the summary as a comment to GitHub pull requests. In addition, a status check and a label are also created.
Customization
To customize the message used for the comment, create a .sastscanrc file in the repository, as suggested here, with the configuration below:
{
  "PR_COMMENT_TEMPLATE": "## Scan Summary\n%(summary)s\n## Recommendation\n%(recommendation)s\n"
}
- summary - summary table
- recommendation - one-line recommendation string (hardcoded for now)
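The template above uses Python %-style named placeholders, so a typo in a placeholder name or a bare "%" in the text (for example "100% covered") only fails at comment time in CI. The following added example, which is not part of the Scan project, reads PR_COMMENT_TEMPLATE from a constructed .sastscanrc, lints it against the two documented keys, and renders it the way %-formatting would; it assumes Scan renders the template with that formatting, as the %(summary)s syntax implies.

```python
import json
import re
from typing import List

# The two placeholders the documentation lists for PR_COMMENT_TEMPLATE.
SUPPORTED_KEYS = ("summary", "recommendation")
PLACEHOLDER_RE = re.compile(r"%\((\w+)\)s")

# The default template shown on the page.
DEFAULT_TEMPLATE = "## Scan Summary\n%(summary)s\n## Recommendation\n%(recommendation)s\n"

# Constructed sample .sastscanrc contents (JSON text, as it would sit in the repo).
SAMPLE_RC = (
    '{"PR_COMMENT_TEMPLATE": '
    '"## Scan Summary\\n%(summary)s\\n## Recommendation\\n%(recommendation)s\\n"}'
)


def load_template(rc_text: str) -> str:
    """Read PR_COMMENT_TEMPLATE from .sastscanrc text, falling back to the page's default."""
    cfg = json.loads(rc_text) if rc_text.strip() else {}
    return cfg.get("PR_COMMENT_TEMPLATE", DEFAULT_TEMPLATE)


def lint_template(template: str) -> List[str]:
    """Return the problems that would make %-style formatting of this template fail."""
    problems = []
    for key in PLACEHOLDER_RE.findall(template):
        if key not in SUPPORTED_KEYS:
            problems.append(f"unknown placeholder %({key})s")
    # Strip the valid placeholders and escaped '%%'; any '%' left over would break formatting.
    leftover = PLACEHOLDER_RE.sub("", template).replace("%%", "")
    if "%" in leftover:
        problems.append("unescaped '%' (write '%%' for a literal percent sign)")
    return problems


def render_comment(template: str, summary: str, recommendation: str) -> str:
    """Render the PR comment text, refusing templates that would fail in CI."""
    problems = lint_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template % {"summary": summary, "recommendation": recommendation}


if __name__ == "__main__":
    tpl = load_template(SAMPLE_RC)
    print(render_comment(tpl, "| Tool | Critical | High |\n| --- | --- | --- |", "Fix critical findings"))
```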
Disable comments
Set the environment variable SCAN_ANNOTATE_PR to false or 0 to disable this feature.
Last update: January 25, 2023