- 12 Jul 2023
- 2 Minutes to read
- PDF
GitHub actions
- Updated on 12 Jul 2023
- 2 Minutes to read
- PDF
GitHub Actions is an automation and workflow tool provided by GitHub. It allows developers to automate tasks and define workflows using YAML files. Workflows are triggered by events such as code pushes or pull requests and can include a series of actions. Actions are reusable tasks that can be combined to create workflows. GitHub Actions is commonly used for continuous integration/continuous deployment (CI/CD) pipelines.
Traceable integrates with Jenkins by running security scans in staging environments. Traceable helps you by finding vulnerabilities in the early stages of SDLC, giving developers and product security engineers more time and context to prioritize the mitigation of vulnerabilities and build secure APIs. The topic explains how you can configure and use Traceable xAST CI/CD integration and how to use this to run the scan during the build step.
Before you begin
Make a note of the following before integrating GitHub actions with Traceable:
- Make sure that you have an active account and repository on GitHub.
- It is helpful if you have a basic understanding of GitHub actions and workflows. For information, see GitHub actions documentation.
Integration
Integrating Traceable xAST with GitHub workflows using GitHub actions entails finding a GitHub action, understanding the inputs and a sample GitHub action workflow.
GitHub action
All the GitHub actions by Traceable are currently available in GitHub repository. In addition, the Traceable AST actions are available in a YAML file at: https://github.com/Traceableai/ast-action/blob/main/action.yml
Understand the inputs
The following table explains the various inputs.
Input | Description |
---|---|
step_name | Scan action: init/ run/ init and run/stop. |
scan_name | The name of the scan. |
client_scan_token | Access token from Traceable Platform. You can fetch the access token by navigating to Administration () → Account → Agent token. |
cli_version | The Traceable CLI version to be used. For more information, see Traceable CLI. |
traffic_env | The environment for which AST should observe the traffic. |
plugins | List of plugins you wish to run the AST scan for. |
include_url_regex | Include the URL patterns to test. |
exclude_url_regex | Exclude URL patterns from scan. |
target_URL | Target URL for the tests. |
traceable_server | URL for the Traceable server. This is not applicable for SaaS users. |
idle_timeout | Timeout for a scan when it goes in IDLE state. |
reference_env | Reference environment from where AST should pick up the API specifications. |
max_retries | Max retries for the scan after a failure. |
Sample GitHub actions workflow
The following is a sample GitHub actions workflow which shows how you can configure the AST GitHub action.
name: Test Traceable AST Init Action And Traceable AST Run Action
on:
push:
branches:
- main
pull_request:
jobs:
AstScan:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Init scan action
uses: traceable-github-actions/traceable-ast
with:
step_name: 'init'
client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN }}
traffic_env: 'crapi-demo-1'
traceable_server: ${{ secrets.TRACEABLE_SERVER }}
- name: Run a loop as functional test (This is sample)
run: |
for ((i=1;i<=100;i++));
do
echo $i
done
- name: Run scan action
uses: traceable-github-actions/traceable-ast
with:
step_name: 'run'
client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN }}
traffic_env: 'crapi-demo-1'
cli_version: '1.0.0-rc.3'
As can be seen in the workflow above, a scan is initiated with scan action steps that takes the following as input:
- client_scan_token
- traffic_env
- traceable_server
In the next step, functional tests are executed and then runs the scan in the step after that with the following inputs:
- client_scan_token
- traffic_env
- cli_version
Triggers
GitHub workflow supports a wide range of triggers. You can read more about them at Events that trigger workflows.
Report
Following is a sample AST report once the scan is executed. The report shows various details about vulnerability category, subcategories, and severity.
You can view the report from the summary section as shown below: