You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+18-6Lines changed: 18 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,9 +1,9 @@
1
1
# SecureStack GitHub Actions
2
2
3
-
A GitHub Action to execute SecureStack secrets analysis on an application code repository.
3
+
A GitHub Action to execute SecureStack application composition analysis on an application code repository. When you add this to GitHub Actions we will analyze your source code for vulnerable third party and open source libraries. It's lik "software composition analysis" but only better! This Action supports Go, Python and Javascript languages. See below for what types of issues this action scans for and what files are required.
4
4
5
5
```
6
-
name: Example Workflow Using SecureStack Action
6
+
name: Example Workflow Using SecureStack Application Composition Analysis Action
7
7
on: push
8
8
jobs:
9
9
security:
@@ -29,18 +29,30 @@ NOTE - to understand possible values for the action input `flags`, run the Secur
29
29
30
30
`$ bloodhound-cli code --help`
31
31
32
-
## Getting your SecureStack API Key
32
+
## Create your SecureStack API Key and save as GitHub Secret
33
33
34
34
1. Log in to [SecureStack](https://app.securestack.com) and go to the Profile -> GENERATE KEY screen.
35
35
2. Generate an API key and copy the value.
36
-
3. Paste into the value of a secret called SECURESTACK_API_KEY_SECRET in the GitHub repo settings.
36
+
3. Go to Settings for your GitHub repository and click on Secrets at the bottom left.
37
+
4. Create a new secret named SECURESTACK_API_KEY_SECRET and paste the value from step 2 into the field.
37
38
38
-
## Getting your SecureStack Application ID
39
+
## Retreiving your SecureStack Application ID
39
40
40
41
1. Log in to [SecureStack](https://app.securestack.com).
41
42
2. Open the application you wish to analyse.
42
43
3. Copy the value of the application id on the View Application screen.
43
44
4. Paste into the value of the `securestack_app_id` action input for the step using the SecureStack action in your workflow.
44
45
46
+
## What types of issues does this GitHub Action find?
47
+
1. Vulnerable third party libraries from place like NPM, PyPi, and Go repositories
48
+
2. Vulnerable open source libraries
49
+
3. Libraries and frameworks that have recently had ownership changes or that are malicious
50
+
51
+
## What files are necessary for this Action to work?
52
+
1. For Yarn: yarn.lock and package.json
53
+
2. For NPM: package.json and package-lock.json
54
+
3. For Go: go.dep or go.mod
55
+
4. For Python: requirements.txt
56
+
57
+
Made with 💜 by [SecureStack](https://securestack.com)
0 commit comments