
Security Scan and Comment Action

Runs various open source security tools and then comments on PRs with results
1.0.17
Latest
Verified creator

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Security Tools Scanning

This action runs various open source security tools, processes their output, and posts the results as a comment on a pull request. It is intended to run only on pull request events.

Example Usage

```yaml
name: Security Scan Workflow
on:
  pull_request:
    types: [opened, synchronize, edited]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # needed to post the results comment
      contents: read

    steps:
      - name: Checkout code
        uses: actions/[email protected]

      - name: Run Security Scan and Comment Action
        uses: SocketDev/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

          # Enable settings
          python_sast_enabled: true
          golang_sast_enabled: true
          javascript_sast_enabled: true
          dockerfile_enabled: true
          image_enabled: true
          secret_scanning_enabled: true

          # Trivy Configuration
          docker_images: "image:latest,test/image2:latest"
          dockerfiles: "Dockerfile,relative/path/Dockerfile"

          # Exclusion settings
          trufflehog_exclude_dir: "node_modules/*,vendor,.git/*,.idea"
          trufflehog_show_unverified: False
          bandit_exclude_dir: "tests,migrations,tests,test,.venv,venv"
          bandit_rules: "B101,B102,B105,B106,B107,B110,B603,B605,B607"
          gosec_rules: "medium"
          gosec_exclude_dir: "tests,migrations,tests,test,.venv,venv"
          eslint_rules: >
            security/detect-eval-with-expression,
            security/detect-non-literal-require,
            security/detect-non-literal-fs-filename,
            security/detect-buffer-noassert,
            security/detect-new-buffer,
            security/detect-unsafe-regex,
            security/detect-disable-mustache-escape,
            security/detect-no-csrf-before-method-override,
            security/detect-pseudoRandomBytes,
            security/detect-possible-timing-attacks,
            security/detect-bidi-characters,
            security/detect-child-process,
            security/detect-non-literal-regexp,
            security/detect-object-injection

          # Log forwarding
          sumo_logic_enabled: true
          sumo_logic_http_source_url: https://example/url
          ms_sentinel_enabled: true
          ms_sentinel_workspace_id: REPLACE_ME
          # Keep the shared key out of the workflow file: store it as a repository
          # secret (the secret name below is an example) and reference it here.
          ms_sentinel_shared_key: ${{ secrets.MS_SENTINEL_SHARED_KEY }}
```
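To make the "process their output" step concrete, the following is an added illustration (not the action's own code) of how the `bandit_rules` and `bandit_exclude_dir` inputs above could be applied to Bandit's JSON output before it is rendered as a PR comment. It assumes `bandit_rules` lists rule ids to suppress, as its placement under the exclusion settings suggests, and the sample findings are constructed.

```python
import json
from pathlib import PurePosixPath

# Constructed sample of Bandit JSON output (not real scan data); B101, B105
# and B602 are real Bandit test ids.
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/views.py", "line_number": 12, "test_id": "B105",
     "issue_severity": "LOW", "issue_text": "Possible hardcoded password: 'hunter2'"},
    {"filename": "tests/test_auth.py", "line_number": 3, "test_id": "B101",
     "issue_severity": "LOW", "issue_text": "Use of assert detected."},
    {"filename": "app/runner.py", "line_number": 40, "test_id": "B602",
     "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True identified."},
]})
# Same values as the workflow's bandit_rules / bandit_exclude_dir inputs above.
BANDIT_RULES = "B101,B102,B105,B106,B107,B110,B603,B605,B607"
BANDIT_EXCLUDE_DIR = "tests,migrations,tests,test,.venv,venv"

def parse_csv_input(value):
    """Split a comma-separated action input; drop blanks and repeated items."""
    items = []
    for item in value.split(","):
        item = item.strip()
        if item and item not in items:
            items.append(item)
    return items

def is_excluded(filename, exclude_dirs):
    """True when any directory component of filename is in exclude_dirs."""
    return any(part in exclude_dirs for part in PurePosixPath(filename).parts[:-1])

def filter_findings(bandit_json, skip_rules, exclude_dirs):
    """Drop findings whose test_id is suppressed or whose file sits in an excluded dir."""
    skipped = set(parse_csv_input(skip_rules))
    excluded = set(parse_csv_input(exclude_dirs))
    return [f for f in json.loads(bandit_json)["results"]
            if f["test_id"] not in skipped
            and not is_excluded(f["filename"], excluded)]

def render_comment(findings):
    """Render the remaining findings as the markdown table a PR comment would carry."""
    if not findings:
        return "No Bandit findings after applying the configured exclusions."
    rows = ["| Rule | Severity | Location | Issue |", "|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['test_id']} | {f['issue_severity']} | "
                    f"`{f['filename']}:{f['line_number']}` | {f['issue_text']} |")
    return "\n".join(rows)
```

With the inputs above, the noisy hardcoded-password and assert findings are suppressed or excluded and only the `shell=True` subprocess finding reaches the comment.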

Security Scan and Comment Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
