-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from udit-uniyal/main
Updated README file & added action file
- Loading branch information
Showing
2 changed files
with
167 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,89 @@ | ||
| # sast-scan-action | ||
| # AccuKnox SAST GitHub Action | ||
|
|
||
| ## Learn More | ||
|
|
||
| - [About Accuknox](https://www.accuknox.com/) | ||
|
|
||
| **Description** | ||
| This GitHub Action runs a Static Application Security Testing (SAST) using SonarQube, then uploads the generated report to the AccuKnox CSPM panel. The action can be configured with specific inputs to integrate seamlessly with your DevSecOps pipeline. | ||
|
|
||
| ## Usage | ||
|
|
||
| ### Steps for Using AccuKnox SAST Scan Action in a Workflow YAML File | ||
|
|
||
| 1. **Checkout into the Repo** | ||
| Use the checkout action to ensure your codebase is available for scanning. | ||
|
|
||
| 2. **Add AccuKnox SAST Scan Action** | ||
| Use the `accuknox/[email protected]` repository with the desired version tag, e.g., `v1.0.0`. | ||
|
|
||
| 3. **Token Generation from AccuKnox SaaS and Viewing Tenant ID** | ||
| To obtain the `accuknox_token` and `tenant_id` values needed to authenticate with AccuKnox: | ||
|
|
||
| - **Navigate to Tokens** | ||
| Go to the **Settings** section in the AccuKnox SaaS sidebar. | ||
|
|
||
|  | ||
|
|
||
| - **Create Token** | ||
| In the "Tokens" section, click on **Create Token**. This action will display your `tenant_id` and allow you to generate an access token. | ||
|
|
||
|  | ||
|
|
||
| - **Generate the Token** | ||
| After clicking **Generate**, copy the `accuknox_token` to use in the workflow. | ||
|
|
||
|  | ||
|
|
||
| ### Example Workflow File | ||
|
|
||
| ```yaml | ||
| name: AccuKnox SAST Workflow | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| sast-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Run AccuKnox SAST | ||
| uses: accuknox/[email protected] | ||
| with: | ||
| sonar_token: ${{ secrets.SONAR_TOKEN }} | ||
| sonar_host_url: ${{ secrets.SONAR_HOST_URL }} | ||
| accuknox_endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }} | ||
| tenant_id: ${{ secrets.TENANT_ID }} | ||
| accuknox_token: ${{ secrets.ACCUKNOX_TOKEN }} | ||
| label: "my-sast-scan" | ||
| sonar_project_key: "my-project-key" | ||
| ``` | ||
| ## Input Values | ||
| | Input Value | Description | Optional/Required | Default Value | | ||
| |--------------------|------------------------------------------------------------|--------------------|---------------| | ||
| | `sonar_token` | Personal access token for authenticating with SonarQube. | Required | None | | ||
| | `sonar_host_url` | URL of the SonarQube server to run the SAST. | Required | None | | ||
| | `accuknox_endpoint`| AccuKnox API endpoint URL to upload the scan results. | Required | None | | ||
| | `tenant_id` | Unique ID of the tenant for AccuKnox CSPM panel. | Required | None | | ||
| | `accuknox_token` | Token for authenticating with AccuKnox API. | Required | None | | ||
| | `label` | Label in AccuKnox SaaS for tagging scan results. | Required | None | | ||
| | `sonar_project_key`| Project key in SonarQube for identifying the project. | Optional | None | | ||
|
|
||
| ## How it Works | ||
|
|
||
| - **SonarQube SAST**: The action runs a SAST scan on the specified project in SonarQube, using the provided credentials and project key. | ||
| - **AccuKnox Report Generation**: The action uses AccuKnox's Docker container to generate a SAST report. | ||
| - **Report Upload**: The generated report is uploaded to the AccuKnox CSPM panel for centralized monitoring and insights. | ||
| - **Quality Gate Check**: Verifies if the project meets the set quality standards on SonarQube. | ||
|
|
||
| ## Notes | ||
|
|
||
| - Ensure all necessary secrets (`SONAR_TOKEN`, `SONAR_HOST_URL`, `ACCUKNOX_ENDPOINT`, `TENANT_ID`, and `ACCUKNOX_TOKEN`) are securely stored in your repository's settings. | ||
| - AccuKnox panel provides a centralized view of all SAST results, enabling detailed security monitoring and analytics. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: AccuKnox SAST | ||
| description: Run SAST analysis and upload reports to AccuKnox Panel. | ||
| inputs: | ||
| sonar_token: | ||
| description: "Token for authenticating with SonarQube." | ||
| required: true | ||
| sonar_host_url: | ||
| description: "The SonarQube host URL." | ||
| required: true | ||
| accuknox_endpoint: | ||
| description: "The URL of the CSPM panel to push the scan results to." | ||
| required: true | ||
| tenant_id: | ||
| description: "The ID of the tenant associated with the CSPm dashboard." | ||
| required: true | ||
| accuknox_token: | ||
| description: "The token for authenticating with AccuKnox SaaS." | ||
| required: true | ||
| label: | ||
| description: "Label created in AccuKnox SaaS for associating the scan results." | ||
| required: true | ||
| sonar_project_key: | ||
| description: "The project key in SonarQube." | ||
| required: false | ||
|
|
||
| runs: | ||
| using: "composite" | ||
| steps: | ||
| - name: SonarQube Scan | ||
| uses: sonarsource/sonarqube-scan-action@master | ||
| env: | ||
| SONAR_TOKEN: ${{ inputs.sonar_token }} | ||
| SONAR_HOST_URL: ${{ inputs.sonar_host_url }} | ||
|
|
||
| - name: Run AccuKnox SAST job with Project Key | ||
| if: ${{ inputs.sonar_project_key }} | ||
| run: | | ||
| docker run --rm \ | ||
| -e SQ_URL=${{ inputs.sonar_host_url }} \ | ||
| -e SQ_AUTH_TOKEN=${{ inputs.sonar_token }} \ | ||
| -e REPORT_PATH=/app/data/ \ | ||
| -e SQ_PROJECTS="^${{ inputs.sonar_project_key }}$" \ | ||
| -v $PWD:/app/data/ \ | ||
| accuknox/sastjob:latest | ||
| shell: bash | ||
|
|
||
| - name: Run AccuKnox SAST job without Project Key | ||
| if: ${{ !inputs.sonar_project_key }} | ||
| run: | | ||
| docker run --rm \ | ||
| -e SQ_URL=${{ inputs.sonar_host_url }} \ | ||
| -e SQ_AUTH_TOKEN=${{ inputs.sonar_token }} \ | ||
| -e REPORT_PATH=/app/data/ \ | ||
| -v $PWD:/app/data/ \ | ||
| accuknox/sastjob:latest | ||
| shell: bash | ||
|
|
||
| - name: Upload SAST reports | ||
| run: | | ||
| cd ${GITHUB_WORKSPACE} | ||
| for file in `ls -1 SQ-*.json`; do | ||
| curl --location --request POST "https://${{ inputs.accuknox_endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=SQ&label_id=${{ inputs.label }}&save_to_s3=false" \ | ||
| --header "Tenant-Id: ${{ inputs.tenant_id }}" \ | ||
| --header "Authorization: Bearer ${{ inputs.accuknox_token }}" \ | ||
| --form "file=@\"$file\"" | ||
| done | ||
| shell: bash | ||
|
|
||
| - name: SonarQube Quality Gate check | ||
| id: sonarqube-quality-gate-check | ||
| uses: sonarsource/sonarqube-quality-gate-action@master | ||
| env: | ||
| SONAR_TOKEN: ${{ inputs.sonar_token }} | ||
| SONAR_HOST_URL: ${{ inputs.sonar_host_url }} | ||
|
|
||
| branding: | ||
| icon: "shield" | ||
| color: "purple" |