DEPRECATED - This repository and the Action within are now deprecated. Please use:
❗ This repository will go away by the end of 2022.
Veracode Software Composition Analysis (SCA) scanning as a GitHub Action, with the following capabilities:
- Run the Veracode SCA scan in the same way as the agent script, in textual output mode
- Automatically create issues from vulnerabilities based on a given CVSS threshold
- Fail the action step based on a given CVSS threshold
- Ability to run the scan on a remote repository
- Ability to run the scan with the `--quick` flag
❗ You will need to provide `SRCCLR_API_TOKEN` as an environment variable (see the examples below).
- `github_token` - Required - The authorization token that allows the action to create issues. You may be able to simply use `${{ secrets.GITHUB_TOKEN }}` as a default option - see more details. Otherwise, you may create a Personal Access Token with the required permissions (`repo` scope) and assign it to the workflow as a secret.
- `min-cvss-for-issue` - Optional - The minimum CVSS score for which a found vulnerability creates an issue. Default value: 0
- `fail-on-cvss` - Optional - The maximum CVSS score allowed in found vulnerabilities for the step to pass. Default value: 10 (since 10 is the highest possible CVSS score, the step will not fail unless you explicitly specify a lower value)
Value: 0
- `create-issues` - Optional - Whether to create issues from found vulnerabilities. This is a boolean attribute. Default value: false
- Optional - Specify a remote repository URL for scanning. When set, the action scans that repository instead of the current repository in which the workflow is running.
- Optional - A relative path at which the scan starts. This attribute is useful when the actual code is not in the root of the repository, for example a mono repo that is home to multiple projects. Default value: `.` (repository root folder)
- `quick` - Optional - Run the Veracode SCA scan with the `--quick` flag. Default value: false
- Optional - Run the Veracode SCA scan with the `--debug` flag. Default value: false
- Optional - Run the Veracode SCA scan with the `--skip-collectors` attribute, taking comma-separated values. The available values can be found here: Scan directive (scroll down to the `skip_collectors` directive). Default value: None
- Optional - Run the Veracode SCA scan with the `--allow-dirty` flag. Default value: false
- Optional - Run the Veracode SCA scan with the `--recursive` flag. Default value: false
```yaml
on:
  schedule:
    - cron: '15 14 * * 6'
  workflow_dispatch:

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan remote repository for Issues
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: lerer/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          create-issues: false
          fail-on-cvss: 1
```
Scan the local repository. Fail the step and create issues if a found vulnerability has a CVSS score greater than 1:

```yaml
on:
  push:
    paths-ignore:
      - 'README.md'
  schedule:
    - cron: '15 14 * * 6'

jobs:
  veracode-sca-task:
    runs-on: ubuntu-latest
    name: Scan repository for Issues
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Run Veracode SCA
        env:
          SRCCLR_API_TOKEN: ${{ secrets.SRCCLR_API_TOKEN }}
        uses: lerer/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          quick: true
          create-issues: true
          fail-on-cvss: 1
          min-cvss-for-issue: 1
```