The `nowsecure-action` delivers fast, accurate, automated security analysis of iOS and Android apps coded in any language.
Features:
- Integrates with GitHub Advanced Security (GHAS) to display issues and remediation information inside of GitHub code scanning alerts.
- Optionally break builds that introduce new alerts.
- Run scans for each commit, or periodically.
- And more.
This action requires a NowSecure Platform license (see: User Guide).
If you are not an existing NowSecure customer and wish to enable NowSecure for your GHAS-enabled repository, please contact us.
If you are an existing NowSecure customer and have GHAS enabled for your repository, proceed with the instructions below.
- NowSecure Platform token in GitHub secrets:
  - Go to "Profile & Preferences" to create a token for GitHub.
  - In the repository settings, click "Secrets" then "New repository secret". Name the secret `NS_TOKEN`.
- Group ID.
Click the "Security" tab in your repository (GHAS must be enabled) then "Set up code scanning" then select the NowSecure action from the marketplace and follow the listed instructions.
For an existing workflow, the action must be run on an `ubuntu-latest` GitHub Action runner.

Note: For line-of-code identification, `ripgrep` must be available in the runner. For Ubuntu images, add a step for `apt-get install -y ripgrep`.
After the application build step, run the NowSecure action and upload the SARIF to GHAS:

```yaml
- name: NowSecure
  uses: nowsecure/nowsecure-action@v1
  timeout-minutes: 60
  with:
    token: ${{ secrets.NS_TOKEN }}
    app_file: $APPLICATION_PATH # REPLACE: The path to an .ipa or .apk
    group_id: $GROUP_ID # REPLACE: NowSecure Group ID
- name: Upload SARIF file
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: NowSecure.sarif
```
For a new workflow, add a new file called `nowsecure.yml` in your `.github/workflows` folder and review the example.
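As an added example (this is not the project's own example file), here is a complete `nowsecure.yml` that combines the requirements above into one workflow: the `ubuntu-latest` runner, the `ripgrep` install step, a build step, the NowSecure scan, and the SARIF upload, triggered on every push and on a weekly schedule. The `security-events: write` permission is what lets `upload-sarif` publish results to code scanning. The Gradle build command, the APK path, and the group ID are assumptions; replace them with your project's values.

```yaml
# .github/workflows/nowsecure.yml (added example; adjust the marked values)
name: NowSecure mobile app scan

on:
  push:
    branches: [main]
  schedule:
    - cron: "0 2 * * 1"   # also scan weekly (Monday 02:00 UTC)

permissions:
  contents: read
  security-events: write  # required for uploading SARIF to code scanning

jobs:
  scan:
    runs-on: ubuntu-latest  # the action must run on ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ripgrep
        run: sudo apt-get update && sudo apt-get install -y ripgrep  # needed for line-of-code identification

      - name: Build app
        run: ./gradlew assembleDebug  # ASSUMPTION: replace with your own build command

      - name: NowSecure
        uses: nowsecure/nowsecure-action@v1
        timeout-minutes: 60
        with:
          token: ${{ secrets.NS_TOKEN }}
          app_file: app/build/outputs/apk/debug/app-debug.apk  # ASSUMPTION: path to your .ipa or .apk
          group_id: YOUR_GROUP_ID  # REPLACE: NowSecure Group ID

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: NowSecure.sarif
```

Keeping the build and scan in the same job ensures the artifact passed to `app_file` is the one just built from the commit under test, so the code scanning alerts map back to the right source lines.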
This project is released under the MIT License.
NowSecure Platform, used in this action, has separate Terms and Conditions and requires a valid license to function.