├── Dockerfile
├── README.md
└── action.yml

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM public.ecr.aws/portswigger/dastardly:latest

# GitHub runs Docker container actions as root, so override the base image's user.
USER root
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Dastardly Scan Action

This action runs a Dastardly vulnerability scan against a target site. On completion, it generates a JUnit XML report listing the vulnerabilities found, where they were located, additional information about each vulnerability, and links to our learning resources with suggestions on how to fix them.

## About Dastardly

- [Dastardly](https://portswigger.net/burp/dastardly) is a free, lightweight web application security scanner for your CI/CD pipeline.
- It is designed specifically for web developers, and checks your application for [seven security issues](https://portswigger.net/burp/dastardly/scan-checks) that are likely to interest you during software development.
- Dastardly is based on the same scanner as [Burp Suite](https://portswigger.net/burp) (Burp Scanner).

For full documentation on using Dastardly, please consult the [Dastardly documentation](https://portswigger.net/burp/documentation/dastardly).

Already used Dastardly? [Tell us what you think here](https://forms.gle/8Va7ombB793HqFKw5).

## Inputs

### `target-url`

**Required** The full URL (including the scheme, e.g. `https://`) of the site to scan. The scan starts crawling from this URL, so point it at a staging or test deployment you are authorised to scan.

### `output-filename`

**Optional** The name of the output report file. The action prepends `/github/workspace/` (the `GITHUB_WORKSPACE` directory) to this value, so pass a bare filename rather than an absolute path.

**Default** `dastardly-report.xml`

## Examples

Below are some examples of how to use the action by running a Dastardly scan against our own [Gin and Juice Shop](https://ginandjuice.shop) site. This is a deliberately vulnerable web application designed for testing web vulnerability scanners.

The examples reference the action at `@main`; for a reproducible pipeline, pin to a specific commit SHA instead.

### Basic Usage

```yaml
steps:
  - name: Run Dastardly Action Step
    uses: PortSwigger/dastardly-github-action@main
    with:
      target-url: 'https://ginandjuice.shop'
```

### Suggested Usage

Dastardly produces a JUnit XML report of the scan on completion. The report only includes vulnerability details if the scanner found vulnerabilities.

By default, if Dastardly finds any issue with a severity level of `LOW`, `MEDIUM`, or `HIGH`, it fails the workflow build.

This may be fine for your use case, but you may want to pair this action with a JUnit XML parser that runs whether or not the Dastardly action step succeeded. You can do this by adding `continue-on-error: true` to the Dastardly action step, or by adding a condition so that the parser step runs regardless of success or failure. Note that with `continue-on-error: true` a scan that finds issues no longer fails the job by itself; if you still want the job to fail, configure the parser step to fail on the reported failures.

```yaml
steps:
  - name: Run Dastardly Action Step
    continue-on-error: true # This allows subsequent steps to run even if this step fails
    uses: PortSwigger/dastardly-github-action@main
    with:
      target-url: 'https://ginandjuice.shop'

  # You can replace this next step with any JUnit XML parser of your choosing
  - name: Publish Test Report
    if: always() # Forces this step to always run
    uses: mikepenz/action-junit-report@v3
    with:
      report_paths: '**/dastardly-report.xml' # Update this path if you pass a different output filename to the Dastardly action
      require_tests: true
```

We suggest passing `require_tests: true` to this parser so that your workflow fails if it cannot find your specified output file (for example because the scan never produced one).

Documentation for the parser used in this example can be found [here](https://github.com/marketplace/actions/junit-report-action).
--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: 'Dastardly Scan Action'
description: 'Runs a Dastardly scan against a target site'
author: 'PortSwigger'
inputs:
  target-url:
    description: 'The full url (including scheme) of the site to scan'
    required: true
  output-filename:
    description: 'The filename used for the scan report. This filepath relates to the dastardly container, and will exist in the github workspace (/github/workspace)'
    required: false
    default: dastardly-report.xml
runs:
  using: 'docker'
  image: 'Dockerfile'
  env:
    BURP_START_URL: ${{ inputs.target-url }}
    BURP_REPORT_FILE_PATH: /github/workspace/${{ inputs.output-filename }}
branding:
  icon: 'activity'
  color: 'green'
--------------------------------------------------------------------------------
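The README's Suggested Usage section hands the pass/fail decision to a JUnit XML parser once `continue-on-error: true` is set on the scan step. The script below is an added example of such a gate, written for this listing; it is not part of the Dastardly action or of PortSwigger's code. It parses a report in the generic JUnit XML shape (`testsuites` > `testsuite` > `testcase` > `failure`), reads each failure's severity, and fails only at or above a chosen threshold, so a team can block on `HIGH` while still publishing `LOW` findings. The sample report, its issue names and URLs are constructed for the example, and the assumption that the severity sits in the `failure` element's `type` attribute (with the message and body text as a fallback) must be checked against a real Dastardly report.

```python
"""Severity gate for a Dastardly-style JUnit XML report.

Added example, not part of the Dastardly action or of PortSwigger's code. It assumes
the report follows the generic JUnit XML shape (testsuites > testsuite > testcase >
failure) and that each <failure> carries its severity in the `type` attribute or,
failing that, somewhere in its message or body text. Check a real report and adjust
`severity_of` if Dastardly places the severity elsewhere.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Rank order used for the threshold comparison.
SEVERITY_ORDER = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
_SEVERITY_RE = re.compile(r"\b(INFO|LOW|MEDIUM|HIGH)\b", re.IGNORECASE)

# Constructed sample report in the JUnit XML shape the README describes; the issue
# names, URLs, severities and descriptions below are illustrative, not scanner output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://ginandjuice.shop" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)"
              classname="https://ginandjuice.shop/catalog/search">
      <failure message="Severity: HIGH" type="HIGH">
        The value of the searchTerm parameter is copied into the response unencoded.
      </failure>
    </testcase>
    <testcase name="Strict transport security not enforced"
              classname="https://ginandjuice.shop/">
      <failure message="Severity: LOW" type="LOW">
        The response does not set a Strict-Transport-Security header.
      </failure>
    </testcase>
    <testcase name="Cross-site scripting (DOM-based)"
              classname="https://ginandjuice.shop/catalog"/>
  </testsuite>
</testsuites>
"""


def severity_of(failure):
    """Return the normalised severity (INFO/LOW/MEDIUM/HIGH) of a <failure>, or None.

    The `type` attribute is checked first; the message and body text are a heuristic
    fallback that can misfire if a description happens to contain one of the words.
    """
    for text in (failure.get("type"), failure.get("message"), failure.text):
        if text:
            match = _SEVERITY_RE.search(text)
            if match:
                return match.group(1).upper()
    return None


def parse_report(xml_text):
    """Return (issue, location, severity) for every testcase that has a <failure>."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        for failure in case.findall("failure"):
            findings.append((case.get("name"), case.get("classname"), severity_of(failure)))
    return findings


def gate(findings, threshold="MEDIUM", unknown_fails=True):
    """Return (passed, blocking), where blocking lists findings at or above threshold.

    A finding whose severity could not be determined blocks the build unless
    unknown_fails is False: a gate that silently ignores unparsed findings is the
    failure mode you least want in a security check.
    """
    min_rank = SEVERITY_ORDER[threshold.upper()]
    blocking = []
    for issue, location, sev in findings:
        if sev is None:
            if unknown_fails:
                blocking.append((issue, location, "UNKNOWN"))
        elif SEVERITY_ORDER[sev] >= min_rank:
            blocking.append((issue, location, sev))
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage: python dastardly_gate.py [report.xml] [threshold]; defaults to the sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "MEDIUM"
    findings = parse_report(xml_text)
    passed, blocking = gate(findings, threshold)
    print(f"{len(findings)} finding(s); {len(blocking)} at or above {threshold.upper()}")
    for issue, location, sev in blocking:
        print(f"  [{sev}] {issue} at {location}")
    sys.exit(0 if passed else 1)
```

In a workflow this would run as a step after the scan, with `if: always()` and `python dastardly_gate.py dastardly-report.xml HIGH`; its exit status then decides whether the job fails. An empty or failure-free report passes, which is why the README's `require_tests: true` advice still matters: a missing report should fail loudly rather than look like a clean scan.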