├── importer ├── importer │ ├── __init__.py │ ├── file_upload_sbom.py │ ├── file_upload_observations.py │ ├── check_security_gate.py │ ├── environment.py │ └── secobserve_api.py ├── requirements.txt ├── .gitignore ├── .dockerignore ├── bin │ ├── file_upload_sbom.sh │ ├── check_security_gate.sh │ └── file_upload_observations.sh └── setup.cfg ├── vulnerability_scanner ├── vulnerability_scanner │ ├── __init__.py │ ├── requirements.txt │ ├── scan_vulnerabilities.py │ └── configuration.py ├── .gitignore ├── bin │ └── scan_vulnerabilities.sh └── setup.cfg ├── docker ├── entrypoints │ ├── entrypoint_upload_sbom.sh │ ├── entrypoint_importer.sh │ ├── entrypoint_check_security_gate.sh │ ├── entrypoint_vulnerability_scanner.sh │ ├── entrypoint_tfsec.sh │ ├── entrypoint_trivy_image_secrets.sh │ ├── entrypoint_cryptolyzer.sh │ ├── entrypoint_grype_sbom.sh │ ├── entrypoint_grype_image.sh │ ├── entrypoint_bandit.sh │ ├── entrypoint_trivy_config.sh │ ├── entrypoint_checkov.sh │ ├── entrypoint_trivy_image.sh │ ├── entrypoint_trivy_filesystem_secrets.sh │ ├── entrypoint_gitleaks.sh │ ├── entrypoint_semgrep.sh │ ├── entrypoint_drheader.sh │ ├── entrypoint_trivy_filesystem.sh │ ├── entrypoint_kics.sh │ └── entrypoint_eslint.sh ├── drheader │ ├── drheader-1.7.0-py2.py3-none-any.whl │ └── rules.yml ├── requirements_checkov.txt ├── requirements.txt └── Dockerfile ├── dev ├── templates │ ├── check_security_gate.yml │ ├── importer.yml │ ├── upload_sbom.yml │ ├── upload_observations.yml │ ├── vulnerability_scanner.yml │ ├── SCA │ │ ├── grype_sbom.yml │ │ ├── grype_image.yml │ │ ├── trivy_image.yml │ │ └── trivy_filesystem.yml │ ├── SAST │ │ ├── kics.yml │ │ ├── tfsec.yml │ │ ├── bandit.yml │ │ ├── checkov.yml │ │ ├── eslint.yml │ │ ├── semgrep.yml │ │ └── trivy_config.yml │ ├── secrets │ │ ├── gitleaks.yml │ │ ├── trivy_image_secrets.yml │ │ └── trivy_filesystem_secrets.yml │ └── DAST │ │ ├── cryptolyzer.yml │ │ ├── zap.yml │ │ └── drheader.yml └── actions │ ├── vulnerability_scanner │ └── 
action.yaml │ ├── check_security_gate │ └── action.yaml │ ├── upload_sbom │ └── action.yaml │ ├── upload_observations │ └── action.yaml │ ├── DAST │ ├── cryptolyzer │ │ └── action.yaml │ ├── zap │ │ └── action.yaml │ └── drheader │ │ └── action.yaml │ ├── secrets │ ├── gitleaks │ │ └── action.yaml │ ├── trivy_image_secrets │ │ └── action.yaml │ └── trivy_filesystem_secrets │ │ └── action.yaml │ ├── importer │ └── action.yaml │ ├── SAST │ ├── bandit │ │ └── action.yaml │ ├── tfsec │ │ └── action.yaml │ ├── checkov │ │ └── action.yaml │ ├── eslint │ │ └── action.yaml │ ├── trivy_config │ │ └── action.yaml │ ├── kics │ │ └── action.yaml │ └── semgrep │ │ └── action.yaml │ └── SCA │ ├── grype_image │ └── action.yaml │ ├── grype_sbom │ └── action.yaml │ ├── trivy_image │ └── action.yaml │ └── trivy_filesystem │ └── action.yaml ├── templates ├── check_security_gate.yml ├── importer.yml ├── upload_sbom.yml ├── upload_observations.yml ├── vulnerability_scanner.yml ├── SCA │ ├── grype_sbom.yml │ ├── grype_image.yml │ ├── trivy_image.yml │ └── trivy_filesystem.yml ├── SAST │ ├── kics.yml │ ├── tfsec.yml │ ├── bandit.yml │ ├── checkov.yml │ ├── eslint.yml │ ├── semgrep.yml │ └── trivy_config.yml ├── secrets │ ├── gitleaks.yml │ ├── trivy_image_secrets.yml │ └── trivy_filesystem_secrets.yml └── DAST │ ├── drheader.yml │ ├── cryptolyzer.yml │ └── zap.yml ├── actions ├── vulnerability_scanner │ └── action.yaml ├── check_security_gate │ └── action.yaml ├── upload_sbom │ └── action.yaml ├── upload_observations │ └── action.yaml ├── DAST │ ├── cryptolyzer │ │ └── action.yaml │ ├── zap │ │ └── action.yaml │ └── drheader │ │ └── action.yaml ├── secrets │ ├── gitleaks │ │ └── action.yaml │ ├── trivy_image_secrets │ │ └── action.yaml │ └── trivy_filesystem_secrets │ │ └── action.yaml ├── importer │ └── action.yaml ├── SAST │ ├── bandit │ │ └── action.yaml │ ├── tfsec │ │ └── action.yaml │ ├── checkov │ │ └── action.yaml │ ├── eslint │ │ └── action.yaml │ ├── trivy_config │ │ └── 
action.yaml │ ├── kics │ │ └── action.yaml │ └── semgrep │ │ └── action.yaml └── SCA │ ├── grype_image │ └── action.yaml │ ├── grype_sbom │ └── action.yaml │ ├── trivy_image │ └── action.yaml │ └── trivy_filesystem │ └── action.yaml ├── docker_zap ├── entrypoints │ └── entrypoint_zap.sh └── Dockerfile ├── renovate.json ├── LICENSE.txt ├── .github └── workflows │ ├── build_push_dev.yml │ └── build_push_latest.yml ├── CODE_OF_CONDUCT.md └── README.md /importer/importer/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /importer/requirements.txt: -------------------------------------------------------------------------------- 1 | requests==2.32.5 2 | -------------------------------------------------------------------------------- /vulnerability_scanner/vulnerability_scanner/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /vulnerability_scanner/vulnerability_scanner/requirements.txt: -------------------------------------------------------------------------------- 1 | PyYAML==6.0.3 2 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_upload_sbom.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | source file_upload_sbom.sh 4 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_importer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | source file_upload_observations.sh 4 | -------------------------------------------------------------------------------- /vulnerability_scanner/.gitignore: -------------------------------------------------------------------------------- 1 | 
*/__pycache__/* 2 | env-file.txt 3 | data/ 4 | coverage_data/ 5 | dist 6 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_check_security_gate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | source check_security_gate.sh 4 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_vulnerability_scanner.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | source scan_vulnerabilities.sh 4 | -------------------------------------------------------------------------------- /importer/.gitignore: -------------------------------------------------------------------------------- 1 | */__pycache__/* 2 | env-file.txt 3 | data/ 4 | coverage_data/ 5 | dd_import_stefanf.egg-info 6 | dd_import.egg-info 7 | dist 8 | -------------------------------------------------------------------------------- /docker/drheader/drheader-1.7.0-py2.py3-none-any.whl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SecObserve/secobserve_actions_templates/HEAD/docker/drheader/drheader-1.7.0-py2.py3-none-any.whl -------------------------------------------------------------------------------- /docker/requirements_checkov.txt: -------------------------------------------------------------------------------- 1 | # Checkov 2 | # ---------------------------------------------------------------- 3 | checkov==3.2.495 # https://github.com/bridgecrewio/checkov 4 | -------------------------------------------------------------------------------- /importer/.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | .github 3 | coverage_data 4 | data 5 | docker 6 | **/__pycache__ 7 | env-file.txt 8 | dd_import_stefanf.egg-info 9 | dd_import.egg-info 10 | 
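distproject.toml
setup.cfg
--------------------------------------------------------------------------------
/importer/bin/file_upload_sbom.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Upload an SBOM to SecObserve from inside the image's virtualenv.
#
# The module's exit status is captured before `deactivate` runs. Without
# that, running this script directly returns the status of `deactivate`
# (0) and hides an upload failure. The container entrypoints source this
# file under `set -e`, which already aborts on the failing command; the
# explicit `exit` makes the script fail-closed on its own as well.
# `.` instead of `source`: the shebang is /bin/sh and `source` is not POSIX.
. /.venv/bin/activate
# The python3.13 path must match the interpreter installed in the image
# (Dockerfile not shown here).
export PYTHONPATH="$VIRTUAL_ENV/lib/python3.13/site-packages:/usr/local/importer"
python -m importer.file_upload_sbom
rc=$?
deactivate
exit "$rc"
--------------------------------------------------------------------------------
/importer/bin/check_security_gate.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Evaluate the SecObserve security gate from inside the image's virtualenv.
#
# This script's exit status IS the gate decision, so it is captured before
# `deactivate` runs. Without that, a direct invocation returns the status of
# `deactivate` (0) and a failing gate would appear green. The container
# entrypoints source this file under `set -e`, which already aborts on the
# failing command; the explicit `exit` keeps the gate fail-closed when the
# script is run on its own.
# `.` instead of `source`: the shebang is /bin/sh and `source` is not POSIX.
. /.venv/bin/activate
export PYTHONPATH="$VIRTUAL_ENV/lib/python3.13/site-packages:/usr/local/importer"
python -m importer.check_security_gate
rc=$?
deactivate
exit "$rc"
--------------------------------------------------------------------------------
/importer/bin/file_upload_observations.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Upload a scanner report (observations) to SecObserve from inside the
# image's virtualenv.
#
# The module's exit status is captured before `deactivate` runs so that a
# failed upload is not masked by `deactivate` returning 0 when the script is
# invoked directly (the entrypoints source it under `set -e`).
# `.` instead of `source`: the shebang is /bin/sh and `source` is not POSIX.
. /.venv/bin/activate
export PYTHONPATH="$VIRTUAL_ENV/lib/python3.13/site-packages:/usr/local/importer"
python -m importer.file_upload_observations
rc=$?
deactivate
exit "$rc"
--------------------------------------------------------------------------------
/vulnerability_scanner/bin/scan_vulnerabilities.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Run the configured vulnerability scanners from inside the image's
# virtualenv.
#
# The module's exit status is captured before `deactivate` runs so that a
# scanner failure is not masked by `deactivate` returning 0 when the script
# is invoked directly (the entrypoints source it under `set -e`).
# `.` instead of `source`: the shebang is /bin/sh and `source` is not POSIX.
. /.venv/bin/activate
export PYTHONPATH="$VIRTUAL_ENV/lib/python3.13/site-packages:/usr/local/vulnerability_scanner"
python -m vulnerability_scanner.scan_vulnerabilities
rc=$?
deactivate
exit "$rc"
--------------------------------------------------------------------------------
/dev/templates/check_security_gate.yml:
--------------------------------------------------------------------------------
# Security gate job template. Unlike the scanner templates it has no
# `allow_failure`, so a failed gate fails the pipeline. `:dev` is a floating
# tag; pin by digest (`name: ghcr.io/...@sha256:...`) where a reproducible
# image matters.
.check_security_gate:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: post_test
  variables:
    GIT_STRATEGY: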
none 7 | script: 8 | - /entrypoints/entrypoint_check_security_gate.sh 9 | -------------------------------------------------------------------------------- /dev/templates/importer.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | script: 8 | - /entrypoints/entrypoint_importer.sh 9 | allow_failure: true 10 | -------------------------------------------------------------------------------- /templates/check_security_gate.yml: -------------------------------------------------------------------------------- 1 | .check_security_gate: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: post_test 5 | variables: 6 | GIT_STRATEGY: none 7 | script: 8 | - /entrypoints/entrypoint_check_security_gate.sh 9 | -------------------------------------------------------------------------------- /templates/importer.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | script: 8 | - /entrypoints/entrypoint_importer.sh 9 | allow_failure: true 10 | -------------------------------------------------------------------------------- /dev/templates/upload_sbom.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | script: 8 | - /entrypoints/entrypoint_upload_sbom.sh 9 | allow_failure: true 10 | -------------------------------------------------------------------------------- /templates/upload_sbom.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 
4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | script: 8 | - /entrypoints/entrypoint_upload_sbom.sh 9 | allow_failure: true 10 | -------------------------------------------------------------------------------- /dev/templates/upload_observations.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | SO_SUPPRESS_LICENSES: true 8 | script: 9 | - /entrypoints/entrypoint_importer.sh 10 | allow_failure: true 11 | -------------------------------------------------------------------------------- /templates/upload_observations.yml: -------------------------------------------------------------------------------- 1 | .importer: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: upload 5 | variables: 6 | GIT_STRATEGY: none 7 | SO_SUPPRESS_LICENSES: true 8 | script: 9 | - /entrypoints/entrypoint_importer.sh 10 | allow_failure: true 11 | -------------------------------------------------------------------------------- /dev/templates/vulnerability_scanner.yml: -------------------------------------------------------------------------------- 1 | .vulnerability_scanner: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | script: 5 | - /entrypoints/entrypoint_vulnerability_scanner.sh 6 | interruptible: true 7 | allow_failure: true 8 | artifacts: 9 | when: always 10 | paths: 11 | - ./*.json 12 | - ./*sarif 13 | -------------------------------------------------------------------------------- /templates/vulnerability_scanner.yml: -------------------------------------------------------------------------------- 1 | .vulnerability_scanner: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | script: 5 | - /entrypoints/entrypoint_vulnerability_scanner.sh 6 | interruptible: true 7 | allow_failure: true 8 | artifacts: 9 | when: always 10 | paths: 11 | - 
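./*.json
      - ./*sarif
--------------------------------------------------------------------------------
/dev/templates/SCA/grype_sbom.yml:
--------------------------------------------------------------------------------
# Grype scan of an SBOM. This template was keyed `.grype_image`, the same key
# that dev/templates/SCA/grype_image.yml defines; GitLab merges same-named
# keys across includes, so a pipeline including both files ended up with a
# single definition and one of the two scans silently never ran. Jobs that
# extend this file must use `extends: .grype_sbom`.
.grype_sbom:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_grype_sbom.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SCA/grype_sbom.yml:
--------------------------------------------------------------------------------
# Grype scan of an SBOM with the released scanner image. Keyed `.grype_sbom`
# (it was `.grype_image`, colliding with templates/SCA/grype_image.yml; see
# the dev template for details). Jobs must `extends: .grype_sbom`.
.grype_sbom:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_grype_sbom.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SAST/kics.yml:
--------------------------------------------------------------------------------
.kics:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_kics.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SAST/kics.yml:
--------------------------------------------------------------------------------
.kics:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."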
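# (continuation of templates/SAST/kics.yml)
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_kics.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SAST/tfsec.yml:
--------------------------------------------------------------------------------
# tfsec scan. This template was keyed `.kics`, colliding with the key defined
# by dev/templates/SAST/kics.yml: GitLab merges same-named keys across
# includes, so a pipeline including both files could run only one of the two
# scanners. Jobs extending this file must use `extends: .tfsec`.
.tfsec:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_tfsec.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SAST/tfsec.yml:
--------------------------------------------------------------------------------
# tfsec scan with the released scanner image. Keyed `.tfsec` (it was `.kics`,
# colliding with templates/SAST/kics.yml; see the dev template for details).
# Jobs must `extends: .tfsec`.
.tfsec:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_tfsec.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SAST/bandit.yml:
--------------------------------------------------------------------------------
.bandit:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."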
8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_bandit.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/SAST/checkov.yml: -------------------------------------------------------------------------------- 1 | .checkov: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_checkov.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/SAST/eslint.yml: -------------------------------------------------------------------------------- 1 | .eslint: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_eslint.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/SAST/semgrep.yml: -------------------------------------------------------------------------------- 1 | .semgrep: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 
8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_semgrep.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/SAST/bandit.yml: -------------------------------------------------------------------------------- 1 | .bandit: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_bandit.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/SAST/checkov.yml: -------------------------------------------------------------------------------- 1 | .checkov: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_checkov.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/SAST/eslint.yml: -------------------------------------------------------------------------------- 1 | .eslint: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 
8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_eslint.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/SAST/semgrep.yml: -------------------------------------------------------------------------------- 1 | .semgrep: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_semgrep.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/secrets/gitleaks.yml: -------------------------------------------------------------------------------- 1 | .gitleaks: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_gitleaks.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/secrets/gitleaks.yml: -------------------------------------------------------------------------------- 1 | .gitleaks: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 
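# (continuation of templates/secrets/gitleaks.yml)
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_gitleaks.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SAST/trivy_config.yml:
--------------------------------------------------------------------------------
# Trivy misconfiguration scan. This template was keyed `.kics`, the key also
# defined by dev/templates/SAST/kics.yml; GitLab merges same-named keys across
# includes, so a pipeline including both files could run only one of the two
# scanners. Jobs extending this file must use `extends: .trivy_config`.
.trivy_config:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_trivy_config.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SCA/grype_image.yml:
--------------------------------------------------------------------------------
# Grype scan of a container image; no checkout is needed (GIT_STRATEGY: none).
.grype_image:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_grype_image.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SCA/trivy_image.yml:
--------------------------------------------------------------------------------
# Trivy vulnerability scan of a container image; no checkout is needed.
.trivy_image:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_trivy_image.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/DAST/drheader.yml: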
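--------------------------------------------------------------------------------
# DrHeader HTTP security-header check against a deployed target (post_deploy,
# no checkout). NOTE(review): dev/templates/DAST/drheader.yml additionally
# sets `RULES: "/rules.yml"`; this released template does not, and the
# 2025_12 entrypoint's behaviour without RULES is not visible here — confirm
# before relying on the bundled rule set.
.drheader:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: post_deploy
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_drheader.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SAST/trivy_config.yml:
--------------------------------------------------------------------------------
# Trivy misconfiguration scan with the released scanner image. This template
# was keyed `.kics`, the key also defined by templates/SAST/kics.yml; GitLab
# merges same-named keys across includes, so a pipeline including both files
# could run only one of the two scanners. Jobs must `extends: .trivy_config`.
# `2025_12` is a mutable tag: pin by digest (`name: ghcr.io/...@sha256:...`)
# where a reproducible scanner image is required.
.trivy_config:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_trivy_config.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SCA/grype_image.yml:
--------------------------------------------------------------------------------
# Grype scan of a container image; no checkout is needed (GIT_STRATEGY: none).
.grype_image:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_grype_image.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/SCA/trivy_image.yml:
--------------------------------------------------------------------------------
# Trivy vulnerability scan of a container image; no checkout is needed.
.trivy_image:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: test
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_trivy_image.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/DAST/cryptolyzer.yml:
--------------------------------------------------------------------------------
# CryptoLyzer TLS analysis of a deployed endpoint (post_deploy, no checkout).
.cryptolyzer:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: post_deploy
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_cryptolyzer.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/templates/DAST/cryptolyzer.yml:
--------------------------------------------------------------------------------
# CryptoLyzer TLS analysis of a deployed endpoint (post_deploy, no checkout).
.cryptolyzer:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:2025_12
  stage: post_deploy
  variables:
    GIT_STRATEGY: none
    FURTHER_PARAMETERS: ""
    SO_UPLOAD: "true"
  script:
    - /entrypoints/entrypoint_cryptolyzer.sh
  interruptible: true
  allow_failure: true
  artifacts:
    when: always
    paths:
      - "$REPORT_NAME"
--------------------------------------------------------------------------------
/dev/templates/SCA/trivy_filesystem.yml:
--------------------------------------------------------------------------------
.trivy_filesystem:
  image:
    name: ghcr.io/secobserve/secobserve-scanners:dev
  stage: test
  variables:
    FURTHER_PARAMETERS: ""
    RUN_DIRECTORY: "."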
8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_filesystem.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/SCA/trivy_filesystem.yml: -------------------------------------------------------------------------------- 1 | .trivy_filesystem: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_filesystem.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/DAST/zap.yml: -------------------------------------------------------------------------------- 1 | .zap: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners-zap:dev 4 | stage: post_deploy 5 | variables: 6 | GIT_STRATEGY: none 7 | FURTHER_PARAMETERS: "" 8 | SCRIPT: "zap-baseline.py" 9 | SO_UPLOAD: "true" 10 | script: 11 | - /entrypoints/entrypoint_zap.sh 12 | interruptible: true 13 | allow_failure: true 14 | artifacts: 15 | when: always 16 | paths: 17 | - "$REPORT_NAME" 18 | -------------------------------------------------------------------------------- /templates/DAST/zap.yml: -------------------------------------------------------------------------------- 1 | .zap: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners-zap:2025_12 4 | stage: post_deploy 5 | variables: 6 | GIT_STRATEGY: none 7 | FURTHER_PARAMETERS: "" 8 | SCRIPT: "zap-baseline.py" 9 | SO_UPLOAD: "true" 10 | script: 11 | - /entrypoints/entrypoint_zap.sh 12 | interruptible: true 13 | allow_failure: true 14 | artifacts: 15 | when: always 16 | paths: 17 | - "$REPORT_NAME" 18 | 
-------------------------------------------------------------------------------- /dev/templates/DAST/drheader.yml: -------------------------------------------------------------------------------- 1 | .drheader: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: post_deploy 5 | variables: 6 | GIT_STRATEGY: none 7 | FURTHER_PARAMETERS: "" 8 | RULES: "/rules.yml" 9 | SO_UPLOAD: "true" 10 | script: 11 | - /entrypoints/entrypoint_drheader.sh 12 | interruptible: true 13 | allow_failure: true 14 | artifacts: 15 | when: always 16 | paths: 17 | - "$REPORT_NAME" 18 | -------------------------------------------------------------------------------- /dev/templates/secrets/trivy_image_secrets.yml: -------------------------------------------------------------------------------- 1 | .trivy_image_secrets: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | GIT_STRATEGY: none 7 | FURTHER_PARAMETERS: "" 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_image_secrets.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/secrets/trivy_image_secrets.yml: -------------------------------------------------------------------------------- 1 | .trivy_image_secrets: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | GIT_STRATEGY: none 7 | FURTHER_PARAMETERS: "" 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_image_secrets.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /dev/templates/secrets/trivy_filesystem_secrets.yml: -------------------------------------------------------------------------------- 1 | 
.trivy_filesystem_secrets: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:dev 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_filesystem_secrets.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /templates/secrets/trivy_filesystem_secrets.yml: -------------------------------------------------------------------------------- 1 | .trivy_filesystem_secrets: 2 | image: 3 | name: ghcr.io/secobserve/secobserve-scanners:2025_12 4 | stage: test 5 | variables: 6 | FURTHER_PARAMETERS: "" 7 | RUN_DIRECTORY: "." 8 | SO_UPLOAD: "true" 9 | script: 10 | - /entrypoints/entrypoint_trivy_filesystem_secrets.sh 11 | interruptible: true 12 | allow_failure: true 13 | artifacts: 14 | when: always 15 | paths: 16 | - "$REPORT_NAME" 17 | -------------------------------------------------------------------------------- /actions/vulnerability_scanner/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Vulnerability Scanner' 2 | description: 'Invokes several vunerability scanners' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_configuration: 7 | description: 'The YAML file with the configuration for the vulnerability scanners.' 8 | required: true 9 | so_api_token: 10 | description: 'API token of the user to be used for the import.' 
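required: true

runs:
  using: 'docker'
  # NOTE(review): mutable tag; pin by digest (image@sha256:...) so the action
  # cannot silently pick up a re-pushed image.
  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
  entrypoint: '/entrypoints/entrypoint_vulnerability_scanner.sh'
  env:
    SO_CONFIGURATION: ${{ inputs.so_configuration }}
    SO_API_TOKEN: ${{ inputs.so_api_token }}
--------------------------------------------------------------------------------
/dev/actions/vulnerability_scanner/action.yaml:
--------------------------------------------------------------------------------
name: 'SecObserve Vulnerability Scanner'
description: 'Invokes several vulnerability scanners'
author: 'SecObserve'

inputs:
  so_configuration:
    description: 'The YAML file with the configuration for the vulnerability scanners.'
    required: true
  so_api_token:
    description: 'API token of the user to be used for the import.'
    required: true

runs:
  using: 'docker'
  image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev'
  entrypoint: '/entrypoints/entrypoint_vulnerability_scanner.sh'
  env:
    SO_CONFIGURATION: ${{ inputs.so_configuration }}
    SO_API_TOKEN: ${{ inputs.so_api_token }}
--------------------------------------------------------------------------------
/importer/importer/file_upload_sbom.py:
--------------------------------------------------------------------------------
import sys

from importer.secobserve_api import Api
from importer.environment import Environment
from requests.exceptions import HTTPError


def file_upload_sbom():
    """Upload an SBOM file to SecObserve, configured through the SO_* environment.

    Validates the environment (Environment.check_environment_file_upload) and
    then calls Api.file_upload_sbom. Any exception is printed in a framed block
    and the process exits with status 1.
    """
    try:
        environment = Environment()
        environment.check_environment_file_upload()
        api = Api()
        api.file_upload_sbom()
    except Exception as e:
        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
        print(f"{e.__class__.__name__}: {str(e)}")
        # e.response is None when the HTTPError carries no response object;
        # decode with replacement so a non-UTF-8 body cannot raise a second
        # exception inside the handler and hide the original error.
        if isinstance(e, HTTPError) and e.response is not None:
            print(f"Response: {e.response.content.decode('utf-8', errors='replace')}")
        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
        # sys.exit rather than the site-provided exit() builtin, which is not
        # guaranteed to exist (e.g. python -S).
        sys.exit(1)


if __name__ == "__main__":
    file_upload_sbom()
--------------------------------------------------------------------------------
/importer/importer/file_upload_observations.py:
--------------------------------------------------------------------------------
import sys

from importer.secobserve_api import Api
from importer.environment import Environment
from requests.exceptions import HTTPError


def file_upload_observations():
    """Upload a scanner report (observations) to SecObserve via the SO_* environment.

    Validates the environment (Environment.check_environment_file_upload) and
    then calls Api.file_upload_observations. Any exception is printed in a
    framed block and the process exits with status 1.
    """
    try:
        environment = Environment()
        environment.check_environment_file_upload()
        api = Api()
        api.file_upload_observations()
    except Exception as e:
        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
        print(f"{e.__class__.__name__}: {str(e)}")
        # e.response is None when the HTTPError carries no response object;
        # decode with replacement so a non-UTF-8 body cannot raise a second
        # exception inside the handler and hide the original error.
        if isinstance(e, HTTPError) and e.response is not None:
            print(f"Response: {e.response.content.decode('utf-8', errors='replace')}")
        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
        # sys.exit rather than the site-provided exit() builtin, which is not
        # guaranteed to exist (e.g. python -S).
        sys.exit(1)


if __name__ == "__main__":
    file_upload_observations()
--------------------------------------------------------------------------------
/docker/requirements.txt:
--------------------------------------------------------------------------------
# NOTE(review): versions are pinned but not hash-pinned; --hash entries plus
# pip's --require-hashes would tie each install to a verified artifact.

# Bandit
# ----------------------------------------------------------------
bandit==1.9.2  # https://github.com/PyCQA/bandit
bandit-sarif-formatter==1.1.1  # https://github.com/microsoft/bandit-sarif-formatter

# Semgrep
# ----------------------------------------------------------------
semgrep==1.145.1  # https://github.com/returntocorp/semgrep

# CryptoLyzer
# ----------------------------------------------------------------
CryptoLyzer==1.0.0  # https://gitlab.com/coroner/cryptolyzer

# Importer
# ----------------------------------------------------------------
requests==2.32.5  # https://github.com/psf/requests

# Vulnerability Scanner
# ----------------------------------------------------------------
PyYAML==6.0.3  # https://github.com/yaml/pyyaml
--------------------------------------------------------------------------------
/actions/check_security_gate/action.yaml:
--------------------------------------------------------------------------------
name: 'SecObserve Check Security Gate'
description: 'Checks SecObserve security gate of a product'
author: 'SecObserve'

inputs:
  so_api_base_url:
    description: 'Base URL of the SecObserve backend'
    required: true
  so_api_token:
    description: 'API token of the user to be used for the check.'
    required: true
  so_product_name:
    description: 'Name of the product for which the security gate check is being performed.'
    required: true

runs:
  using: 'docker'
  # NOTE(review): mutable tag; pin by digest (image@sha256:...) so the action
  # cannot silently pick up a re-pushed image.
  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
  entrypoint: 'check_security_gate.sh'
  env:
    SO_API_BASE_URL: ${{ inputs.so_api_base_url }}
    SO_API_TOKEN: ${{ inputs.so_api_token }}
    SO_PRODUCT_NAME: ${{ inputs.so_product_name }}
--------------------------------------------------------------------------------
/dev/actions/check_security_gate/action.yaml:
--------------------------------------------------------------------------------
name: 'SecObserve Check Security Gate'
description: 'Checks SecObserve security gate for a product'
author: 'SecObserve'

inputs:
  so_api_base_url:
    description: 'Base URL of the SecObserve backend'
    required: true
  so_api_token:
    description: 'API token of the user to be used for the check.'
    required: true
  so_product_name:
    description: 'Name of the product for which the security gate check is being performed.'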
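required: true

runs:
  using: 'docker'
  image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev'
  entrypoint: 'check_security_gate.sh'
  env:
    SO_API_BASE_URL: ${{ inputs.so_api_base_url }}
    SO_API_TOKEN: ${{ inputs.so_api_token }}
    SO_PRODUCT_NAME: ${{ inputs.so_product_name }}
--------------------------------------------------------------------------------
/docker_zap/entrypoints/entrypoint_zap.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -e

# Resolve the workspace to an absolute path. This script cd's into /zap and
# later back to "$WORKSPACE"; with the previous fallback of "." (no CI
# variables set) that second cd was a no-op, so the report was copied into
# /zap instead of the directory the job started in.
if [[ -z "${GITHUB_WORKSPACE}" ]]; then
    if [[ -z "${CI_PROJECT_DIR}" ]]; then
        WORKSPACE="$(pwd)"
    else
        WORKSPACE="${CI_PROJECT_DIR}"
    fi
else
    WORKSPACE="${GITHUB_WORKSPACE}"
fi

export SO_FILE_NAME="${REPORT_NAME}"
export SO_PARSER_NAME="ZAP"

echo ----------------------------------------
echo ZAP
echo - TARGET: "$TARGET"
echo - REPORT_NAME: "$REPORT_NAME"
echo - SCRIPT: "$SCRIPT"
if [[ -n "$FURTHER_PARAMETERS" ]]; then
    echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS"
fi

cd /zap
# SCRIPT and FURTHER_PARAMETERS are CI variables expanded unquoted on purpose
# (word splitting into separate arguments). Anyone who can set them can run an
# arbitrary command in this job, i.e. the same trust level as the pipeline
# definition itself. ZAP's exit status is ignored ("|| true"); presumably the
# baseline script signals found alerts through it - confirm.
$SCRIPT -t "$TARGET" $FURTHER_PARAMETERS -J "$REPORT_NAME" || true
cd "$WORKSPACE"
# Under set -e this fails the job if ZAP produced no report at all.
cp /zap/wrk/"$REPORT_NAME" .

if [ "$SO_UPLOAD" == "true" ]; then
    source file_upload_observations.sh
fi

exit 0
--------------------------------------------------------------------------------
/docker/entrypoints/entrypoint_tfsec.sh:
--------------------------------------------------------------------------------
#!/bin/sh
set -e

if [[ -z "${GITHUB_WORKSPACE}" ]]; then
    if [[ -z "${CI_PROJECT_DIR}" ]]; then
        WORKSPACE=.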
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="SARIF" 16 | 17 | echo ---------------------------------------- 18 | echo tfsec 19 | echo - TARGET: "$TARGET" 20 | echo - REPORT_NAME: "$REPORT_NAME" 21 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 22 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 23 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 24 | fi 25 | 26 | cd "$RUN_DIRECTORY" 27 | tfsec "$TARGET" $FURTHER_PARAMETERS --soft-fail --format sarif --out "$WORKSPACE/$REPORT_NAME" 28 | cd "$WORKSPACE" 29 | 30 | if [ "$SO_UPLOAD" == "true" ]; then 31 | source file_upload_observations.sh 32 | fi 33 | 34 | exit 0 35 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_trivy_image_secrets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | export TRIVY_NO_PROGRESS=true 5 | 6 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 7 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 8 | WORKSPACE=. 
9 | else 10 | WORKSPACE="${CI_PROJECT_DIR}" 11 | fi 12 | else 13 | WORKSPACE="${GITHUB_WORKSPACE}" 14 | fi 15 | 16 | export SO_FILE_NAME="${REPORT_NAME}" 17 | export SO_PARSER_NAME="SARIF" 18 | 19 | echo ---------------------------------------- 20 | echo Trivy Image Secrets 21 | echo - TARGET: "$TARGET" 22 | echo - REPORT_NAME: "$REPORT_NAME" 23 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 24 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 25 | fi 26 | 27 | cd "$WORKSPACE" 28 | trivy image $FURTHER_PARAMETERS --quiet --exit-code 0 --format sarif --scanners secret --output "$REPORT_NAME" "$TARGET" 29 | 30 | if [ "$SO_UPLOAD" == "true" ]; then 31 | source file_upload_observations.sh 32 | fi 33 | 34 | exit 0 35 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_cryptolyzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="CryptoLyzer" 16 | 17 | echo ---------------------------------------- 18 | echo CryptoLyzer 19 | echo - TARGET: "$TARGET" 20 | echo - REPORT_NAME: "$REPORT_NAME" 21 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 22 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 23 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 24 | fi 25 | 26 | source /.venv/bin/activate 27 | cd "$WORKSPACE" 28 | cryptolyze $FURTHER_PARAMETERS --output-format json tls all "$TARGET" >"$REPORT_NAME" 29 | deactivate 30 | 31 | if [ "$SO_UPLOAD" == "true" ]; then 32 | source file_upload_observations.sh 33 | fi 34 | 35 | exit 0 36 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_grype_sbom.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="CycloneDX" 16 | 17 | if [[ -z "${SO_SUPPRESS_LICENSES}" ]]; then 18 | export SO_SUPPRESS_LICENSES=true 19 | fi 20 | 21 | echo ---------------------------------------- 22 | echo Grype SBOM 23 | echo - TARGET: "$TARGET" 24 | echo - REPORT_NAME: "$REPORT_NAME" 25 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 26 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 27 | fi 28 | 29 | cd "$WORKSPACE" 30 | grype sbom:"$TARGET" $FURTHER_PARAMETERS --by-cve --quiet --output cyclonedx-json --file "$REPORT_NAME" 31 | 32 | if [ "$SO_UPLOAD" == "true" ]; then 33 | source file_upload_observations.sh 34 | fi 35 | 36 | exit 0 37 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_grype_image.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="CycloneDX" 16 | 17 | if [[ -z "${SO_SUPPRESS_LICENSES}" ]]; then 18 | export SO_SUPPRESS_LICENSES=true 19 | fi 20 | 21 | echo ---------------------------------------- 22 | echo Grype Image 23 | echo - TARGET: "$TARGET" 24 | echo - REPORT_NAME: "$REPORT_NAME" 25 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 26 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 27 | fi 28 | 29 | cd "$WORKSPACE" 30 | grype docker:"$TARGET" $FURTHER_PARAMETERS --by-cve --quiet --output cyclonedx-json --file "$REPORT_NAME" 31 | 32 | if [ "$SO_UPLOAD" == "true" ]; then 33 | source file_upload_observations.sh 34 | fi 35 | 36 | exit 0 37 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_bandit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="SARIF" 16 | 17 | echo ---------------------------------------- 18 | echo Bandit 19 | echo - TARGET: "$TARGET" 20 | echo - REPORT_NAME: "$REPORT_NAME" 21 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 22 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 23 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 24 | fi 25 | 26 | source /.venv/bin/activate 27 | cd "$RUN_DIRECTORY" 28 | bandit $FURTHER_PARAMETERS --quiet --format sarif --output "$WORKSPACE/$REPORT_NAME" --exit-zero --recursive "$TARGET" 29 | cd "$WORKSPACE" 30 | deactivate 31 | 32 | if [ "$SO_UPLOAD" == "true" ]; then 33 | source file_upload_observations.sh 34 | fi 35 | 36 | exit 0 37 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_trivy_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | export TRIVY_NO_PROGRESS=true 5 | 6 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 7 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 8 | WORKSPACE=. 
9 | else 10 | WORKSPACE="${CI_PROJECT_DIR}" 11 | fi 12 | else 13 | WORKSPACE="${GITHUB_WORKSPACE}" 14 | fi 15 | 16 | export SO_FILE_NAME="${REPORT_NAME}" 17 | export SO_PARSER_NAME="SARIF" 18 | 19 | echo ---------------------------------------- 20 | echo Trivy Config 21 | echo - TARGET: "$TARGET" 22 | echo - REPORT_NAME: "$REPORT_NAME" 23 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 24 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 25 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 26 | fi 27 | 28 | cd "$RUN_DIRECTORY" 29 | trivy config $FURTHER_PARAMETERS --quiet --exit-code 0 --format sarif --output "$WORKSPACE/$REPORT_NAME" "$TARGET" 30 | cd "$WORKSPACE" 31 | 32 | if [ "$SO_UPLOAD" == "true" ]; then 33 | source file_upload_observations.sh 34 | fi 35 | 36 | exit 0 37 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_checkov.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="SARIF" 16 | 17 | echo ---------------------------------------- 18 | echo Checkov 19 | echo - TARGET: "$TARGET" 20 | echo - REPORT_NAME: "$REPORT_NAME" 21 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 22 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 23 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 24 | fi 25 | 26 | source /.venv_checkov/bin/activate 27 | cd "$RUN_DIRECTORY" 28 | checkov $FURTHER_PARAMETERS --quiet --compact --soft-fail --directory "$TARGET" --output sarif 29 | mv results.sarif "$WORKSPACE/$REPORT_NAME" 30 | cd "$WORKSPACE" 31 | deactivate 32 | 33 | if [ "$SO_UPLOAD" == "true" ]; then 34 | source file_upload_observations.sh 35 | fi 36 | 37 | exit 0 38 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_trivy_image.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | export TRIVY_NO_PROGRESS=true 5 | 6 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 7 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 8 | WORKSPACE=. 
9 | else 10 | WORKSPACE="${CI_PROJECT_DIR}" 11 | fi 12 | else 13 | WORKSPACE="${GITHUB_WORKSPACE}" 14 | fi 15 | 16 | export SO_FILE_NAME="${REPORT_NAME}" 17 | export SO_PARSER_NAME="CycloneDX" 18 | 19 | if [[ -z "${SO_SUPPRESS_LICENSES}" ]]; then 20 | export SO_SUPPRESS_LICENSES=true 21 | fi 22 | 23 | echo ---------------------------------------- 24 | echo Trivy Image 25 | echo - TARGET: "$TARGET" 26 | echo - REPORT_NAME: "$REPORT_NAME" 27 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 28 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 29 | fi 30 | 31 | cd "$WORKSPACE" 32 | trivy image $FURTHER_PARAMETERS --quiet --exit-code 0 --format cyclonedx --scanners vuln --output "$REPORT_NAME" "$TARGET" 33 | 34 | if [ "$SO_UPLOAD" == "true" ]; then 35 | source file_upload_observations.sh 36 | fi 37 | 38 | exit 0 39 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_trivy_filesystem_secrets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | export TRIVY_NO_PROGRESS=true 5 | 6 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 7 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 8 | WORKSPACE=. 
9 | else 10 | WORKSPACE="${CI_PROJECT_DIR}" 11 | fi 12 | else 13 | WORKSPACE="${GITHUB_WORKSPACE}" 14 | fi 15 | 16 | export SO_FILE_NAME="${REPORT_NAME}" 17 | export SO_PARSER_NAME="SARIF" 18 | 19 | echo ---------------------------------------- 20 | echo Trivy Filesystem Secrets 21 | echo - TARGET: "$TARGET" 22 | echo - REPORT_NAME: "$REPORT_NAME" 23 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 24 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 25 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 26 | fi 27 | 28 | cd "$RUN_DIRECTORY" 29 | trivy filesystem $FURTHER_PARAMETERS --quiet --exit-code 0 --format sarif --scanners secret --output "$WORKSPACE/$REPORT_NAME" "$TARGET" 30 | cd "$WORKSPACE" 31 | 32 | if [ "$SO_UPLOAD" == "true" ]; then 33 | source file_upload_observations.sh 34 | fi 35 | 36 | exit 0 37 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_gitleaks.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
else
    WORKSPACE="${CI_PROJECT_DIR}"
fi
else
    WORKSPACE="${GITHUB_WORKSPACE}"
fi

export SO_FILE_NAME="${REPORT_NAME}"
export SO_PARSER_NAME="SARIF"

echo ----------------------------------------
echo GitLeaks
echo - TARGET: "$TARGET"
echo - REPORT_NAME: "$REPORT_NAME"
echo - RUN_DIRECTORY: "$RUN_DIRECTORY"
if [[ -n "$FURTHER_PARAMETERS" ]]; then
    echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS"
fi

# The checkout is typically owned by a different uid than the container user;
# without this git refuses to operate on it ("dubious ownership").
git config --global --add safe.directory "$WORKSPACE"
cd "$RUN_DIRECTORY"
# --no-git scans the checked-out tree as plain files: a secret that was
# committed and later removed still sits in the git history but is NOT
# reported here; run a history scan (without --no-git) separately if that
# matters. --redact keeps the matched secret values out of the SARIF report,
# and therefore out of the CI artifact and the SecObserve upload.
# --exit-code 0 means findings never fail this job; gating is left to the
# separate SecObserve security gate check.
gitleaks detect $FURTHER_PARAMETERS --no-banner --log-level warn --exit-code 0 --no-git --redact --report-format sarif --report-path "$WORKSPACE/$REPORT_NAME"
cd "$WORKSPACE"

if [ "$SO_UPLOAD" == "true" ]; then
    # Sourced, not executed: the upload runs inside this shell, so under set -e
    # a failed upload aborts the script before the final exit 0.
    # NOTE(review): [[ ]] and source are bash features although the shebang is
    # #!/bin/sh - this only works where /bin/sh is bash; confirm for the
    # scanner image.
    source file_upload_observations.sh
fi

exit 0
--------------------------------------------------------------------------------
/docker/entrypoints/entrypoint_semgrep.sh:
--------------------------------------------------------------------------------
#!/bin/sh
set -e

if [[ -z "${GITHUB_WORKSPACE}" ]]; then
    if [[ -z "${CI_PROJECT_DIR}" ]]; then
        WORKSPACE=.
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="SARIF" 16 | 17 | echo ---------------------------------------- 18 | echo Semgrep 19 | echo - TARGET: "$TARGET" 20 | echo - REPORT_NAME: "$REPORT_NAME" 21 | echo - CONFIGURATION: "$CONFIGURATION" 22 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 23 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 24 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 25 | fi 26 | 27 | source /.venv/bin/activate 28 | cd "$RUN_DIRECTORY" 29 | semgrep scan $FURTHER_PARAMETERS --config $CONFIGURATION --quiet --metrics off --no-error --output "$WORKSPACE/$REPORT_NAME" --sarif "$TARGET" 30 | cd "$WORKSPACE" 31 | deactivate 32 | 33 | if [ "$SO_UPLOAD" == "true" ]; then 34 | source file_upload_observations.sh 35 | fi 36 | 37 | exit 0 38 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_drheader.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 5 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 6 | WORKSPACE=. 
7 | else 8 | WORKSPACE="${CI_PROJECT_DIR}" 9 | fi 10 | else 11 | WORKSPACE="${GITHUB_WORKSPACE}" 12 | fi 13 | 14 | export SO_FILE_NAME="${REPORT_NAME}" 15 | export SO_PARSER_NAME="DrHeader" 16 | 17 | if [[ -z "${RULES}" ]]; then 18 | export RULES=/rules.yml 19 | fi 20 | 21 | echo ---------------------------------------- 22 | echo DrHeader 23 | echo - TARGET: "$TARGET" 24 | echo - REPORT_NAME: "$REPORT_NAME" 25 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 26 | echo - RULES: "$RULES" 27 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 28 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 29 | fi 30 | 31 | source /.venv/bin/activate 32 | cd "$WORKSPACE" 33 | drheader scan single $FURTHER_PARAMETERS --no-error --rules "$RULES" --json "$TARGET" >"$REPORT_NAME" 34 | deactivate 35 | 36 | if [ "$SO_UPLOAD" == "true" ]; then 37 | source file_upload_observations.sh 38 | fi 39 | 40 | exit 0 41 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base" 5 | ], 6 | "baseBranches": [ 7 | "dev" 8 | ], 9 | "binarySource": "install", 10 | "branchConcurrentLimit": 10, 11 | "dependencyDashboard": false, 12 | "dependencyDashboardApproval": false, 13 | "labels": [ 14 | "dependencies" 15 | ], 16 | "lockFileMaintenance": { 17 | "enabled": true 18 | }, 19 | "prHourlyLimit": 10, 20 | "rebaseWhen": "conflicted", 21 | "pip_requirements": { 22 | "managerFilePatterns": [ 23 | "/docker/requirements.txt/", 24 | "/docker/requirements_checkov.txt/" 25 | ] 26 | }, 27 | "packageRules": [ 28 | { 29 | "matchPackageNames": [ 30 | "python" 31 | ], 32 | "allowedVersions": "<3.14" 33 | }, 34 | { 35 | "matchPackageNames": [ 36 | "node" 37 | ], 38 | "allowedVersions": "<23" 39 | } 40 | ] 41 | } 42 | -------------------------------------------------------------------------------- 
/importer/setup.cfg: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 120 3 | exclude = .tox,.git,*/migrations/*,*/static/CACHE/*,docs,node_modules,venv 4 | 5 | [pycodestyle] 6 | max-line-length = 120 7 | exclude = .tox,.git,*/migrations/*,*/static/CACHE/*,docs,node_modules,venv 8 | 9 | [isort] 10 | line_length = 88 11 | known_first_party = application,config 12 | multi_line_output = 3 13 | default_section = THIRDPARTY 14 | skip = venv/ 15 | skip_glob = **/migrations/*.py 16 | include_trailing_comma = true 17 | force_grid_wrap = 0 18 | use_parentheses = true 19 | 20 | [mypy] 21 | python_version = 3.9 22 | check_untyped_defs = True 23 | ignore_missing_imports = True 24 | warn_unused_ignores = True 25 | warn_redundant_casts = True 26 | warn_unused_configs = True 27 | plugins = mypy_django_plugin.main, mypy_drf_plugin.main 28 | 29 | [mypy.plugins.django-stubs] 30 | django_settings_module = config.settings.test 31 | 32 | [mypy-*.migrations.*] 33 | # Django migrations should not produce any errors: 34 | ignore_errors = True 35 | 36 | [coverage:run] 37 | include = application/* 38 | omit = *migrations*, *tests* 39 | plugins = 40 | django_coverage_plugin 41 | -------------------------------------------------------------------------------- /vulnerability_scanner/setup.cfg: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 120 3 | exclude = .tox,.git,*/migrations/*,*/static/CACHE/*,docs,node_modules,venv 4 | 5 | [pycodestyle] 6 | max-line-length = 120 7 | exclude = .tox,.git,*/migrations/*,*/static/CACHE/*,docs,node_modules,venv 8 | 9 | [isort] 10 | line_length = 88 11 | known_first_party = application,config 12 | multi_line_output = 3 13 | default_section = THIRDPARTY 14 | skip = venv/ 15 | skip_glob = **/migrations/*.py 16 | include_trailing_comma = true 17 | force_grid_wrap = 0 18 | use_parentheses = true 19 | 20 | [mypy] 21 | 
python_version = 3.9 22 | check_untyped_defs = True 23 | ignore_missing_imports = True 24 | warn_unused_ignores = True 25 | warn_redundant_casts = True 26 | warn_unused_configs = True 27 | plugins = mypy_django_plugin.main, mypy_drf_plugin.main 28 | 29 | [mypy.plugins.django-stubs] 30 | django_settings_module = config.settings.test 31 | 32 | [mypy-*.migrations.*] 33 | # Django migrations should not produce any errors: 34 | ignore_errors = True 35 | 36 | [coverage:run] 37 | include = application/* 38 | omit = *migrations*, *tests* 39 | plugins = 40 | django_coverage_plugin 41 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_trivy_filesystem.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | 4 | export TRIVY_NO_PROGRESS=true 5 | 6 | if [[ -z "${GITHUB_WORKSPACE}" ]]; then 7 | if [[ -z "${CI_PROJECT_DIR}" ]]; then 8 | WORKSPACE=. 9 | else 10 | WORKSPACE="${CI_PROJECT_DIR}" 11 | fi 12 | else 13 | WORKSPACE="${GITHUB_WORKSPACE}" 14 | fi 15 | 16 | export SO_FILE_NAME="${REPORT_NAME}" 17 | export SO_PARSER_NAME="CycloneDX" 18 | 19 | if [[ -z "${SO_SUPPRESS_LICENSES}" ]]; then 20 | export SO_SUPPRESS_LICENSES=true 21 | fi 22 | 23 | echo ---------------------------------------- 24 | echo Trivy Filesystem 25 | echo - TARGET: "$TARGET" 26 | echo - REPORT_NAME: "$REPORT_NAME" 27 | echo - RUN_DIRECTORY: "$RUN_DIRECTORY" 28 | if [[ -n "$FURTHER_PARAMETERS" ]]; then 29 | echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS" 30 | fi 31 | 32 | cd "$RUN_DIRECTORY" 33 | trivy filesystem $FURTHER_PARAMETERS --quiet --exit-code 0 --format cyclonedx --scanners vuln --output "$WORKSPACE/$REPORT_NAME" "$TARGET" 34 | cd "$WORKSPACE" 35 | 36 | if [ "$SO_UPLOAD" == "true" ]; then 37 | source file_upload_observations.sh 38 | fi 39 | 40 | exit 0 41 | -------------------------------------------------------------------------------- /docker/entrypoints/entrypoint_kics.sh: 
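--------------------------------------------------------------------------------
#!/bin/sh
set -e

if [[ -z "${GITHUB_WORKSPACE}" ]]; then
    if [[ -z "${CI_PROJECT_DIR}" ]]; then
        WORKSPACE=.
    else
        WORKSPACE="${CI_PROJECT_DIR}"
    fi
else
    WORKSPACE="${GITHUB_WORKSPACE}"
fi

if [[ -z "${OUTPUT_PATH}" ]]; then
    OUTPUT_PATH="${WORKSPACE}"
fi

export SO_FILE_NAME="${OUTPUT_PATH}"/"${REPORT_NAME}"
export SO_PARSER_NAME="SARIF"

echo ----------------------------------------
echo KICS
echo - TARGET: "$TARGET"
echo - REPORT_NAME: "$REPORT_NAME"
echo - OUTPUT_PATH: "$OUTPUT_PATH"
echo - RUN_DIRECTORY: "$RUN_DIRECTORY"
if [[ -n "$FURTHER_PARAMETERS" ]]; then
    echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS"
fi

cd "$RUN_DIRECTORY"
kics scan $FURTHER_PARAMETERS --silent --no-progress --ignore-on-exit results --path "$TARGET" --report-formats sarif --output-path "$OUTPUT_PATH" --output-name "$REPORT_NAME"
cd "$WORKSPACE"

if [ "$SO_UPLOAD" == "true" ]; then
    source file_upload_observations.sh
fi

exit 0
--------------------------------------------------------------------------------
/importer/importer/check_security_gate.py:
--------------------------------------------------------------------------------
import sys

from importer.secobserve_api import Api
from importer.environment import Environment
from requests.exceptions import HTTPError


def _gate_verdict(product):
    """Map a product's ``security_gate_passed`` field to ``(exit_code, status)``.

    ``None`` (JSON null) means the gate is disabled for the product and counts
    as passed. A *missing* field is reported as a failure: the previous
    ``product.get(...) == None`` check could not tell "null" from "absent", so
    an unexpected response shape (API change, wrong endpoint) passed the gate.
    Only the boolean ``True`` passes; any other value fails closed.
    """
    if "security_gate_passed" not in product:
        return 1, "UNKNOWN (no 'security_gate_passed' in API response)"
    passed = product["security_gate_passed"]
    if passed is None:
        return 0, "DISABLED"
    if passed is True:
        return 0, "PASSED"
    return 1, "FAILED"


def check_security_gate():
    """Exit 0 if the product's SecObserve security gate is passed or disabled, 1 otherwise.

    Validates the environment via Environment.check_environment_common() and
    fetches the product with Api.get_product(). Any exception during setup or
    the API call is printed in a framed block and also yields exit status 1,
    so an unreachable backend never passes the gate.
    """
    try:
        environment = Environment()
        environment.check_environment_common()
        api = Api()
        product = api.get_product()
        exit_code, status = _gate_verdict(product)
        print(f"Product {product.get('name')}: Security gate {status}")
        # SystemExit is not an Exception subclass, so the handler below lets it through.
        sys.exit(exit_code)

    except Exception as e:
        print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>")
        print(f"{e.__class__.__name__}: {str(e)}")
        # e.response is None when the HTTPError carries no response object;
        # decode with replacement so a non-UTF-8 body cannot raise a second
        # exception inside the handler and hide the original error.
        if isinstance(e, HTTPError) and e.response is not None:
            print(f"Response: {e.response.content.decode('utf-8', errors='replace')}")
        print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<")
        # sys.exit rather than the site-provided exit() builtin, which is not
        # guaranteed to exist (e.g. python -S).
        sys.exit(1)


if __name__ == "__main__":
    check_security_gate()
--------------------------------------------------------------------------------
/docker/entrypoints/entrypoint_eslint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
set -e

if [[ -z "${GITHUB_WORKSPACE}" ]]; then
    if [[ -z "${CI_PROJECT_DIR}" ]]; then
        WORKSPACE=.
    else
        WORKSPACE="${CI_PROJECT_DIR}"
    fi
else
    WORKSPACE="${GITHUB_WORKSPACE}"
fi

export SO_FILE_NAME="${REPORT_NAME}"
export SO_PARSER_NAME="SARIF"

echo ----------------------------------------
echo ESLint
echo - TARGET: "$TARGET"
echo - REPORT_NAME: "$REPORT_NAME"
echo - RUN_DIRECTORY: "$RUN_DIRECTORY"
if [[ -n "$FURTHER_PARAMETERS" ]]; then
    echo - FURTHER_PARAMETERS: "$FURTHER_PARAMETERS"
fi

cd "$RUN_DIRECTORY"
# NOTE(review): npm install executes the scanned project's own install and
# lifecycle scripts inside this scanner container (and, when SO_UPLOAD is
# used, with the SecObserve API token in the job environment). If the ESLint
# plugins do not need those scripts, --ignore-scripts removes that exposure;
# confirm before changing.
npm install
npx -quiet eslint $FURTHER_PARAMETERS --quiet --ignore-pattern ./node_modules/ --format @microsoft/eslint-formatter-sarif --output-file "$WORKSPACE/$REPORT_NAME" "$TARGET"
cd "$WORKSPACE"

# The source files are referenced with "file://absolute_path", but we want to have relative paths,
# so we remove the "file://" prefix and the current directory.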
33 | sed -i "s|file:\/\/$PWD\/||g" "$WORKSPACE/$REPORT_NAME" 34 | 35 | if [ "$SO_UPLOAD" == "true" ]; then 36 | source file_upload_observations.sh 37 | fi 38 | 39 | exit 0 40 | -------------------------------------------------------------------------------- /docker_zap/Dockerfile: -------------------------------------------------------------------------------- 1 | # Python run stage 2 | FROM zaproxy/zap-stable:2.15.0 3 | 4 | ARG CREATED 5 | ARG REVISION 6 | ARG VERSION 7 | 8 | LABEL org.opencontainers.image.base.name="softwaresecurityproject/zap-stable" 9 | LABEL org.opencontainers.image.created=${CREATED} 10 | LABEL org.opencontainers.image.description="SecObserve is an open source vulnerability management system for software development teams." 11 | LABEL org.opencontainers.image.documentation="https://secobserve.github.io/SecObserve/integrations/github_actions_and_templates/" 12 | LABEL org.opencontainers.image.licenses="BSD3-Clause" 13 | LABEL org.opencontainers.image.revision=${REVISION} 14 | LABEL org.opencontainers.image.source="https://github.com/SecObserve/secobserve_actions_templates" 15 | LABEL org.opencontainers.image.title="SecObserve vulnerability scanner ZAP" 16 | LABEL org.opencontainers.image.url="https://github.com/SecObserve/secobserve_actions_templates" 17 | LABEL org.opencontainers.image.vendor="SecObserve" 18 | LABEL org.opencontainers.image.version=${VERSION} 19 | 20 | # Install importer 21 | COPY importer/ /usr/local/importer/ 22 | RUN pip install --no-cache-dir -r /usr/local/importer/requirements.txt 23 | 24 | # Copy entrypoints and set PATH 25 | WORKDIR /entrypoints 26 | COPY ./docker_zap/entrypoints/ ./ 27 | RUN mkdir /zap/wrk 28 | ENV PATH="/usr/local/importer/bin:$PATH" 29 | 30 | WORKDIR /zap 31 | -------------------------------------------------------------------------------- /actions/upload_sbom/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve upload SBOM' 2 | 
description: 'Upload SBOM into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_api_base_url: 7 | description: 'Base URL of the SecObserve backend' 8 | required: true 9 | so_api_token: 10 | description: 'API token of the user to be used for the upload.' 11 | required: true 12 | so_product_name: 13 | description: 'Name of the product into which the SBOM is imported. The product has to exist before starting the import.' 14 | required: true 15 | so_branch_name: 16 | description: 'Name of the product branch into which the SBOM is imported. If the branch does not exist yet, it is automatically created.' 17 | required: false 18 | so_file_name: 19 | description: 'Name of the SBOM file to upload.' 20 | required: true 21 | so_origin_service: 22 | description: 'Service name to be set for all imported components.' 23 | required: false 24 | 25 | runs: 26 | using: 'docker' 27 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 28 | entrypoint: 'file_upload_observations.sh' 29 | env: 30 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 31 | SO_API_TOKEN: ${{ inputs.so_api_token }} 32 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 33 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 34 | SO_FILE_NAME: ${{ inputs.so_file_name }} 35 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 36 | -------------------------------------------------------------------------------- /dev/actions/upload_sbom/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve upload SBOM' 2 | description: 'Upload SBOM into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_api_base_url: 7 | description: 'Base URL of the SecObserve backend' 8 | required: true 9 | so_api_token: 10 | description: 'API token of the user to be used for the upload.' 11 | required: true 12 | so_product_name: 13 | description: 'Name of the product into which the SBOM is imported. The product has to exist before starting the import.' 
14 | required: true 15 | so_branch_name: 16 | description: 'Name of the product branch into which the SBOM is imported. If the branch does not exist yet, it is automatically created.' 17 | required: false 18 | so_file_name: 19 | description: 'Name of the SBOM file to upload.' 20 | required: true 21 | so_origin_service: 22 | description: 'Service name to be set for all imported components.' 23 | required: false 24 | 25 | runs: 26 | using: 'docker' 27 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 28 | entrypoint: 'file_upload_observations.sh' 29 | env: 30 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 31 | SO_API_TOKEN: ${{ inputs.so_api_token }} 32 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 33 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 34 | SO_FILE_NAME: ${{ inputs.so_file_name }} 35 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 36 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2023 MaibornWolff GmbH / Stefan Fleckenstein 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, 7 | this list of conditions and the following disclaimer. 8 | 9 | 2. Redistributions in binary form must reproduce the above copyright notice, 10 | this list of conditions and the following disclaimer in the documentation 11 | and/or other materials provided with the distribution. 12 | 13 | 3. Neither the name of the copyright holder nor the names of its contributors 14 | may be used to endorse or promote products derived from this software 15 | without specific prior written permission. 
16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 18 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 21 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | -------------------------------------------------------------------------------- /.github/workflows/build_push_dev.yml: -------------------------------------------------------------------------------- 1 | name: Build and push dev images 2 | 3 | on: workflow_dispatch 4 | 5 | permissions: 6 | contents: read 7 | packages: write 8 | attestations: write 9 | id-token: write 10 | 11 | jobs: 12 | docker: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - 16 | name: Checkout 17 | uses: actions/checkout@v6 18 | with: 19 | ref: dev 20 | - 21 | name: Set up QEMU 22 | uses: docker/setup-qemu-action@v3 23 | - 24 | name: Set up Docker Buildx 25 | uses: docker/setup-buildx-action@v3 26 | - 27 | name: Login to GitHub Container Registry 28 | uses: docker/login-action@v3 29 | with: 30 | registry: ghcr.io 31 | username: ${{ github.actor }} 32 | password: ${{ secrets.GITHUB_TOKEN }} 33 | - 34 | name: Set current date as env variable 35 | run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV 36 | - 37 | name: Build and push scanners 38 | uses: docker/build-push-action@v6 39 | with: 40 | context: . 
41 | file: ./docker//Dockerfile 42 | push: true 43 | tags: ghcr.io/secobserve/secobserve-scanners:dev 44 | build-args: | 45 | CREATED=${{ env.CREATED }} 46 | REVISION=${{ github.sha }} 47 | VERSION=dev 48 | - 49 | name: Build and push ZAP 50 | uses: docker/build-push-action@v6 51 | with: 52 | context: . 53 | file: ./docker_zap//Dockerfile 54 | push: true 55 | tags: ghcr.io/secobserve/secobserve-scanners-zap:dev 56 | build-args: | 57 | CREATED=${{ env.CREATED }} 58 | REVISION=${{ github.sha }} 59 | VERSION=dev 60 | -------------------------------------------------------------------------------- /actions/upload_observations/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve upload observations' 2 | description: 'Upload results of vulnerability scanner into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_api_base_url: 7 | description: 'Base URL of the SecObserve backend' 8 | required: true 9 | so_api_token: 10 | description: 'API token of the user to be used for the upload.' 11 | required: true 12 | so_product_name: 13 | description: 'Name of the product into which observations are imported. The product has to exist before starting the import.' 14 | required: true 15 | so_branch_name: 16 | description: 'Name of the product branch into which observations are imported. If the branch does not exist yet, it is automatically created.' 17 | required: false 18 | so_file_name: 19 | description: 'Name of the file to upload.' 20 | required: true 21 | so_origin_service: 22 | description: 'Service name to be set for all imported observations.' 23 | required: false 24 | so_origin_docker_image_name_tag: 25 | description: 'Name:Tag of Docker image to be set for all imported observations.' 26 | required: false 27 | so_origin_endpoint_url: 28 | description: 'URL of endpoint to be set for all imported observations.' 
29 | required: false 30 | 31 | runs: 32 | using: 'docker' 33 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 34 | entrypoint: 'file_upload_observations.sh' 35 | env: 36 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 37 | SO_API_TOKEN: ${{ inputs.so_api_token }} 38 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 39 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 40 | SO_FILE_NAME: ${{ inputs.so_file_name }} 41 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 42 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 43 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 44 | SO_SUPPRESS_LICENSES: true 45 | -------------------------------------------------------------------------------- /dev/actions/upload_observations/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve upload observations' 2 | description: 'Upload results of vulnerability scanner into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_api_base_url: 7 | description: 'Base URL of the SecObserve backend' 8 | required: true 9 | so_api_token: 10 | description: 'API token of the user to be used for the upload.' 11 | required: true 12 | so_product_name: 13 | description: 'Name of the product into which observations are imported. The product has to exist before starting the import.' 14 | required: true 15 | so_branch_name: 16 | description: 'Name of the product branch into which observations are imported. If the branch does not exist yet, it is automatically created.' 17 | required: false 18 | so_file_name: 19 | description: 'Name of the file to upload.' 20 | required: true 21 | so_origin_service: 22 | description: 'Service name to be set for all imported observations.' 23 | required: false 24 | so_origin_docker_image_name_tag: 25 | description: 'Name:Tag of Docker image to be set for all imported observations.' 
26 | required: false 27 | so_origin_endpoint_url: 28 | description: 'URL of endpoint to be set for all imported observations.' 29 | required: false 30 | 31 | runs: 32 | using: 'docker' 33 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 34 | entrypoint: 'file_upload_observations.sh' 35 | env: 36 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 37 | SO_API_TOKEN: ${{ inputs.so_api_token }} 38 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 39 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 40 | SO_FILE_NAME: ${{ inputs.so_file_name }} 41 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 42 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 43 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 44 | SO_SUPPRESS_LICENSES: true 45 | -------------------------------------------------------------------------------- /docker/drheader/rules.yml: -------------------------------------------------------------------------------- 1 | Headers: 2 | Content-Security-Policy: 3 | Required: True 4 | Must-Avoid: 5 | - unsafe-inline 6 | - unsafe-eval 7 | Directives: 8 | default-src: 9 | Required: True 10 | Value-One-Of: 11 | - none 12 | - self 13 | Cross-Origin-Embedder-Policy: 14 | Required: True 15 | Value: require-corp 16 | Cross-Origin-Opener-Policy: 17 | Required: True 18 | Value: same-origin 19 | Cross-Origin-Resource-Policy: 20 | Required: True 21 | Value: same-site 22 | Pragma: 23 | Required: False 24 | Referrer-Policy: 25 | Required: True 26 | Value-One-Of: 27 | - strict-origin 28 | - strict-origin-when-cross-origin 29 | - no-referrer 30 | - no-referrer, strict-origin-when-cross-origin 31 | Server: 32 | Required: Optional 33 | Value: 34 | - undisclosed 35 | Set-Cookie: 36 | Required: Optional 37 | Must-Contain: 38 | - HttpOnly 39 | - Secure 40 | - SameSite=Strict 41 | Strict-Transport-Security: 42 | Required: True 43 | Value: 44 | - max-age=31536000 45 | - includeSubDomains 46 | - preload 47 | User-Agent: 48 | Required: 
False 49 | X-AspNet-Version: 50 | Required: False 51 | X-Client-IP: 52 | Required: False 53 | X-Content-Type-Options: 54 | Required: True 55 | Value: nosniff 56 | X-Forwarded-For: 57 | Required: False 58 | X-Frame-Options: 59 | Required: True 60 | Value-One-Of: 61 | - DENY 62 | - SAMEORIGIN 63 | X-Generator: 64 | Required: False 65 | X-Powered-By: 66 | Required: False 67 | X-XSS-Protection: 68 | Required: False 69 | -------------------------------------------------------------------------------- /vulnerability_scanner/vulnerability_scanner/scan_vulnerabilities.py: -------------------------------------------------------------------------------- 1 | import os 2 | from vulnerability_scanner.configuration import ( 3 | clean_configuration, 4 | get_configuration_from_file, 5 | set_importer_configuration, 6 | set_scanner_configuration, 7 | ) 8 | 9 | SCANNERS = [ 10 | "bandit", 11 | "checkov", 12 | "cryptolyzer", 13 | "drheader", 14 | "eslint", 15 | "gitleaks", 16 | "grype_image", 17 | "grype_sbom", 18 | "kics", 19 | "semgrep", 20 | "trivy_config", 21 | "trivy_filesystem", 22 | "trivy_filesystem_secrets", 23 | "trivy_image", 24 | "trivy_image_secrets", 25 | ] 26 | 27 | 28 | def scan_vulnerabilities(): 29 | try: 30 | error = False 31 | configuration = get_configuration_from_file() 32 | 33 | for key in configuration.keys(): 34 | scanner_configuration = configuration.get(key) 35 | config_scanner = scanner_configuration.get("SCANNER") 36 | for scanner in SCANNERS: 37 | if scanner == config_scanner: 38 | clean_configuration() 39 | set_importer_configuration(configuration) 40 | set_scanner_configuration(scanner_configuration) 41 | exit_code = os.system(f"/entrypoints/entrypoint_{scanner}.sh") 42 | 43 | if exit_code > 0: 44 | error = True 45 | print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>") 46 | print(f"ERROR in {key} scanning or importing") 47 | print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<") 48 | if error: 49 | exit(1) 50 | except Exception as e: 51 | 
print(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>") 52 | print(f"{e.__class__.__name__}: {str(e)}") 53 | print("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<") 54 | exit(1) 55 | 56 | 57 | if __name__ == "__main__": 58 | scan_vulnerabilities() 59 | -------------------------------------------------------------------------------- /vulnerability_scanner/vulnerability_scanner/configuration.py: -------------------------------------------------------------------------------- 1 | import os 2 | import yaml 3 | 4 | IMPORTER_VARIABLES = [ 5 | "SO_UPLOAD", 6 | "SO_API_BASE_URL", 7 | "SO_PRODUCT_NAME", 8 | "SO_BRANCH_NAME", 9 | "SO_ORIGIN_SERVICE", 10 | "SO_ORIGIN_DOCKER_IMAGE_NAME_TAG", 11 | "SO_ORIGIN_ENDPOINT_URL", 12 | "SO_SUPPRESS_LICENSES", 13 | ] 14 | 15 | SCANNER_VARIABLES = [ 16 | "TARGET", 17 | "REPORT_NAME", 18 | "RUN_DIRECTORY", 19 | "FURTHER_PARAMETERS", 20 | "OUTPUT_PATH", 21 | "CONFIGURATION", 22 | "RULES", 23 | "SCRIPT", 24 | ] + IMPORTER_VARIABLES 25 | 26 | 27 | def get_configuration_from_file() -> dict: 28 | filename = os.getenv("SO_CONFIGURATION") 29 | if not filename: 30 | raise Exception("Environment variable SO_CONFIGURATION not set") 31 | 32 | with open(filename, "r") as yaml_file: 33 | configuration = yaml.safe_load(yaml_file) 34 | return configuration 35 | 36 | 37 | def clean_configuration() -> None: 38 | for variable in SCANNER_VARIABLES: 39 | os.environ.pop(variable, None) 40 | 41 | 42 | def set_importer_configuration(configuration: dict) -> None: 43 | if configuration.get("importer"): 44 | importer_configuration = configuration.get("importer") 45 | for variable in SCANNER_VARIABLES: 46 | value = importer_configuration.get(variable) 47 | _set_environment_variable(variable, value) 48 | 49 | 50 | def set_scanner_configuration(scanner_configuration: dict) -> None: 51 | for variable in SCANNER_VARIABLES: 52 | value = scanner_configuration.get(variable) 53 | _set_environment_variable(variable, value) 54 | if ( 55 | variable == "RUN_DIRECTORY" 56 | and 
os.getenv("RUN_DIRECTORY") is None 57 | ): 58 | os.environ["RUN_DIRECTORY"] = "." 59 | 60 | 61 | def _set_environment_variable(variable, value) -> None: 62 | if value is not None: 63 | if isinstance(value, str) and value.startswith("$"): 64 | os.environ[variable] = os.getenv(value[1:]) 65 | elif isinstance(value, bool): 66 | os.environ[variable] = str(value).lower() 67 | else: 68 | os.environ[variable] = str(value) 69 | -------------------------------------------------------------------------------- /.github/workflows/build_push_latest.yml: -------------------------------------------------------------------------------- 1 | name: Build and push release images from main 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | release: 7 | description: 'SecObserve scanners release (without the v)' 8 | required: true 9 | 10 | permissions: 11 | contents: read 12 | packages: write 13 | attestations: write 14 | id-token: write 15 | 16 | jobs: 17 | docker: 18 | runs-on: ubuntu-latest 19 | steps: 20 | - 21 | name: Checkout 22 | uses: actions/checkout@v6 23 | with: 24 | ref: 'v${{ github.event.inputs.release }}' 25 | - 26 | name: Set up QEMU 27 | uses: docker/setup-qemu-action@v3 28 | - 29 | name: Set up Docker Buildx 30 | uses: docker/setup-buildx-action@v3 31 | - 32 | name: Login to GitHub Container Registry 33 | uses: docker/login-action@v3 34 | with: 35 | registry: ghcr.io 36 | username: ${{ github.actor }} 37 | password: ${{ secrets.GITHUB_TOKEN }} 38 | - 39 | name: Set current date as env variable 40 | run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV 41 | - 42 | name: Build and push scanners 43 | uses: docker/build-push-action@v6 44 | with: 45 | context: . 
46 | file: ./docker//Dockerfile 47 | push: true 48 | tags: | 49 | ghcr.io/secobserve/secobserve-scanners:${{ github.event.inputs.release }} 50 | ghcr.io/secobserve/secobserve-scanners:latest 51 | build-args: | 52 | CREATED=${{ env.CREATED }} 53 | REVISION=${{ github.sha }} 54 | VERSION=${{ github.event.inputs.release }} 55 | - 56 | name: Build and push ZAP 57 | uses: docker/build-push-action@v6 58 | with: 59 | context: . 60 | file: ./docker_zap//Dockerfile 61 | push: true 62 | tags: | 63 | ghcr.io/secobserve/secobserve-scanners-zap:${{ github.event.inputs.release }} 64 | ghcr.io/secobserve/secobserve-scanners-zap:latest 65 | build-args: | 66 | CREATED=${{ env.CREATED }} 67 | REVISION=${{ github.sha }} 68 | VERSION=${{ github.event.inputs.release }} 69 | -------------------------------------------------------------------------------- /actions/DAST/cryptolyzer/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve CryptoLyzer' 2 | description: 'Scans TLS encryption for vulnerabilities with CryptoLyzer' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a hostname.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 
29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 46 | entrypoint: '/entrypoints/entrypoint_cryptolyzer.sh' 47 | env: 48 | TARGET: ${{ inputs.target }} 49 | REPORT_NAME: ${{ inputs.report_name }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /dev/actions/DAST/cryptolyzer/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve CryptoLyzer' 2 | description: 'Scans TLS encryption for vulnerabilities with CryptoLyzer' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a hostname.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 
12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 
41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 46 | entrypoint: '/entrypoints/entrypoint_cryptolyzer.sh' 47 | env: 48 | TARGET: ${{ inputs.target }} 49 | REPORT_NAME: ${{ inputs.report_name }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /actions/secrets/gitleaks/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Gitleaks' 2 | description: 'Scans for secrets with Gitleaks' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | report_name: 7 | description: 'The name of the report to be written.' 8 | required: true 9 | run_directory: 10 | description: 'The directory where to run the scanner.' 11 | required: false 12 | default: '.' 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product into which observations are imported. The product has to exist before starting the import.' 
29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch into which observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 46 | entrypoint: '/entrypoints/entrypoint_gitleaks.sh' 47 | env: 48 | REPORT_NAME: ${{ inputs.report_name }} 49 | RUN_DIRECTORY: ${{ inputs.run_directory }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /dev/actions/secrets/gitleaks/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Gitleaks' 2 | description: 'Scans for secrets with Gitleaks' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | report_name: 7 | description: 'The name of the report to be written.' 8 | required: true 9 | run_directory: 10 | description: 'The directory where to run the scanner.' 11 | required: false 12 | default: '.' 
13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 
41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 46 | entrypoint: '/entrypoints/entrypoint_gitleaks.sh' 47 | env: 48 | REPORT_NAME: ${{ inputs.report_name }} 49 | RUN_DIRECTORY: ${{ inputs.run_directory }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /actions/importer/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Importer' 2 | description: 'Import results of vulnerability scanner into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_upload: 7 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 8 | required: false 9 | default: 'true' 10 | so_api_base_url: 11 | description: 'Base URL of the SecObserve backend' 12 | required: true 13 | so_api_token: 14 | description: 'API token of the user to be used for the import.' 15 | required: true 16 | so_product_name: 17 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 18 | required: true 19 | so_branch_name: 20 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 21 | required: false 22 | so_file_name: 23 | description: 'Name of the file to import.' 
24 | required: true 25 | so_parser_name: 26 | description: 'Name of the parser to be used for the import.' 27 | required: true 28 | so_origin_service: 29 | description: 'Service name to be set for all imported observations.' 30 | required: false 31 | so_origin_docker_image_name_tag: 32 | description: 'Name:Tag of Docker image to be set for all imported observations.' 33 | required: false 34 | so_origin_endpoint_url: 35 | description: 'URL of endpoint to be set for all imported observations.' 36 | required: false 37 | so_suppress_licenses: 38 | description: 'Suppress importing license information if value is "true", default is "false".' 39 | required: false 40 | default: 'false' 41 | 42 | runs: 43 | using: 'docker' 44 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 45 | entrypoint: 'file_upload_observations.sh' 46 | env: 47 | SO_UPLOAD: ${{ inputs.so_upload }} 48 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 49 | SO_API_TOKEN: ${{ inputs.so_api_token }} 50 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 51 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 52 | SO_FILE_NAME: ${{ inputs.so_file_name }} 53 | SO_PARSER_NAME: ${{ inputs.so_parser_name }} 54 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 55 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 56 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 57 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 58 | -------------------------------------------------------------------------------- /dev/actions/importer/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Importer' 2 | description: 'Import results of vulnerability scanner into SecObserve' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | so_upload: 7 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 
8 | required: false 9 | default: 'true' 10 | so_api_base_url: 11 | description: 'Base URL of the SecObserve backend.' 12 | required: true 13 | so_api_token: 14 | description: 'API token of the user to be used for the import.' 15 | required: true 16 | so_product_name: 17 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 18 | required: true 19 | so_branch_name: 20 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 21 | required: false 22 | so_file_name: 23 | description: 'Name of the file to import.' 24 | required: true 25 | so_parser_name: 26 | description: 'Name of the parser to be used for the import.' 27 | required: true 28 | so_origin_service: 29 | description: 'Service name to be set for all imported observations.' 30 | required: false 31 | so_origin_docker_image_name_tag: 32 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 33 | required: false 34 | so_origin_endpoint_url: 35 | description: 'URL of the endpoint to be set for all imported observations.' 36 | required: false 37 | so_suppress_licenses: 38 | description: 'Suppress importing license information if the value is "true"; default is "false".' 
39 | required: false 40 | default: 'false' 41 | 42 | runs: 43 | using: 'docker' 44 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 45 | entrypoint: 'file_upload_observations.sh' 46 | env: 47 | SO_UPLOAD: ${{ inputs.so_upload }} 48 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 49 | SO_API_TOKEN: ${{ inputs.so_api_token }} 50 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 51 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 52 | SO_FILE_NAME: ${{ inputs.so_file_name }} 53 | SO_PARSER_NAME: ${{ inputs.so_parser_name }} 54 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 55 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 56 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 57 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 58 | -------------------------------------------------------------------------------- /actions/secrets/trivy_image_secrets/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy image secrets' 2 | description: 'Scans Docker images for secrets with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the Docker image.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend.' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product into which the observations are imported. 
The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of the endpoint to be set for all imported observations.' 41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 46 | entrypoint: '/entrypoints/entrypoint_trivy_image_secrets.sh' 47 | env: 48 | TARGET: ${{ inputs.target }} 49 | REPORT_NAME: ${{ inputs.report_name }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /dev/actions/secrets/trivy_image_secrets/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy image secrets' 2 | description: 'Scans Docker images for secrets with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the Docker image.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 
12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend.' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of the endpoint to be set for all imported observations.' 
41 | required: false 42 | 43 | runs: 44 | using: 'docker' 45 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 46 | entrypoint: '/entrypoints/entrypoint_trivy_image_secrets.sh' 47 | env: 48 | TARGET: ${{ inputs.target }} 49 | REPORT_NAME: ${{ inputs.report_name }} 50 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 51 | SO_UPLOAD: ${{ inputs.so_upload }} 52 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 53 | SO_API_TOKEN: ${{ inputs.so_api_token }} 54 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 55 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 56 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 57 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 58 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 59 | -------------------------------------------------------------------------------- /actions/DAST/zap/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve ZAP' 2 | description: 'Scans web sites and APIs with ZAP' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a URL.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | script: 14 | description: 'ZAP script to run.' 15 | required: false 16 | default: 'zap-baseline.py' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. 
The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners-zap:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_zap.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | SCRIPT: ${{ inputs.script }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/DAST/zap/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve ZAP' 2 | description: 'Scans web sites and APIs with ZAP' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a URL.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 
12 | required: true 13 | script: 14 | description: 'ZAP script to run.' 15 | required: false 16 | default: 'zap-baseline.py' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners-zap:dev' 50 | entrypoint: '/entrypoints/entrypoint_zap.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | SCRIPT: ${{ inputs.script }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/DAST/drheader/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve DrHeader' 2 | description: 'Scans HTTP headers for vulnerabilities with DrHeader' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a URL.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | rules: 14 | description: 'Custom rules to be used with DrHeader.' 15 | required: false 16 | further_parameters: 17 | description: 'Further parameters to be given to the scanner.' 18 | required: false 19 | default: '' 20 | so_upload: 21 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 22 | required: false 23 | default: 'true' 24 | so_api_base_url: 25 | description: 'Base URL of the SecObserve backend.' 26 | required: true 27 | so_api_token: 28 | description: 'API token of the user to be used for the import.' 
29 | required: true 30 | so_product_name: 31 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 32 | required: true 33 | so_branch_name: 34 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 35 | required: false 36 | so_origin_service: 37 | description: 'Service name to be set for all imported observations.' 38 | required: false 39 | so_origin_docker_image_name_tag: 40 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 41 | required: false 42 | so_origin_endpoint_url: 43 | description: 'URL of the endpoint to be set for all imported observations.' 44 | required: false 45 | 46 | runs: 47 | using: 'docker' 48 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 49 | entrypoint: '/entrypoints/entrypoint_drheader.sh' 50 | env: 51 | TARGET: ${{ inputs.target }} 52 | REPORT_NAME: ${{ inputs.report_name }} 53 | RULES: ${{ inputs.rules }} 54 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 55 | SO_UPLOAD: ${{ inputs.so_upload }} 56 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 57 | SO_API_TOKEN: ${{ inputs.so_api_token }} 58 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 59 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 60 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 61 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 62 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 63 | -------------------------------------------------------------------------------- /dev/actions/DAST/drheader/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve DrHeader' 2 | description: 'Scans HTTP headers for vulnerabilities with DrHeader' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a URL.' 
8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | rules: 14 | description: 'Custom rules to be used with DrHeader.' 15 | required: false 16 | default: '/rules.yml' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_drheader.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RULES: ${{ inputs.rules }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SAST/bandit/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Bandit' 2 | description: 'Scans Python code for vulnerabilities with Bandit' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory in which to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 
30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_bandit.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/SAST/bandit/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Bandit' 2 | description: 'Scans Python code for vulnerabilities with Bandit' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 
8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory in which to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_bandit.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SAST/tfsec/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve tfsec' 2 | description: 'Scans infrastructure code for vulnerabilities with tfsec' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory in which to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 
30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_tfsec.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/SAST/tfsec/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve tfsec' 2 | description: 'Scans infrastructure code for vulnerabilities with tfsec' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the 
filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory in which to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_tfsec.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SAST/checkov/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Checkov' 2 | description: 'Scans infrastructure code for vulnerabilities with Checkov' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory in which to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if the value is not "true"; default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend.' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 
30 | required: true 31 | so_product_name: 32 | description: 'Name of the product into which the observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch into which the observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of the Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of the endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_checkov.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/SAST/checkov/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Checkov' 2 | description: 'Scans infrastructure code for vulnerabilities with Checkov' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the 
filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_checkov.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SAST/eslint/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve ESLint' 2 | description: 'Scans Javascript/Typescript code for vulnerabilities with ESLint' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 
30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_eslint.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/SAST/eslint/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve ESLint' 2 | description: 'Scans Javascript/Typescript code for vulnerabilities with ESLint' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the 
filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_eslint.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SAST/trivy_config/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy config' 2 | description: 'Scans infrastructure code for vulnerabilities with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 
30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_trivy_config.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/SAST/trivy_config/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy config' 2 | description: 'Scans infrastructure code for vulnerabilities with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a 
path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_trivy_config.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/secrets/trivy_filesystem_secrets/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy filesystem secrets' 2 | description: 'Scans a filesystem for secrets with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 
23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_trivy_filesystem_secrets.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /dev/actions/secrets/trivy_filesystem_secrets/action.yaml: 
-------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy filesystem secrets' 2 | description: 'Scans a filesystem for secrets with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 
45 | required: false 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_trivy_filesystem_secrets.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | RUN_DIRECTORY: ${{ inputs.run_directory }} 55 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 56 | SO_UPLOAD: ${{ inputs.so_upload }} 57 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 58 | SO_API_TOKEN: ${{ inputs.so_api_token }} 59 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 60 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 61 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 62 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 63 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 64 | -------------------------------------------------------------------------------- /actions/SCA/grype_image/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Grype image' 2 | description: 'Scans Docker images for vulnerabilities with Grype' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the docker image.' 8 | required: true 9 | report_name: 10 | description: 'The name of the report to be written.' 11 | required: true 12 | further_parameters: 13 | description: 'Further parameters to be given to the scanner.' 14 | required: false 15 | default: '' 16 | so_upload: 17 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 18 | required: false 19 | default: 'true' 20 | so_api_base_url: 21 | description: 'Base URL of the SecObserve backend' 22 | required: true 23 | so_api_token: 24 | description: 'API token of the user to be used for the import.' 25 | required: true 26 | so_product_name: 27 | description: 'Name of the product which observations are imported. 
The product has to exist before starting the import.' 28 | required: true 29 | so_branch_name: 30 | description: 'Name of the product branch into which observations are imported. If the branch does not exist yet, it is created automatically.' 31 | required: false 32 | so_origin_service: 33 | description: 'Service name to be set for all imported observations.' 34 | required: false 35 | so_origin_docker_image_name_tag: 36 | description: 'Name:Tag of Docker image to be set for all imported observations.' 37 | required: false 38 | so_origin_endpoint_url: 39 | description: 'URL of endpoint to be set for all imported observations.' 40 | required: false 41 | so_suppress_licenses: 42 | description: 'License information is not imported if the value is "true"; default is "true".' 43 | required: false 44 | default: 'true' 45 | 46 | runs: 47 | using: 'docker' 48 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 49 | entrypoint: '/entrypoints/entrypoint_grype_image.sh' 50 | env: 51 | TARGET: ${{ inputs.target }} 52 | REPORT_NAME: ${{ inputs.report_name }} 53 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 54 | SO_UPLOAD: ${{ inputs.so_upload }} 55 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 56 | SO_API_TOKEN: ${{ inputs.so_api_token }} 57 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 58 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 59 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 60 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 61 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 62 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 63 | -------------------------------------------------------------------------------- /actions/SCA/grype_sbom/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Grype SBOM' 2 | description: 'Scans CycloneDX SBOMs for vulnerabilities with Grype' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 
7 | description: 'The target to be scanned, here the name of a CycloneDX SBOM.' 8 | required: true 9 | report_name: 10 | description: 'The name of the report to be written.' 11 | required: true 12 | further_parameters: 13 | description: 'Further parameters to be given to the scanner.' 14 | required: false 15 | default: '' 16 | so_upload: 17 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 18 | required: false 19 | default: 'true' 20 | so_api_base_url: 21 | description: 'Base URL of the SecObserve backend' 22 | required: true 23 | so_api_token: 24 | description: 'API token of the user to be used for the import.' 25 | required: true 26 | so_product_name: 27 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 28 | required: true 29 | so_branch_name: 30 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 31 | required: false 32 | so_origin_service: 33 | description: 'Service name to be set for all imported observations.' 34 | required: false 35 | so_origin_docker_image_name_tag: 36 | description: 'Name:Tag of Docker image to be set for all imported observations.' 37 | required: false 38 | so_origin_endpoint_url: 39 | description: 'URL of endpoint to be set for all imported observations.' 40 | required: false 41 | so_suppress_licenses: 42 | description: 'Suppress importing license information if value is "true", default is "true".' 
43 | required: false 44 | default: 'true' 45 | 46 | runs: 47 | using: 'docker' 48 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 49 | entrypoint: '/entrypoints/entrypoint_grype_sbom.sh' 50 | env: 51 | TARGET: ${{ inputs.target }} 52 | REPORT_NAME: ${{ inputs.report_name }} 53 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 54 | SO_UPLOAD: ${{ inputs.so_upload }} 55 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 56 | SO_API_TOKEN: ${{ inputs.so_api_token }} 57 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 58 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 59 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 60 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 61 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 62 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 63 | -------------------------------------------------------------------------------- /dev/actions/SCA/grype_image/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Grype image' 2 | description: 'Scans Docker images for vulnerabilities with Grype' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the docker image.' 8 | required: true 9 | report_name: 10 | description: 'The name of the report to be written.' 11 | required: true 12 | further_parameters: 13 | description: 'Further parameters to be given to the scanner.' 14 | required: false 15 | default: '' 16 | so_upload: 17 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 18 | required: false 19 | default: 'true' 20 | so_api_base_url: 21 | description: 'Base URL of the SecObserve backend' 22 | required: true 23 | so_api_token: 24 | description: 'API token of the user to be used for the import.' 
25 | required: true 26 | so_product_name: 27 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 28 | required: true 29 | so_branch_name: 30 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 31 | required: false 32 | so_origin_service: 33 | description: 'Service name to be set for all imported observations.' 34 | required: false 35 | so_origin_docker_image_name_tag: 36 | description: 'Name:Tag of Docker image to be set for all imported observations.' 37 | required: false 38 | so_origin_endpoint_url: 39 | description: 'URL of endpoint to be set for all imported observations.' 40 | required: false 41 | so_suppress_licenses: 42 | description: 'Suppress importing license information if value is "true", default is "true".' 43 | required: false 44 | default: 'true' 45 | 46 | runs: 47 | using: 'docker' 48 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 49 | entrypoint: '/entrypoints/entrypoint_grype_image.sh' 50 | env: 51 | TARGET: ${{ inputs.target }} 52 | REPORT_NAME: ${{ inputs.report_name }} 53 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 54 | SO_UPLOAD: ${{ inputs.so_upload }} 55 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 56 | SO_API_TOKEN: ${{ inputs.so_api_token }} 57 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 58 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 59 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 60 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 61 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 62 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 63 | -------------------------------------------------------------------------------- /dev/actions/SCA/grype_sbom/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Grype SBOM' 2 | 
description: 'Scans CycloneDX SBOMs for vulnerabilities with Grype' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of a CycloneDX SBOM.' 8 | required: true 9 | report_name: 10 | description: 'The name of the report to be written.' 11 | required: true 12 | further_parameters: 13 | description: 'Further parameters to be given to the scanner.' 14 | required: false 15 | default: '' 16 | so_upload: 17 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 18 | required: false 19 | default: 'true' 20 | so_api_base_url: 21 | description: 'Base URL of the SecObserve backend' 22 | required: true 23 | so_api_token: 24 | description: 'API token of the user to be used for the import.' 25 | required: true 26 | so_product_name: 27 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 28 | required: true 29 | so_branch_name: 30 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 31 | required: false 32 | so_origin_service: 33 | description: 'Service name to be set for all imported observations.' 34 | required: false 35 | so_origin_docker_image_name_tag: 36 | description: 'Name:Tag of Docker image to be set for all imported observations.' 37 | required: false 38 | so_origin_endpoint_url: 39 | description: 'URL of endpoint to be set for all imported observations.' 40 | required: false 41 | so_suppress_licenses: 42 | description: 'Suppress importing license information if value is "true", default is "true".' 
43 | required: false 44 | default: 'true' 45 | 46 | runs: 47 | using: 'docker' 48 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 49 | entrypoint: '/entrypoints/entrypoint_grype_sbom.sh' 50 | env: 51 | TARGET: ${{ inputs.target }} 52 | REPORT_NAME: ${{ inputs.report_name }} 53 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 54 | SO_UPLOAD: ${{ inputs.so_upload }} 55 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 56 | SO_API_TOKEN: ${{ inputs.so_api_token }} 57 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 58 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 59 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 60 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 61 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 62 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 63 | -------------------------------------------------------------------------------- /actions/SCA/trivy_image/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy image' 2 | description: 'Scans Docker images for vulnerabilities with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the docker image.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 
26 | required: true 27 | so_product_name: 28 | description: 'Name of the product into which observations are imported. The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch into which observations are imported. If the branch does not exist yet, it is created automatically.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 41 | required: false 42 | so_suppress_licenses: 43 | description: 'License information is not imported if the value is "true"; default is "true".' 44 | required: false 45 | default: 'true' 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 50 | entrypoint: '/entrypoints/entrypoint_trivy_image.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 55 | SO_UPLOAD: ${{ inputs.so_upload }} 56 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 57 | SO_API_TOKEN: ${{ inputs.so_api_token }} 58 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 59 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 60 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 61 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 62 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 63 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 64 | -------------------------------------------------------------------------------- /dev/actions/SCA/trivy_image/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy image' 2 | 
description: 'Scans Docker images for vulnerabilities with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here the name of the docker image.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | further_parameters: 14 | description: 'Further parameters to be given to the scanner.' 15 | required: false 16 | default: '' 17 | so_upload: 18 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 19 | required: false 20 | default: 'true' 21 | so_api_base_url: 22 | description: 'Base URL of the SecObserve backend' 23 | required: true 24 | so_api_token: 25 | description: 'API token of the user to be used for the import.' 26 | required: true 27 | so_product_name: 28 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 29 | required: true 30 | so_branch_name: 31 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 32 | required: false 33 | so_origin_service: 34 | description: 'Service name to be set for all imported observations.' 35 | required: false 36 | so_origin_docker_image_name_tag: 37 | description: 'Name:Tag of Docker image to be set for all imported observations.' 38 | required: false 39 | so_origin_endpoint_url: 40 | description: 'URL of endpoint to be set for all imported observations.' 41 | required: false 42 | so_suppress_licenses: 43 | description: 'Suppress importing license information if value is "true", default is "true".' 
44 | required: false 45 | default: 'true' 46 | 47 | runs: 48 | using: 'docker' 49 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 50 | entrypoint: '/entrypoints/entrypoint_trivy_image.sh' 51 | env: 52 | TARGET: ${{ inputs.target }} 53 | REPORT_NAME: ${{ inputs.report_name }} 54 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 55 | SO_UPLOAD: ${{ inputs.so_upload }} 56 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 57 | SO_API_TOKEN: ${{ inputs.so_api_token }} 58 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 59 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 60 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 61 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 62 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 63 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 64 | -------------------------------------------------------------------------------- /actions/SAST/kics/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve KICS' 2 | description: 'Scans infrastructure code for vulnerabilities with KICS' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | output_path: 22 | description: 'Output path for the KICS scan results.' 23 | required: true 24 | default: '' 25 | so_upload: 26 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 
27 | required: false 28 | default: 'true' 29 | so_api_base_url: 30 | description: 'Base URL of the SecObserve backend' 31 | required: true 32 | so_api_token: 33 | description: 'API token of the user to be used for the import.' 34 | required: true 35 | so_product_name: 36 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 37 | required: true 38 | so_branch_name: 39 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 40 | required: false 41 | so_origin_service: 42 | description: 'Service name to be set for all imported observations.' 43 | required: false 44 | so_origin_docker_image_name_tag: 45 | description: 'Name:Tag of Docker image to be set for all imported observations.' 46 | required: false 47 | so_origin_endpoint_url: 48 | description: 'URL of endpoint to be set for all imported observations.' 49 | required: false 50 | 51 | runs: 52 | using: 'docker' 53 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 54 | entrypoint: '/entrypoints/entrypoint_kics.sh' 55 | env: 56 | TARGET: ${{ inputs.target }} 57 | REPORT_NAME: ${{ inputs.report_name }} 58 | RUN_DIRECTORY: ${{ inputs.run_directory }} 59 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 60 | OUTPUT_PATH: ${{ inputs.output_path }} 61 | SO_UPLOAD: ${{ inputs.so_upload }} 62 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 63 | SO_API_TOKEN: ${{ inputs.so_api_token }} 64 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 65 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 66 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 67 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 68 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 69 | -------------------------------------------------------------------------------- /dev/actions/SAST/kics/action.yaml: 
-------------------------------------------------------------------------------- 1 | name: 'SecObserve KICS' 2 | description: 'Scans infrastructure code for vulnerabilities with KICS' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | output_path: 22 | description: 'Output path for the KICS scan results.' 23 | required: true 24 | default: '' 25 | so_upload: 26 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 27 | required: false 28 | default: 'true' 29 | so_api_base_url: 30 | description: 'Base URL of the SecObserve backend' 31 | required: true 32 | so_api_token: 33 | description: 'API token of the user to be used for the import.' 34 | required: true 35 | so_product_name: 36 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 37 | required: true 38 | so_branch_name: 39 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 40 | required: false 41 | so_origin_service: 42 | description: 'Service name to be set for all imported observations.' 43 | required: false 44 | so_origin_docker_image_name_tag: 45 | description: 'Name:Tag of Docker image to be set for all imported observations.' 46 | required: false 47 | so_origin_endpoint_url: 48 | description: 'URL of endpoint to be set for all imported observations.' 
49 | required: false 50 | 51 | runs: 52 | using: 'docker' 53 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:dev' 54 | entrypoint: '/entrypoints/entrypoint_kics.sh' 55 | env: 56 | TARGET: ${{ inputs.target }} 57 | REPORT_NAME: ${{ inputs.report_name }} 58 | RUN_DIRECTORY: ${{ inputs.run_directory }} 59 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 60 | OUTPUT_PATH: ${{ inputs.output_path }} 61 | SO_UPLOAD: ${{ inputs.so_upload }} 62 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 63 | SO_API_TOKEN: ${{ inputs.so_api_token }} 64 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 65 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 66 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 67 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 68 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 69 | -------------------------------------------------------------------------------- /actions/SAST/semgrep/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Semgrep' 2 | description: 'Scans source code for vulnerabilities with Semgrep' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | configuration: 22 | description: 'Configuration to be used with Semgrep.' 23 | required: true 24 | default: '' 25 | so_upload: 26 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 
27 | required: false 28 | default: 'true' 29 | so_api_base_url: 30 | description: 'Base URL of the SecObserve backend' 31 | required: true 32 | so_api_token: 33 | description: 'API token of the user to be used for the import.' 34 | required: true 35 | so_product_name: 36 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 37 | required: true 38 | so_branch_name: 39 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 40 | required: false 41 | so_origin_service: 42 | description: 'Service name to be set for all imported observations.' 43 | required: false 44 | so_origin_docker_image_name_tag: 45 | description: 'Name:Tag of Docker image to be set for all imported observations.' 46 | required: false 47 | so_origin_endpoint_url: 48 | description: 'URL of endpoint to be set for all imported observations.' 49 | required: false 50 | 51 | runs: 52 | using: 'docker' 53 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 54 | entrypoint: '/entrypoints/entrypoint_semgrep.sh' 55 | env: 56 | TARGET: ${{ inputs.target }} 57 | REPORT_NAME: ${{ inputs.report_name }} 58 | RUN_DIRECTORY: ${{ inputs.run_directory }} 59 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 60 | CONFIGURATION: ${{ inputs.configuration }} 61 | SO_UPLOAD: ${{ inputs.so_upload }} 62 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 63 | SO_API_TOKEN: ${{ inputs.so_api_token }} 64 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 65 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 66 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 67 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 68 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 69 | -------------------------------------------------------------------------------- /dev/actions/SAST/semgrep/action.yaml: 
-------------------------------------------------------------------------------- 1 | name: 'SecObserve Semgrep' 2 | description: 'Scans source code for vulnerabilities with Semgrep' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | configuration: 22 | description: 'Configuration to be used with Semgrep.' 23 | required: true 24 | default: '' 25 | so_upload: 26 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 27 | required: false 28 | default: 'true' 29 | so_api_base_url: 30 | description: 'Base URL of the SecObserve backend' 31 | required: true 32 | so_api_token: 33 | description: 'API token of the user to be used for the import.' 34 | required: true 35 | so_product_name: 36 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 37 | required: true 38 | so_branch_name: 39 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 40 | required: false 41 | so_origin_service: 42 | description: 'Service name to be set for all imported observations.' 43 | required: false 44 | so_origin_docker_image_name_tag: 45 | description: 'Name:Tag of Docker image to be set for all imported observations.' 46 | required: false 47 | so_origin_endpoint_url: 48 | description: 'URL of endpoint to be set for all imported observations.' 
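from __future__ import annotations

import os


class MissingEnvironmentError(Exception):
    """Raised by the check_environment_* methods when a required SO_* variable is unset or empty.

    Derives from plain ``Exception`` (which this module raised before) so any
    existing ``except Exception`` handler in the upload scripts keeps working.
    """


class Environment:
    """Importer configuration, read once from the SO_* environment variables.

    Variables that are not set are stored as ``None``. The actions and
    templates of this repository map every input to one of these variables,
    so an input that was not provided may arrive as an empty string rather
    than as an unset variable; the check_environment_* methods therefore
    treat "" the same as unset for the required values.
    """

    def __init__(self) -> None:
        self.api_base_url: str | None = os.getenv("SO_API_BASE_URL")
        self.api_token: str | None = os.getenv("SO_API_TOKEN")
        self.product_name: str | None = os.getenv("SO_PRODUCT_NAME")
        self.branch_name: str | None = os.getenv("SO_BRANCH_NAME")
        self.file_name: str | None = os.getenv("SO_FILE_NAME")
        self.parser_name: str | None = os.getenv("SO_PARSER_NAME")
        self.api_configuration_name: str | None = os.getenv("SO_API_CONFIGURATION_NAME")
        self.service: str | None = os.getenv("SO_ORIGIN_SERVICE")
        self.docker_image_name_tag: str | None = os.getenv("SO_ORIGIN_DOCKER_IMAGE_NAME_TAG")
        self.endpoint_url: str | None = os.getenv("SO_ORIGIN_ENDPOINT_URL")
        self.suppress_licenses: str | None = os.getenv("SO_SUPPRESS_LICENSES")

    def check_environment_file_upload(self) -> None:
        """Validate the variables a file upload needs and echo the configuration.

        Raises:
            MissingEnvironmentError: if one of SO_API_BASE_URL, SO_API_TOKEN,
                SO_PRODUCT_NAME or SO_FILE_NAME is unset or empty. The message
                lists every missing variable, separated by " / ".
        """
        missing = self._missing_common()
        if not self.file_name:
            missing.append("SO_FILE_NAME")
        if missing:
            raise MissingEnvironmentError(" / ".join(f"{name} is missing" for name in missing))

        # Echo the effective configuration for the CI log. SO_API_TOKEN is
        # intentionally not printed so the credential does not end up in logs.
        print("SecObserve upload")
        print("- SO_API_BASE_URL: ", self.api_base_url)
        print("- SO_PRODUCT_NAME: ", self.product_name)
        if self.branch_name:
            print("- SO_BRANCH_NAME: ", self.branch_name)
        print("- SO_FILE_NAME: ", self.file_name)
        if self.parser_name:
            print("- SO_PARSER_NAME: ", self.parser_name)
        if self.service:
            print("- SO_ORIGIN_SERVICE: ", self.service)
        if self.docker_image_name_tag:
            print("- SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ", self.docker_image_name_tag)
        if self.endpoint_url:
            print("- SO_ORIGIN_ENDPOINT_URL: ", self.endpoint_url)
        if self.suppress_licenses is not None:
            print("- SO_SUPPRESS_LICENSES: ", self.suppress_licenses)
        print("")

    def check_environment_common(self) -> str:
        """Return an error message naming the missing common variables, or "".

        Returns:
            "" when SO_API_BASE_URL, SO_API_TOKEN and SO_PRODUCT_NAME are all
            set and non-empty, otherwise a string such as
            "SO_API_BASE_URL is missing / SO_PRODUCT_NAME is missing".
        """
        return " / ".join(f"{name} is missing" for name in self._missing_common())

    def _missing_common(self) -> list[str]:
        """Names of the required common variables that are unset or empty, in check order."""
        required = (
            ("SO_API_BASE_URL", self.api_base_url),
            ("SO_API_TOKEN", self.api_token),
            ("SO_PRODUCT_NAME", self.product_name),
        )
        return [name for name, value in required if not value]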
12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 45 | required: false 46 | so_suppress_licenses: 47 | description: 'Suppress importing license information if value is "true", default is "true".' 
48 | required: false 49 | default: 'true' 50 | 51 | runs: 52 | using: 'docker' 53 | image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12' 54 | entrypoint: '/entrypoints/entrypoint_trivy_filesystem.sh' 55 | env: 56 | TARGET: ${{ inputs.target }} 57 | REPORT_NAME: ${{ inputs.report_name }} 58 | RUN_DIRECTORY: ${{ inputs.run_directory }} 59 | FURTHER_PARAMETERS: ${{ inputs.further_parameters }} 60 | SO_UPLOAD: ${{ inputs.so_upload }} 61 | SO_API_BASE_URL: ${{ inputs.so_api_base_url }} 62 | SO_API_TOKEN: ${{ inputs.so_api_token }} 63 | SO_PRODUCT_NAME: ${{ inputs.so_product_name }} 64 | SO_BRANCH_NAME: ${{ inputs.so_branch_name }} 65 | SO_ORIGIN_SERVICE: ${{ inputs.so_origin_service }} 66 | SO_ORIGIN_DOCKER_IMAGE_NAME_TAG: ${{ inputs.so_origin_docker_image_name_tag }} 67 | SO_ORIGIN_ENDPOINT_URL: ${{ inputs.so_origin_endpoint_url }} 68 | SO_SUPPRESS_LICENSES: ${{ inputs.so_suppress_licenses }} 69 | -------------------------------------------------------------------------------- /dev/actions/SCA/trivy_filesystem/action.yaml: -------------------------------------------------------------------------------- 1 | name: 'SecObserve Trivy filesystem' 2 | description: 'Scans a filesystem for vulnerabilities with Trivy' 3 | author: 'SecObserve' 4 | 5 | inputs: 6 | target: 7 | description: 'The target to be scanned, here a path of the filesystem.' 8 | required: true 9 | default: '.' 10 | report_name: 11 | description: 'The name of the report to be written.' 12 | required: true 13 | run_directory: 14 | description: 'The directory where to run the scanner.' 15 | required: false 16 | default: '.' 17 | further_parameters: 18 | description: 'Further parameters to be given to the scanner.' 19 | required: false 20 | default: '' 21 | so_upload: 22 | description: 'No upload of observations into SecObserve if value is not "true", default is "true".' 
23 | required: false 24 | default: 'true' 25 | so_api_base_url: 26 | description: 'Base URL of the SecObserve backend' 27 | required: true 28 | so_api_token: 29 | description: 'API token of the user to be used for the import.' 30 | required: true 31 | so_product_name: 32 | description: 'Name of the product which observations are imported. The product has to exist before starting the import.' 33 | required: true 34 | so_branch_name: 35 | description: 'Name of the product branch which observations are imported. If the branch does not exist yet, it is automatically created.' 36 | required: false 37 | so_origin_service: 38 | description: 'Service name to be set for all imported observations.' 39 | required: false 40 | so_origin_docker_image_name_tag: 41 | description: 'Name:Tag of Docker image to be set for all imported observations.' 42 | required: false 43 | so_origin_endpoint_url: 44 | description: 'URL of endpoint to be set for all imported observations.' 45 | required: false 46 | so_suppress_licenses: 47 | description: 'Suppress importing license information if value is "true", default is "true".' 
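import requests

from importer.environment import Environment

# Upper bound, in seconds, for every request to the SecObserve backend so that
# a stalled backend fails the CI job instead of hanging it indefinitely.
REQUEST_TIMEOUT_SECONDS = 300


class Api:
    """Thin client for the SecObserve import and product endpoints.

    Reads its configuration from ``Environment`` and authenticates every
    request with the ``APIToken`` scheme in the ``Authorization`` header.
    """

    def __init__(self) -> None:
        self.environment = Environment()
        # NOTE(review): api_base_url is used as given; with a plain http://
        # URL the token travels unencrypted, so the action inputs should
        # point at an https endpoint.
        authorization = "APIToken " + self.environment.api_token
        self.headers = {
            "accept": "application/json",
            "Content-type": "application/json",
            "Authorization": authorization,
        }
        # No Content-Type here: requests generates the multipart boundary
        # itself, which a manually set "multipart/form-data" header would lack.
        self.headers_multipart = {
            "accept": "application/json",
            "Authorization": authorization,
        }

    def file_upload_observations(self) -> None:
        """Upload a scanner report so SecObserve parses it into observations.

        Sends SO_PRODUCT_NAME, SO_PARSER_NAME, the optional branch/origin values
        and SO_SUPPRESS_LICENSES together with the file named by SO_FILE_NAME to
        ``/api/import/file_upload_observations_by_name/`` and prints the reply.

        Raises:
            requests.HTTPError: when the backend answers with an error status.
            OSError: when SO_FILE_NAME cannot be opened.
        """
        payload = {
            "product_name": self.environment.product_name,
            "parser_name": self.environment.parser_name,
        }
        self._add_if_set(payload, "branch_name", self.environment.branch_name)
        self._add_if_set(payload, "service", self.environment.service)
        self._add_if_set(payload, "docker_image_name_tag", self.environment.docker_image_name_tag)
        self._add_if_set(payload, "endpoint_url", self.environment.endpoint_url)
        # Always set, even when None (requests omits None-valued form fields).
        payload["suppress_licenses"] = self.environment.suppress_licenses

        self._post_file("/api/import/file_upload_observations_by_name/", payload)

    def file_upload_sbom(self) -> None:
        """Upload an SBOM for SO_PRODUCT_NAME (and optionally a branch/service).

        Posts the file named by SO_FILE_NAME to
        ``/api/import/file_upload_sbom_by_name/`` and prints the reply.

        Raises:
            requests.HTTPError: when the backend answers with an error status.
            OSError: when SO_FILE_NAME cannot be opened.
        """
        payload = {
            "product_name": self.environment.product_name,
        }
        self._add_if_set(payload, "branch_name", self.environment.branch_name)
        self._add_if_set(payload, "service", self.environment.service)

        self._post_file("/api/import/file_upload_sbom_by_name/", payload)

    def get_product(self) -> dict:
        """Look up the product named by SO_PRODUCT_NAME.

        Returns:
            The product object from the ``results`` list of ``/api/products/``
            whose ``name`` equals SO_PRODUCT_NAME exactly.

        Raises:
            ValueError: when the response carries no ``count`` or no product
                with exactly that name is found.
            requests.HTTPError: when the backend answers with an error status.
        """
        response = requests.get(
            f"{self.environment.api_base_url}/api/products/",
            # params= URL-encodes the value, so a product name containing
            # characters such as "&" or "#" cannot alter the query string.
            params={"name": self.environment.product_name},
            headers=self.headers,
            timeout=REQUEST_TIMEOUT_SECONDS,
        )
        response.raise_for_status()

        data = response.json()

        count = data.get("count")
        if count is None:
            raise ValueError("Count not found in response")
        if count == 0:
            raise ValueError(f"Product {self.environment.product_name} not found")

        # The name filter may return several products; insist on an exact match.
        for result in data.get("results", []):
            if result["name"] == self.environment.product_name:
                return result

        raise ValueError(f"Product {self.environment.product_name} not found")

    @staticmethod
    def _add_if_set(payload: dict, key: str, value) -> None:
        """Add ``key`` to ``payload`` unless ``value`` is None."""
        if value is not None:
            payload[key] = value

    def _post_file(self, path: str, payload: dict) -> None:
        """POST ``payload`` plus the SO_FILE_NAME file as multipart/form-data to ``path``.

        Prints the JSON body of the reply; raises ``requests.HTTPError`` on an
        error status.
        """
        file_name = self.environment.file_name
        # Binary mode: the bytes reach the backend unchanged instead of being
        # decoded and re-encoded with the locale's text encoding.
        with open(file_name, "rb") as file:
            files = {
                "file": (
                    file_name,
                    file,
                    "application/json",
                )
            }
            response = requests.post(
                self.environment.api_base_url + path,
                headers=self.headers_multipart,
                data=payload,
                files=files,
                timeout=REQUEST_TIMEOUT_SECONDS,
            )
        response.raise_for_status()

        print(response.json())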
9 | 10 | ## Our Standards 11 | 12 | Examples of behavior that contributes to a positive environment for our community include: 13 | 14 | * Demonstrating empathy and kindness toward other people 15 | * Being respectful of differing opinions, viewpoints, and experiences 16 | * Giving and gracefully accepting constructive feedback 17 | * Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience 18 | * Focusing on what is best not just for us as individuals, but for the overall community 19 | 20 | Examples of unacceptable behavior include: 21 | 22 | * The use of sexualized language or imagery, and sexual attention or advances of any kind 23 | * Trolling, insulting or derogatory comments, and personal or political attacks 24 | * Public or private harassment 25 | * Publishing others' private information, such as a physical or email address, without their explicit permission 26 | * Other conduct which could reasonably be considered inappropriate in a professional setting 27 | 28 | ## Enforcement Responsibilities 29 | 30 | Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. 31 | 32 | Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate. 33 | 34 | ## Scope 35 | 36 | This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. 37 | 38 | Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
39 | 40 | ## Enforcement 41 | 42 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [INSERT CONTACT METHOD]. All complaints will be reviewed and investigated promptly and fairly. 43 | 44 | All community leaders are obligated to respect the privacy and security of the reporter of any incident. 45 | 46 | ## Enforcement Guidelines 47 | 48 | Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct: 49 | 50 | ### 1. Correction 51 | 52 | **Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community. 53 | 54 | **Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested. 55 | 56 | ### 2. Warning 57 | 58 | **Community Impact**: A violation through a single incident or series of actions. 59 | 60 | **Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban. 61 | 62 | ### 3. Temporary Ban 63 | 64 | **Community Impact**: A serious violation of community standards, including sustained inappropriate behavior. 65 | 66 | **Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. 
Violating these terms may lead to a permanent ban. 67 | 68 | ### 4. Permanent Ban 69 | 70 | **Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals. 71 | 72 | **Consequence**: A permanent ban from any sort of public interaction within the community. 73 | 74 | ## Attribution 75 | 76 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 77 | 78 | Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity). 79 | 80 | [homepage]: https://www.contributor-covenant.org 81 | 82 | For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. 83 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | > [!IMPORTANT] 2 | > The SecObserve repositories have been moved from the MaibornWolff organization to their own SecObserve organization. Even though all links to the previous repository location are automatically redirected to the new location, we strongly recommend updating any existing links to the new repository URL. 3 | > 4 | > All includes of GitHub actions and GitLab templates have to be changed from `MaibornWolff/secobserve_actions_templates/...` to `SecObserve/secobserve_actions_templates/...`. 
5 | > 6 | > The location of the Docker images has been changed with release 2025_11, they are now stored in a GitHub container registry: 7 | > - ghcr.io/secobserve/secobserve-scanners 8 | > - ghcr.io/secobserve/secobserve-scanners-zap 9 | 10 | 11 | # SecObserve GitHub actions and GitLab CI templates 12 | 13 | SecObserve gathers results about potential security flaws from various vulnerability scanning tools and makes them available for assessment and reporting. 14 | 15 | It consists of 2 major components: 16 | 17 | * **GitHub actions and GitLab CI templates:** Integrating vulnerability scanners into a CI/CD pipeline can be tedious. Each tool has to be installed differently and is called with different parameters. To avoid having to solve this task all over again, there are repositories with GitHub actions and GitLab CI templates. These make the process of integrating vulnerability scanners very simple by providing uniform methods for launching the tools and uniform parameters. The tools are regularly updated in the repositories so that the latest features and bug fixes are always available. 18 | 19 | All actions and templates run the scanner, upload the results into SecObserve and make the results of the scans available for download as artefacts in JSON format. 20 | 21 | These GitHub actions and GitLab CI templates are the content of this repository. 22 | 23 | * **Vulnerability management system SecObserve:** SecObserve provides the development team with an overview of the results of all vulnerability scans for their project, which can be easily filtered and sorted. In the detailed view, the results are displayed uniformly with a wealth of information, regardless of which vulnerability scanner generated them. 24 | 25 | The sources of the vulnerability management system can be found in [https://github.com/SecObserve/SecObserve](https://github.com/SecObserve/SecObserve). 
26 | 27 | ## Available actions and templates 28 | 29 | | Scanner | GitHub Action | GitLab CI Template | License | 30 | |----------|---------|-------------|--------| 31 | | [Bandit](https://bandit.readthedocs.io/en/latest) | `actions/SAST/bandit` | `templates/SAST/bandit.yml` | [Apache 2.0](https://github.com/PyCQA/bandit/blob/main/LICENSE) | 32 | | [ESLint](https://github.com/eslint/eslint) | `actions/SAST/eslint` | `templates/SAST/eslint.yml` | [MIT](https://github.com/eslint/eslint/blob/main/LICENSE) | 33 | | [Semgrep](https://semgrep.dev/docs) | `actions/SAST/semgrep` | `templates/SAST/semgrep.yml` |[LGPL 2.1](https://github.com/returntocorp/semgrep/blob/develop/LICENSE) | 34 | | [Checkov](https://www.checkov.io/1.Welcome/Quick%20Start.html) | `actions/SAST/checkov` | `templates/SAST/checkov.yml` | [Apache 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) | 35 | | [KICS](https://docs.kics.io/latest) | `actions/SAST/kics` | `templates/SAST/kics.yml` | [Apache 2.0](https://github.com/Checkmarx/kics/blob/master/LICENSE) | 36 | | [tfsec](https://aquasecurity.github.io/tfsec) | `actions/SAST/tfsec` | `templates/SAST/tfsec.yml` | [MIT](https://github.com/aquasecurity/tfsec/blob/master/LICENSE) | 37 | | [Grype](https://github.com/anchore/grype) | `actions/SCA/grype_image` | `templates/SCA/grype_image.yml` | [Apache 2.0](https://github.com/anchore/grype/blob/main/LICENSE) | 38 | | [Trivy](https://aquasecurity.github.io/trivy) | `actions/SCA/trivy_filesystem` | `templates/SCA/trivy_filesystem.yml` | [Apache 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | 39 | | [Trivy](https://aquasecurity.github.io/trivy) | `actions/SCA/trivy_image` | `templates/SCA/trivy_image.yml` | [Apache 2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) | 40 | | [Gitleaks](https://gitleaks.io) | `actions/secrets/gitleaks` | `templates/secrets/gitleaks.yml` | [MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE) | 41 | | 
[CryptoLyzer](https://gitlab.com/coroner/cryptolyzer) | `actions/DAST/cryptolyzer` | `templates/DAST/cryptolyzer.yml` | [MPL 2.0](https://gitlab.com/coroner/cryptolyzer/-/blob/master/LICENSE.txt) | 42 | | [DrHeader](https://github.com/Santandersecurityresearch/DrHeader) | `actions/DAST/drheader` | `templates/DAST/drheader.yml` | [MIT](https://github.com/Santandersecurityresearch/DrHeader/blob/master/LICENSE) | 43 | | [ZAP](https://github.com/zaproxy/zaproxy) | `actions/DAST/zap` | `templates/DAST/zap.yml` | [Apache 2.0](https://github.com/zaproxy/zaproxy/blob/main/LICENSE) | 44 | 45 | All GitHub actions and GitLab CI templates use a pre-built Docker image that contains all scanners and the SecObserve importer. Because the scanners and the image are updated regularly, a pipeline that includes the actions or templates from a moving branch of this repository picks up those updates automatically; reference a fixed release tag (or commit) instead if you want to review scanner and image updates before they run in your CI. 46 | 47 | ## Documentation 48 | 49 | See [GitHub actions and GitLab CI templates](https://secobserve.github.io/SecObserve/integrations/github_actions_and_templates) for the full documentation on how to use the actions and templates. 50 | 51 | ## Code of Conduct 52 | 53 | Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms. 54 | 55 | ## License 56 | 57 | SecObserve is licensed under the [3-Clause BSD License](LICENSE.txt). 58 | -------------------------------------------------------------------------------- /docker/Dockerfile: -------------------------------------------------------------------------------- 1 | # Python build stage 2 | FROM python:3.13-alpine AS python-build-stage 3 | 4 | # Install gcc to be able to compile wheels for python packages 5 | RUN apk add --no-cache gcc musl-dev python3-dev 6 | 7 | # Generate wheels for Python packages 8 | WORKDIR /usr/local 9 | COPY docker/requirements.txt . 10 | RUN pip wheel --wheel-dir /usr/src/app/wheels -r ./requirements.txt 11 | COPY docker/requirements_checkov.txt . 
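RUN pip wheel --wheel-dir /usr/src/app/wheels_checkov -r ./requirements_checkov.txt

# Go build stage for KICS
FROM golang:1.25.5-alpine AS go-build-stage

ARG KICS_VERSION=2.1.17

# Build kics from the tagged source tarball on GitHub.
# NOTE(review): the tarball is fetched over HTTPS but is not verified against a
# checksum, and a git tag can be moved after the fact. Pinning the release
# digest (or building from a commit SHA) would make this stage reproducible.
WORKDIR /usr/local/kics
RUN apk add --no-cache build-base
RUN wget --no-verbose https://github.com/Checkmarx/kics/archive/refs/tags/v${KICS_VERSION}.tar.gz -O - | tar -zxf - \
    && cd kics-${KICS_VERSION} \
    && go build -o ./bin/kics cmd/console/main.go

# Python run stage
# NOTE(review): the base image is pinned by tag only; pinning by digest
# (python:3.13-alpine@sha256:...) would make rebuilds reproducible.
FROM python:3.13-alpine AS python-run-stage

# Scanner versions; bump these to update the tools shipped in the image
ARG GITLEAKS_VERSION=8.30.0
ARG GRYPE_VERSION=0.104.2
ARG KICS_VERSION=2.1.17
ARG TRIVY_VERSION=0.68.1
ARG TFSEC_VERSION=1.28.14

# Build metadata passed in by the build (empty when not supplied)
ARG CREATED
ARG REVISION
ARG VERSION

LABEL org.opencontainers.image.created=${CREATED}
LABEL org.opencontainers.image.description="SecObserve is an open source vulnerability and license management system for software development teams."
LABEL org.opencontainers.image.documentation="https://secobserve.github.io/SecObserve/integrations/github_actions_and_templates/"
# SPDX identifier for the 3-Clause BSD License is "BSD-3-Clause" (was "BSD3-Clause")
LABEL org.opencontainers.image.licenses="BSD-3-Clause"
LABEL org.opencontainers.image.revision=${REVISION}
LABEL org.opencontainers.image.source="https://github.com/SecObserve/secobserve_actions_templates"
LABEL org.opencontainers.image.title="SecObserve vulnerability scanners"
LABEL org.opencontainers.image.url="https://github.com/SecObserve/secobserve_actions_templates"
LABEL org.opencontainers.image.vendor="SecObserve"
LABEL org.opencontainers.image.version=${VERSION}

# Install openssl-dev because libcrypto is needed for CryptoLyzer
RUN apk add --no-cache openssl-dev

# All absolute dir copies ignore workdir instruction. All relative dir copies are wrt to the workdir instruction
# copy python dependency wheels from python-build-stage
COPY --from=python-build-stage /usr/src/app/wheels /wheels/
COPY --from=python-build-stage /usr/src/app/wheels_checkov /wheels_checkov/
# Install the wheels into two virtual environments at the image root: /.venv for
# the scanners and the importer, /.venv_checkov for checkov (presumably because
# its dependency set conflicts with the rest -- see requirements_checkov.txt).
# --no-index ensures nothing is fetched from PyPI here; only the wheels built in
# the first stage are installed. /tmp is removed to drop pip's temporary files
# and is recreated as the last step of this Dockerfile.
RUN python3 -m venv .venv \
    && source /.venv/bin/activate \
    && pip install --no-cache-dir --no-index --find-links=/wheels/ /wheels/* \
    && rm -rf /wheels/ && rm -rf /tmp \
    && deactivate \
    && python3 -m venv .venv_checkov \
    && source /.venv_checkov/bin/activate \
    && pip install --no-cache-dir --no-index --find-links=/wheels_checkov/ /wheels_checkov/* \
    && rm -rf /wheels_checkov/ && rm -rf /tmp \
    && deactivate \
    # Hack because Python's find_library doesn't work on Alpine
    && sed -i -e "s|get_library('crypto', 'libcrypto\.dylib', '42')|'/usr/lib/libcrypto\.so'|g" .venv/lib/python3.13/site-packages/oscrypto/_openssl/_libcrypto_cffi.py \
    && sed -i -e "s|get_library('crypto', 'libcrypto\.dylib', '42')|'/usr/lib/libcrypto\.so'|g" .venv/lib/python3.13/site-packages/oscrypto/_openssl/_libcrypto_ctypes.py

# copy and install precompiled DrHeader library and rules
# NOTE(review): unlike the step above, this pip install is not run with
# --no-index, so any dependency of the wheel that is not already present in
# /.venv would be resolved from PyPI without hash pinning -- confirm that
# requirements.txt already covers DrHeader's dependencies.
COPY docker/drheader/drheader-1.7.0-py2.py3-none-any.whl docker/drheader/rules.yml ./
RUN source /.venv/bin/activate \
    && pip install --no-cache-dir ./drheader-1.7.0-py2.py3-none-any.whl \
    && deactivate

# NOTE(review): the release archives and binaries below are downloaded over
# HTTPS but are not verified against a published checksum or signature. Adding
# a sha256 check before extraction would protect the image against a tampered
# or replaced release asset.

# install GitLeaks from Github
WORKDIR /usr/local/gitleaks
RUN wget --no-verbose https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz -O - | tar -zxf -

# install Grype from Github
WORKDIR /usr/local/grype
RUN wget --no-verbose https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz -O - | tar -zxf -

# Copy kics from go build stage
WORKDIR /usr/local/kics
COPY --from=go-build-stage /usr/local/kics/kics-${KICS_VERSION}/bin ./bin/
COPY --from=go-build-stage /usr/local/kics/kics-${KICS_VERSION}/assets/queries ./bin/assets/queries/
COPY --from=go-build-stage /usr/local/kics/kics-${KICS_VERSION}/assets/libraries ./bin/assets/libraries/

# Install trivy from GitHub
WORKDIR /usr/local/trivy
RUN wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxf -

# Install tfsec from GitHub (--no-verbose for consistency with the other downloads)
WORKDIR /usr/local/tfsec
RUN wget --no-verbose https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec-linux-amd64 && chmod ugo+x ./tfsec-linux-amd64 && mv ./tfsec-linux-amd64 ./tfsec

# eslint needs npm
# gitleaks needs git
# trivy needs docker
RUN apk add --no-cache npm git docker-cli

# Install importer
WORKDIR /usr/local/importer
COPY importer/ ./

# Install vulnerability_scanner
WORKDIR /usr/local/vulnerability_scanner
COPY vulnerability_scanner/ ./

# Copy entrypoints and set PATH
WORKDIR /entrypoints
COPY ./docker/entrypoints/ ./
ENV PATH="/usr/local/gitleaks:/usr/local/grype:/usr/local/kics/bin:/usr/local/trivy:/usr/local/tfsec:/usr/local/importer/bin:/usr/local/vulnerability_scanner/bin:$PATH"

WORKDIR /

# NOTE(review): there is no USER instruction, so the scanners run as root.
# Trivy's image scans need the Docker CLI (installed above) and presumably a
# mounted Docker socket, and the jobs write into the mounted workspace, so
# dropping privileges here would likely break the CI jobs -- but the image
# should only ever be run against CI-controlled inputs.

# Recreate /tmp (removed during the pip install steps above) with the
# conventional mode 1777: world-writable plus the sticky bit, so that files in
# it can only be removed by their owner. Using chmod instead of "mkdir -m"
# also applies the mode when an earlier step has already recreated /tmp.
RUN mkdir -p /tmp && chmod 1777 /tmp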