├── LICENSE
├── README.md
├── action.yml
└── docs
    ├── icon.png
    ├── readmeImages
    │   ├── CallNoReturnIcon.png
    │   ├── CallReturnIcon.png
    │   ├── ReturnCallIcon.png
    │   ├── ReturnNoCallIcon.png
    │   ├── vscode-pref.png
    │   └── vscode.gif
    ├── scan-invocation.png
    └── scan-summary.png

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Team Scan

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Warning

Scan is now in maintenance mode. If you have just come across this project, it is probably best to look at the alternatives. Read more [here](https://github.com/ShiftLeftSecurity/sast-scan/issues/352).

# Overview

```bash
███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██║     ███████║██╔██╗ ██║
╚════██║██║     ██╔══██║██║╚██╗██║
███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
```

[Security Scan](https://slscan.io) is a free and open-source security tool for modern DevOps teams. With its integrated multi-scanner design, Scan can detect many kinds of security flaws in your application and infrastructure code in a single fast scan, without the need for any _remote server_. The product supports a range of integration options, from scanning every push via a git hook to scanning every build and pull request in your CI/CD pipelines.

## Highlighted Features

### Supported scans

- Credentials scanning to detect accidental secret leaks
- Static Analysis Security Testing (SAST) for a range of languages and frameworks
- Open-source dependency and licence audit
- Pull request status checks and scan summary as comments

### Languages supported

- Salesforce Apex
- bash
- Go
- Java
- JSP
- Node.js
- Oracle PL/SQL
- Python
- Rust (dependency and licence scan only)
- Terraform
- Salesforce Visualforce
- Apache Velocity

## Getting Started

Add the following step to your GitHub Actions workflow:

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
```

To override the built-in language detection, use the `type` parameter (comma-separated values are allowed):

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,java,depscan"
```

For a full example, refer to the [workflow](https://github.com/ShiftLeftSecurity/sast-scan/blob/master/.github/workflows/pythonapp.yml) file that Scan uses to scan itself.

### Viewing Reports

The scan summary is printed directly in the action's build log, as shown:

![Scan Invocation](docs/scan-invocation.png)

![Scan Summary](docs/scan-summary.png)

The action also produces HTML reports for the various scans. To upload the reports as build artifacts of your pipeline, add an `upload-artifact` step as shown:

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,python"
  env:
    WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: actions/upload-artifact@v1
  with:
    name: reports
    path: reports
```

In the above configuration, two environment variables customise the behaviour:

- `WORKSPACE`: specifying the URL of your repository turns the filenames in the reports into hyperlinks. Specify the empty string `""` when using the `Code Scanning` feature on GitHub.
- `GITHUB_TOKEN`: passing the GitHub token improves the scan results by increasing the allowance for package-name lookups during dependency scanning.

## Tips & Tricks

### Automatic build

Scan can attempt to build certain project types automatically; Java, Node.js, Rust, Go and C# are currently supported. To enable auto-build, set the environment variable `SCAN_AUTO_BUILD` as shown:

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,python"
  env:
    WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SCAN_AUTO_BUILD: true
```

## Documentation

Please refer to the [documentation](https://slscan.io) on using ShiftLeft Scan in your pipelines.
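The snippets above each show one step. As an added example (not a workflow from the scan-action project), the following complete workflow combines them: checkout, the scan step with explicit `type`, the `WORKSPACE` / `GITHUB_TOKEN` / `SCAN_AUTO_BUILD` environment variables, and artifact upload. The commit SHA used for pinning is a placeholder, the `permissions` block reflects what this example assumes the PR comment and status-check features need, and `actions/upload-artifact@v4` is assumed to be the current major (the README snippet shows `@v1`).

```yaml
# Added example workflow, not part of the scan-action repository.
# Placeholders and assumptions are marked in comments.
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege token for the job. contents:read is enough to scan the
# checked-out source; pull-requests:write and checks:write are what this
# example assumes the PR comment / status-check features need
# (SCAN_ANNOTATE_PR defaults to true in action.yml).
permissions:
  contents: read
  pull-requests: write
  checks: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Perform Scan
        # Pin to a full commit SHA rather than @master so the image and
        # arguments you reviewed are the ones that run. Placeholder value:
        uses: ShiftLeftSecurity/scan-action@<commit-sha-placeholder>
        with:
          # Override language detection; comma-separated, as in the README.
          type: "credscan,python,depscan"
        env:
          # Turns file names in the reports into links to this exact commit.
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          # Raises the allowance for package-name lookups during depscan.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Let Scan build supported project types before analysis.
          SCAN_AUTO_BUILD: true

      - name: Upload reports
        # v4 assumed to be the current major of this action.
        uses: actions/upload-artifact@v4
        # Keep the HTML reports even when an earlier step fails.
        if: always()
        with:
          name: scan-reports
          path: reports
```

Because action.yml runs the scan with `--no-error`, a finding does not by itself fail the job; the uploaded `reports` directory and the PR annotations are where reviewers see the results, so the `if: always()` on the upload step matters.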

## Support

The developers behind Scan are available on a dedicated [Discord channel](https://discord.gg/7WvSxdK) for questions and support. For defects, raising an issue on [GitHub](https://github.com/ShiftLeftSecurity/sast-scan/issues) is best.
--------------------------------------------------------------------------------

/action.yml:
--------------------------------------------------------------------------------
name: "Security and Licence Scan"
description: "Security Scan is a free and open-source security audit tool for your DevOps team"
inputs:
  src:
    description: "Source directory to scan. Defaults to /github/workspace"
    required: false
    default: "/github/workspace"
  output:
    description: "Output directory for the generated reports. Defaults to /github/workspace/reports"
    required: false
    default: "/github/workspace/reports"
  type:
    description: "Project type. Eg: credscan, java, python, nodejs, depscan etc. Comma separated values allowed."
    required: false
runs:
  using: "docker"
  image: "docker://shiftleft/scan:latest"
  env:
    WORKSPACE: ""
    SCAN_ANNOTATE_PR: true
    SKIP_BOT_TRIGGERS: true
    ENABLE_OSS_RISK: true
  args:
    - "scan"
    - "--src"
    - ${{ inputs.src }}
    - "--out_dir"
    - ${{ inputs.output }}
    - "--type"
    - ${{ inputs.type }}
    - "--no-error"
branding:
  icon: "check"
  color: "blue"
--------------------------------------------------------------------------------

/docs/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/icon.png
--------------------------------------------------------------------------------

/docs/readmeImages/CallNoReturnIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/CallNoReturnIcon.png
--------------------------------------------------------------------------------

/docs/readmeImages/CallReturnIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/CallReturnIcon.png
--------------------------------------------------------------------------------

/docs/readmeImages/ReturnCallIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/ReturnCallIcon.png
--------------------------------------------------------------------------------

/docs/readmeImages/ReturnNoCallIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/ReturnNoCallIcon.png
--------------------------------------------------------------------------------

/docs/readmeImages/vscode-pref.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/vscode-pref.png
--------------------------------------------------------------------------------

/docs/readmeImages/vscode.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/readmeImages/vscode.gif
--------------------------------------------------------------------------------

/docs/scan-invocation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/scan-invocation.png
--------------------------------------------------------------------------------

/docs/scan-summary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ShiftLeftSecurity/scan-action/4d4c04908eff87430482f36340ad5706c14cf9a6/docs/scan-summary.png
--------------------------------------------------------------------------------