├── README.md
├── action.yml
├── example-workflow.yml
└── images
    ├── code-scanning-alerts.png
    ├── code-scanning-flow.png
    ├── defensecode.png
    ├── github.png
    └── thunderscan-icon.png

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DefenseCode ThunderScan Github Action ![ThunderScan](images/thunderscan-icon.png)

DefenseCode ThunderScan GitHub Action with SARIF output.



* **DefenseCode ThunderScan®** is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use and can be deployed during or after development, with straightforward integration into a DevOps environment and CI/CD pipeline.

* **DefenseCode WebScanner** is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). WebScanner tests a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Find more info on the official website: [DefenseCode.com](https://www.defensecode.com)

## Inputs

| Variable | Example Value | Description | Type | Required | Default |
| ------------- | ------------- | ------------- | ------------- | ------------- | ------------- |
| api_url | https://localhost:8999 | ThunderScan API URL | String | Yes | N/A |
| api_token | ${{ secrets.THUNDERSCAN_TOKEN }} | ThunderScan API Token | Secure String | Yes | N/A |
| client_path | /opt/thunderscan/tsactioncli | ThunderScan Client Path | String | Yes | N/A |
| engines | 2 | ThunderScan Engine IDs | String | No | N/A |

## Outputs

The default output format for this GitHub Action is a [SARIF](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning) report stored in the working directory as **./thunderscan-sarif.json**.

## Example Usage

The ThunderScan action runs on a self-hosted runner, using the ThunderScan API CLI client.

```yaml
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v2

  # ThunderScan Action
  - name: ThunderScan
    uses: defensecode/thunderscan-action@v1.0
    with:
      api_url: 'http://localhost:8999'
      client_path: '/opt/thunderscan/tsactioncli'
      api_token: ${{ secrets.THUNDERSCAN_TOKEN }}

  - name: Expose report
    uses: actions/upload-artifact@v2
    with:
      name: SARIF results
      path: thunderscan-sarif.json

  # Uploads thunderscan-sarif.json to the GitHub repository using the upload-sarif action
  - uses: github/codeql-action/upload-sarif@v1
    with:
      # Path to SARIF file relative to the root of the repository
      sarif_file: thunderscan-sarif.json
```

## Security Alerts Sample

![Sample Alert](images/code-scanning-alerts.png)
![Sample Flow](images/code-scanning-flow.png)

--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: 'DefenseCode ThunderScan Action'
description: 'Source code scanning for vulnerabilities using DefenseCode ThunderScan SAST solution'
author: 'DefenseCode'
branding:
  icon: alert-circle
  color: red
inputs:
  client_path:
    required: true
    description: 'Provide ThunderScan API client path'
    default: ''
  api_url:
    required: true
    description: 'Provide ThunderScan API URL'
    default: ''
  api_token:
    required: true
    description: 'Provide ThunderScan API Token'
    default: ''
  engines:
    required: false
    description: 'Provide one or more (comma separated) ThunderScan SAST engine IDs to be used for the analysis'
    default: ''
runs:
  using: "composite"
  steps:
    - run: ${{ inputs.client_path }}
      shell: bash
      env:
        API_TOKEN: ${{ inputs.api_token }}
        API_URL: ${{ inputs.api_url }}
        ENGINES: ${{ inputs.engines }}

--------------------------------------------------------------------------------
/example-workflow.yml:
--------------------------------------------------------------------------------
name: "ThunderScan Analysis"

# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the master branch
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: thunderscan-test

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      # ThunderScan Action
      - name: ThunderScan
        uses: defensecode/thunderscan-action@v1.0
        with:
          api_url: 'http://localhost:8999'
          client_path: '/opt/thunderscan/tsactioncli'
          api_token: ${{ secrets.THUNDERSCAN_TOKEN }}

      - name: Expose report
        uses: actions/upload-artifact@v2
        with:
          name: SARIF results
          path: thunderscan-sarif.json

      # Uploads thunderscan-sarif.json to the GitHub repository using the upload-sarif action
      - uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: thunderscan-sarif.json

--------------------------------------------------------------------------------
/images/code-scanning-alerts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/defensecode/thunderscan-action/6320c03281cdc5b0d0ca4c4857dfcfafc7839eed/images/code-scanning-alerts.png

--------------------------------------------------------------------------------
/images/code-scanning-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/defensecode/thunderscan-action/6320c03281cdc5b0d0ca4c4857dfcfafc7839eed/images/code-scanning-flow.png

--------------------------------------------------------------------------------
/images/defensecode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/defensecode/thunderscan-action/6320c03281cdc5b0d0ca4c4857dfcfafc7839eed/images/defensecode.png

--------------------------------------------------------------------------------
/images/github.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/defensecode/thunderscan-action/6320c03281cdc5b0d0ca4c4857dfcfafc7839eed/images/github.png

--------------------------------------------------------------------------------
/images/thunderscan-icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/defensecode/thunderscan-action/6320c03281cdc5b0d0ca4c4857dfcfafc7839eed/images/thunderscan-icon.png
--------------------------------------------------------------------------------
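The README's example workflow uploads thunderscan-sarif.json as an artifact and to code scanning, but nothing in the pipeline checks the report or fails the build on its findings. The following is an added example, not code from the thunderscan-action repository: a small gate script that can run as a step between the ThunderScan action and upload-sarif, validating that the file is SARIF 2.1.0 and failing the job when error-level results exceed a budget. The embedded report is a constructed sample, and the assumption that ThunderScan results carry a standard SARIF `level` is mine.

```python
# Added example (not thunderscan-action code): gate a CI job on the SARIF report
# before upload-sarif runs; assumes thunderscan-sarif.json is SARIF 2.1.0 with `level` set.
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed minimal SARIF 2.1.0 sample; the real ThunderScan report carries
# more rules, locations and properties than shown here.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ThunderScan"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Tainted input reaches a query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.php"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "xss", "level": "warning",
             "message": {"text": "Unescaped output"}},
            {"ruleId": "debug-code", "message": {"text": "Leftover debug call"}},
        ],
    }],
}

def validate_sarif(data):
    """Reject anything that is not a SARIF 2.1.0 object with a runs list."""
    if data.get("version") != "2.1.0" or not isinstance(data.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 report")
    return data

def count_by_level(sarif):
    """Tally results over all runs by level; SARIF treats a missing level as 'warning'."""
    counts = Counter()
    for run in sarif["runs"]:
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return dict(counts)

def passes(counts, max_errors=0):
    """Policy: pass only if error-level findings stay within the budget."""
    return counts.get("error", 0) <= max_errors

if __name__ == "__main__":  # usage: python sarif_gate.py thunderscan-sarif.json
    report = Path(sys.argv[1] if len(sys.argv) > 1 else "thunderscan-sarif.json")
    counts = count_by_level(validate_sarif(json.loads(report.read_text())))
    print(f"ThunderScan findings by level: {counts}")
    sys.exit(0 if passes(counts) else 1)
```

Run it as a `run:` step after the ThunderScan step; a non-zero exit stops the job before the report is uploaded, while the artifact step can still run with `if: always()` so the report remains available for triage.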