├── Dockerfile
├── action.yml
└── README.md

/Dockerfile:
--------------------------------------------------------------------------------
FROM public.ecr.aws/portswigger/dastardly:latest

# GitHub runs Docker container actions as the default Docker user (root) so the
# step can write into /github/workspace; override any USER set by the base image.
USER root
--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: 'Dastardly Scan Action'
description: 'Runs a Dastardly scan against a target site'
author: 'PortSwigger'
inputs:
  target-url:
    description: 'The full URL (including scheme) of the site to scan'
    required: true
  output-filename:
    description: 'The filename used for the scan report. This filepath relates to the Dastardly container, and will exist in the GitHub workspace (/github/workspace)'
    required: false
    default: dastardly-report.xml
runs:
  using: 'docker'
  image: 'Dockerfile'
  env:
    DASTARDLY_TARGET_URL: ${{ inputs.target-url }}
    DASTARDLY_OUTPUT_FILE: /github/workspace/${{ inputs.output-filename }}
branding:
  icon: 'activity'
  color: 'green'
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Dastardly Scan Action

This action runs a Dastardly vulnerability scan against a target site. On completion, a JUnit XML report is generated containing information about the vulnerabilities found, where they were located, additional information about each vulnerability, and links to our learning resources with suggestions on how to fix them.

## About Dastardly

[Dastardly](https://portswigger.net/burp/dastardly) is a free, lightweight web application security scanner for your CI/CD pipeline. It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development. Dastardly is based on the same scanner as [Burp Suite](https://portswigger.net/burp) (Burp Scanner).

For full documentation on using Dastardly, please consult the [Dastardly documentation](https://portswigger.net/burp/documentation/dastardly).

## Inputs

### `target-url`

**Required** The full URL (including scheme) of the site to scan.

### `output-filename`

**Optional** The name of the output report file. This will be stored in the `GITHUB_WORKSPACE` (`/github/workspace`) directory.

**Default** `dastardly-report.xml`

## Examples

Below are some examples of how to use the action by running a Dastardly scan against our very own [Gin and Juice Shop](https://ginandjuice.shop) site. This is a deliberately vulnerable web application designed for testing web vulnerability scanners.

### Basic Usage

```yaml
steps:
  - name: Run Dastardly Action Step
    uses: PortSwigger/dastardly-github-action@main
    with:
      target-url: 'https://ginandjuice.shop'
```

Note that `@main` tracks the latest commit of the action; if you need reproducible pipelines, pin the action to a release tag or commit SHA instead.

### Suggested Usage

Dastardly produces a JUnit XML report of the scan on completion. This report will only include vulnerability details if vulnerabilities were found by the scanner.

By default, if Dastardly finds any issue with a severity level of `MEDIUM` or `HIGH`, it will fail the workflow build.

This may be fine for your use case, but you may want to consider pairing this action with a JUnit XML parser that runs whether or not the Dastardly action step succeeded. You can do this by adding `continue-on-error: true` to the Dastardly action step, or by adding a condition for the parser to run regardless of success or failure. Be aware that `continue-on-error: true` means the Dastardly step itself no longer fails the job, so the parser step you pair it with must be the one that fails the workflow when the report contains failures; otherwise the `MEDIUM`/`HIGH` gate is lost.

```yaml
steps:
  - name: Run Dastardly Action Step
    continue-on-error: true # This allows subsequent steps to run even if this step fails
    uses: PortSwigger/dastardly-github-action@main
    with:
      target-url: 'https://ginandjuice.shop'

  # You can replace this next step with any JUnit XML parser of your choosing
  - name: Publish Test Report
    if: always() # Forces this step to always run
    uses: mikepenz/action-junit-report@v3
    with:
      report_paths: '**/dastardly-report.xml' # You need to update this path if you pass in a different output filename to the Dastardly action
      require_tests: true
```

We suggest passing `require_tests: true` to this parser so that your workflow will fail if it could not find your specified output file.

Documentation for the parser used in this example can be found [here](https://github.com/marketplace/actions/junit-report-action).
--------------------------------------------------------------------------------
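The report gate described above, as an added example that is not part of the PortSwigger action or of Dastardly: a small Python script that reads the JUnit XML report, lists each finding, and applies the same `MEDIUM`/`HIGH` gate, so it can stand in for the third-party parser step when the scan runs with `continue-on-error: true`. It relies only on the generic JUnit XML layout (`testsuites` > `testsuite` > `testcase` > `failure`); the sample report embedded below is constructed, and the `Severity:` prefix it reads from the failure `message` attribute is an assumption for this example, not Dastardly's documented report format, so adapt `severity_of` to the real report. Findings whose severity cannot be read fail the gate by default, so a schema change cannot silently turn the gate off.

```python
"""Gate a CI build on a Dastardly JUnit XML report (added example, not project code)."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Mirrors the action's default behaviour: MEDIUM or HIGH fails the build.
FAILING_SEVERITIES = frozenset({"MEDIUM", "HIGH"})

# Constructed sample in generic JUnit XML shape. The "Severity:" prefix in the
# failure message is an assumption made for this example, not Dastardly's schema.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://ginandjuice.shop" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="/catalog">
      <failure message="Severity: HIGH">Reflected input in the search parameter</failure>
    </testcase>
    <testcase name="Strict transport security not enforced" classname="/">
      <failure message="Severity: LOW">HSTS header missing</failure>
    </testcase>
    <testcase name="SQL injection" classname="/login"/>
  </testsuite>
</testsuites>
"""


@dataclass(frozen=True)
class Finding:
    name: str      # the check that failed
    location: str  # where the scanner reported it
    severity: str  # upper-cased, or UNKNOWN when it cannot be read
    detail: str    # free text from the <failure> element


def severity_of(message: str) -> str:
    """Read the severity after the assumed 'Severity:' marker; UNKNOWN if absent."""
    marker = "Severity:"
    if marker not in message:
        return "UNKNOWN"
    tail = message.split(marker, 1)[1].split()
    return tail[0].upper() if tail else "UNKNOWN"


def parse_report(xml_text: str) -> list[Finding]:
    """Return one Finding per <testcase> that carries a <failure> child."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # the check passed: nothing to report
        findings.append(Finding(
            name=case.get("name", "?"),
            location=case.get("classname", "?"),
            severity=severity_of(failure.get("message", "")),
            detail=(failure.text or "").strip(),
        ))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 1, 'LOW': 1}."""
    return dict(Counter(f.severity for f in findings))


def should_fail(findings: list[Finding], gate=FAILING_SEVERITIES,
                fail_on_unknown: bool = True) -> bool:
    """True if any finding is in the gate; unreadable severities fail closed."""
    return any(f.severity in gate or (fail_on_unknown and f.severity == "UNKNOWN")
               for f in findings)


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        path = Path(argv[1])
        if not path.is_file():  # same intent as require_tests: no report is a failure
            print(f"report not found: {path}", file=sys.stderr)
            return 2
        xml_text = path.read_text(encoding="utf-8")
    else:
        xml_text = SAMPLE_REPORT  # no path given: demonstrate on the constructed sample
    findings = parse_report(xml_text)
    for f in findings:
        print(f"[{f.severity}] {f.name} at {f.location}: {f.detail}")
    print("summary:", summarise(findings) or "no findings")
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this would replace the `Publish Test Report` step: a `run: python dastardly_gate.py dastardly-report.xml` step marked `if: always()` (the script name is hypothetical), exiting 1 when the gate trips and 2 when the report is missing, so either case fails the job.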