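├── .github └── workflows │ └── release.yml ├── LICENSE.txt ├── README.md ├── Security.md ├── VERSION ├── action.yml └── docs └── assets └── logo.png
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
# Release workflow: on every push to main, publish an immutable versioned
# release (tag taken from the VERSION file) and move the floating `latest`
# release/tag to the same commit.
name: Release

on:
  push:
    branches: [main]

# Least privilege: only what the steps below use. `contents: write` covers
# creating and deleting releases and tags through the GitHub API. No step
# requests an OIDC token, so `id-token: write` is not granted.
permissions:
  contents: write

jobs:
  github-release:
    name: "Release"
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: the action is referenced by a mutable major tag;
      # pinning to a full commit SHA is the stricter option.
      - name: "Checkout"
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          fetch-tags: true

      # The tag is derived from the VERSION file. Reject anything that is not
      # a plain version token so a malformed file cannot yield an odd tag name
      # or break the shell commands that use it below.
      - name: "Get version"
        id: get-version
        run: |
          version="$(tr -d '[:space:]' < VERSION)"
          if [[ ! "${version}" =~ ^[0-9A-Za-z][0-9A-Za-z._-]*$ ]]; then
            echo "::error::VERSION file does not contain a valid version token"
            exit 1
          fi
          echo "new_version=v${version}" >> "${GITHUB_OUTPUT}"

      # Versioned, immutable release for this commit. `gh` (already used by the
      # steps below) replaces the archived, unmaintained actions/create-release@v1.
      # Values reach the shell via env:, never via ${{ }} inside run:.
      - name: "Create versioned release"
        env:
          GH_TOKEN: ${{ github.token }}
          NEW_VERSION: ${{ steps.get-version.outputs.new_version }}
        run: |
          gh release create "${NEW_VERSION}" \
            --repo "${GITHUB_REPOSITORY}" \
            --target "${GITHUB_SHA}" \
            --title "Release ${NEW_VERSION}" \
            --generate-notes

      # `latest` is a floating tag that is force-moved to every main commit.
      # Consumers referencing `@latest` run whatever was released last; the
      # versioned tag above is the reproducible reference. Deleting a release
      # that does not exist yet (first run) is not an error.
      - name: "Delete latest"
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release delete "latest" --cleanup-tag --yes --repo "${GITHUB_REPOSITORY}" || true

      - name: "Create latest release"
        env:
          GH_TOKEN: ${{ github.token }}
          NEW_VERSION: ${{ steps.get-version.outputs.new_version }}
        run: |
          gh release create "latest" \
            --repo "${GITHUB_REPOSITORY}" \
            --target "${GITHUB_SHA}" \
            --title "Release latest" \
            --notes "Floating release tracking ${NEW_VERSION}." \
            --latest
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | MIT License 2 | 3 | Copyright (c) 2023 Seal Cybersecurity Solutions 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including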
without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Seal CLI Action 2 | 3 | The CLI action allows users to easily incorporate the [Seal CLI](https://github.com/seal-community/cli) into their GitHub Actions based CI pipeline. 4 | The Seal CLI allows users to easily replace vulnerable packages in their projects with sealed, vulnerability-free versions, which are available for download from Seal's artifact server. To read more see the [documentation](https://docs.sealsecurity.io/fundamentals/cli). 5 | 6 | ## Usage 7 | Incorporating the CLI action is very simple. Just add the following code immediately after pulling the packages (for example `npm install`) and before any other step. 8 | ```yml 9 | name: seal cli 10 | uses: seal-community/cli-action@latest 11 | with: 12 | mode: fix 13 | fix_mode: all 14 | token: 15 | project: 16 | ``` 17 | 18 | ## Flags 19 | `fix_mode`: If the `mode` is `fix`, then the `fix_mode` sets how the CLI decides what packages to fix. 
`local` only fixes packages according to the [local configuration file](https://docs.sealsecurity.io/fundamentals/cli/fixing-specific-packages), whereas `all` fixes everything that has an available sealed version. The default value is `local`. 20 | 21 | `mode`: The mode to run the CLI in. `scan` to analyze the dependencies and identify vulnerable packages. `fix` to replace vulnerable packages with their sealed versions. The default value is `scan`. 22 | 23 | `project`: The project ID, which uniquely identifies the project on the Seal platform. **If the project was already defined in the Seal platform (for example if its source code was scanned by the Seal app), then use the same ID here. Otherwise, the Seal platform will think this is a different project.** If the project does not already have a project ID, then explicitly set a new one here. The project ID must only include ASCII letters, digits, underscores, hyphens or periods, and mustn't be over 255 characters long. The default value is the empty string. 24 | 25 | `summary`: If the `mode` is `fix`, then the path to a summary file recording what packages were replaced. By default the file is not generated. 26 | 27 | `target`: The root directory of the project you wish to fix. By default the current working directory of the GitHub action. 28 | 29 | `token`: The authentication token to the Seal artifact server. 30 | 31 | `verbosity`: Sets the verbosity level of the CLI: `v`, `vv` or `vvv`. By default `v`. 32 | 33 | `version`: The CLI version to use, for example v0.1.0. By default the latest version will be used. 34 | 35 | ## How to Contribute 36 | We're always looking for feedback, to discuss possible integrations, and to receive feature requests. 37 | Please open issues, pull requests, or contact us at [contribute@seal.security](mailto:contribute@seal.security).
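38 | 39 | ## About Seal Security 40 | 41 | ![Seal Security Logo](docs/assets/logo.png) 42 | 43 | Seal Security is an early-stage cybersecurity startup committed to simplifying vulnerability remediation for developers and application security practitioners. For more details, visit our [website](https://seal.security). 44 | -------------------------------------------------------------------------------- /Security.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Reporting a Vulnerability 4 | 5 | If you find a vulnerability in our code please send the details to [security@seal.security](mailto:security@seal.security). 6 | Include as much information as possible to enable us to promptly reproduce the issue and release an appropriate fix. 7 | 8 | **Do not open a public issue, as it can affect the security of the existing userbase.** 9 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | 0.1.13 2 | -------------------------------------------------------------------------------- /action.yml: --------------------------------------------------------------------------------
# Composite action that downloads the Seal CLI release binary and runs it on
# the caller's project.
#
# Every user-controlled input reaches bash through `env:` and is referenced as
# a quoted shell variable. None is interpolated with `${{ }}` inside `run:`,
# so input values are data for the script rather than part of it.
name: "Seal CLI Action"

description: "Runs Seal CLI on a target directory"

author: "Seal Community"

branding:
  icon: "shield"
  color: "blue"

inputs:
  version:
    description: "CLI version to use, same as a tag - e.g. v0.1.0; empty will use latest"
    default: ""
  target:
    description: "Path to manifest file declaring the dependencies, such as 'requirements.txt', 'package-lock.json', etc."
    default: "./requirements.txt"
  mode:
    description: "Fix or scan; scan requires seal token as env"
    default: "scan"
  fix_mode:
    description: "local or all; fix according to the local config or fix everything"
    default: "local"
  verbosity:
    description: "Verbosity: v, vv, vvv"
    default: "v"
  summary:
    description: "Path to summary file, by default does not generate; only relevant for 'fix' mode"
    default: ""
  project:
    description: "Used as part of cli authentication for fix command, can be any* value"
    default: ""
  upload_scan_results:
    description: "Uploads the list of vulnerable packages to the Seal platform"
    default: "false"
  CLI_TOKEN:
    required: false  # required for fix mode
    description: "Authentication token to the seal artifact server"
  token:
    required: false  # required for fix mode. only one of CLI_TOKEN and token is required
    description: "Authentication token to the seal artifact server"

runs:
  using: "composite"
  steps:
    # Only a linux/amd64 binary is downloaded below; fail early elsewhere.
    - name: "Check runner OS"
      if: runner.os != 'Linux'
      shell: bash
      run: |
        echo "::error::Unsupported runner os: ${RUNNER_OS}"
        exit 1

    # Enumerated inputs are checked against their documented values before any
    # download happens. Offending values are printed with %q so a value
    # containing newlines cannot be mistaken for a workflow command.
    - name: "Validate inputs"
      shell: bash
      env:
        MODE: ${{ inputs.mode }}
        FIX_MODE: ${{ inputs.fix_mode }}
        VERBOSITY: ${{ inputs.verbosity }}
      run: |
        case "${MODE}" in
          scan|fix) ;;
          *) printf "error: mode must be 'scan' or 'fix', got %q\n" "${MODE}" >&2; exit 1 ;;
        esac
        if [[ "${MODE}" == "fix" ]]; then
          case "${FIX_MODE}" in
            local|all) ;;
            *) printf "error: fix_mode must be 'local' or 'all', got %q\n" "${FIX_MODE}" >&2; exit 1 ;;
          esac
        fi
        case "${VERBOSITY}" in
          v|vv|vvv) ;;
          *) printf "error: verbosity must be 'v', 'vv' or 'vvv', got %q\n" "${VERBOSITY}" >&2; exit 1 ;;
        esac

    # Fetches the release archive from the CLI repository. An empty `version`
    # means the latest release. Not concurrent-safe for multiple jobs sharing
    # the same RUNNER_TEMP.
    #
    # NOTE(review): the archive is extracted and executed without any checksum
    # or signature verification; GH_TOKEN only authenticates the download.
    - name: "Download CLI - Linux"
      id: download
      shell: bash
      if: runner.os == 'Linux'
      env:
        GH_TOKEN: ${{ github.token }}
        CLI_REPO: "seal-community/cli"
        CLI_VERSION: ${{ inputs.version }}
      run: |
        # Wildcard because the asset name carries the version.
        ZIP_PATTERN="seal-linux-amd64*.zip"
        DOWNLOAD_DIR="${RUNNER_TEMP}/seal-cli-download"
        rm -rf "${DOWNLOAD_DIR}"
        mkdir -p "${DOWNLOAD_DIR}"
        echo "Downloading ${ZIP_PATTERN} (version: ${CLI_VERSION:-latest}) from ${CLI_REPO}"
        if [[ -n "${CLI_VERSION}" ]]; then
          gh release download "${CLI_VERSION}" --repo "${CLI_REPO}" -p "${ZIP_PATTERN}" --dir "${DOWNLOAD_DIR}"
        else
          gh release download --repo "${CLI_REPO}" -p "${ZIP_PATTERN}" --dir "${DOWNLOAD_DIR}"
        fi
        # -o: never prompt on re-runs where the binary already exists.
        unzip -o "${DOWNLOAD_DIR}"/seal-linux-amd64*.zip -d "${RUNNER_TEMP}"
        echo "cli_path=${RUNNER_TEMP}/seal" >> "${GITHUB_OUTPUT}"
        "${RUNNER_TEMP}/seal" version

    # Builds the CLI argument list from the inputs and runs the binary.
    # Argument order matches the CLI's expectations:
    #   -<verbosity> <mode> [--mode <fix_mode>] [<target>] [--summarize <file>] [--upload-scan-results]
    - name: "Run CLI"
      shell: bash
      env:
        CLI_PATH: ${{ steps.download.outputs.cli_path }}
        MODE: ${{ inputs.mode }}
        FIX_MODE: ${{ inputs.fix_mode }}
        VERBOSITY: ${{ inputs.verbosity }}
        TARGET: ${{ inputs.target }}
        SUMMARY: ${{ inputs.summary }}
        UPLOAD_SCAN_RESULTS: ${{ inputs.upload_scan_results }}
        SEAL_PROJECT: ${{ inputs.project }}
        INPUT_TOKEN: ${{ inputs.token }}
        INPUT_CLI_TOKEN: ${{ inputs.CLI_TOKEN }}
      run: |
        echo "Running cli from ${CLI_PATH}"
        # `token` takes precedence over the older `CLI_TOKEN` input; both
        # empty means the CLI runs without a token. The token is masked so a
        # value passed as a plain string (not a repository secret) is still
        # redacted from the job log.
        SEAL_TOKEN="${INPUT_TOKEN:-${INPUT_CLI_TOKEN}}"
        if [[ -n "${SEAL_TOKEN}" ]]; then
          echo "::add-mask::${SEAL_TOKEN}"
        fi
        args=("-${VERBOSITY}" "${MODE}")
        if [[ "${MODE}" == "fix" ]]; then
          args+=("--mode" "${FIX_MODE}")
        fi
        # An empty target is omitted rather than passed as an empty argument.
        if [[ -n "${TARGET}" ]]; then
          args+=("${TARGET}")
        fi
        if [[ -n "${SUMMARY}" && "${MODE}" == "fix" ]]; then
          args+=("--summarize" "${SUMMARY}")
        fi
        if [[ "${UPLOAD_SCAN_RESULTS}" == "true" ]]; then
          args+=("--upload-scan-results")
        fi
        SEAL_TOKEN="${SEAL_TOKEN}" "${CLI_PATH}" "${args[@]}"
--------------------------------------------------------------------------------
/docs/assets/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seal-community/cli-action/67bb62017ae3d29ad02bc28e36fad4a003b8e680/docs/assets/logo.png
--------------------------------------------------------------------------------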