Checkmarx / 2ms

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git
Apache License 2.0

Add GitHub Actions Support to Checkmarx 2MS Tool #39

Open bryantschuck opened 1 year ago

bryantschuck commented 1 year ago

Description: The Checkmarx 2MS tool is a powerful secret leakage detection tool that helps developers identify sensitive data and other secrets that may have been unintentionally leaked within their code repositories. To integrate this tool effectively into the development workflow, we need to add support for GitHub Actions to Checkmarx 2MS.

Technical Details: To add GitHub Actions support to Checkmarx 2MS, we will create a custom action that can be used within GitHub workflows. This action will leverage the Checkmarx 2MS tool to scan a specified code repository for potential secret leakage issues and provide detailed results to the user. The action should be configurable, allowing users to specify the repository to scan, the API key to use for authentication, and any other relevant options.

Once the custom action is created, we can add it to the GitHub Marketplace, making it easily accessible for users. Additionally, we will provide documentation on how to integrate this action into existing workflows and best practices for using the Checkmarx 2MS tool for secret leakage detection within the GitHub ecosystem.

baruchiro commented 1 year ago

Depends on #30

kaplanlior commented 1 year ago

Can we integrate into https://github.com/Checkmarx/ast-github-action/ instead of maintaining yet another GH?

CC @pedrompflopes

baruchiro commented 1 year ago

@kaplanlior I see people using this tool freely in their indie projects, without being Checkmarx customers.

Having said that, we can guide them on how to use ast-github-action for only 2ms.

baruchiro commented 1 year ago

I'm suggesting waiting for #66

jossef commented 1 year ago

I suggest let's do both, 1) creating a GitHub action for 2ms 2) contributing a PR for ast-github-action with the additions

This will be flexible for all users.

kaplanlior commented 1 year ago

I talked with Pedro and he also thinks we should have our own github action for the open source project.

baruchiro commented 1 year ago

Two examples of implementing a GitHub Action based on Docker:

  1. ast-github-action
  2. kics-github-action

They both contain an entrypoint.sh file with a lot of code to handle action inputs, and I want to avoid that (but I'm not sure if I can). One option is to download 2ms from the release as an executable, instead of running it as a Docker container, but I'm not sure if it is the better way.

baruchiro commented 1 year ago

Regarding ast-github-action, talk with Pedro. Follow the kics-github-action flow.

baruchiro commented 1 year ago

Check the possibility of uploading a report to mark the secret on the code, like in Kics.

See why gitleaks is not using GitHub Code Scanning.

But we can do annotations like in Kics.
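
Taking the two comments above together (a thin entrypoint that maps action inputs onto the release binary, and annotations the way KICS does them), here is an added example of what such an entrypoint.sh could look like. It is not code from the 2ms project or from any of the actions mentioned. The binary location, the `git` subcommand's `--report-path`, `--stdout-format` and `--config` flags, and the JSON report layout read by `jq` are assumptions; `INPUT_<NAME>` environment variables and `::error` workflow commands are GitHub's documented conventions for Docker-based actions.

```shell
#!/bin/sh
# Added example, not code from the 2ms project: entrypoint.sh for a Docker-based
# GitHub Action that wraps a 2ms release binary. Assumed (not from the issue):
# the binary path, the "git" subcommand with --report-path/--stdout-format/--config,
# and the JSON report layout parsed by jq below. INPUT_<NAME> variables and
# "::error" workflow commands are GitHub's own conventions for Docker actions.
set -eu

TWOMS_BIN="${TWOMS_BIN:-/usr/local/bin/2ms}"   # assumed install location in the image

# Assemble and run the scan. $1 is the binary (pass "echo" to see the argv),
# $2 the path to scan, $3 the report file, $4 an optional config file.
run_scan() {
  bin=$1; path=$2; report=$3; config=${4:-}
  if [ -n "$config" ]; then
    "$bin" git "$path" --report-path "$report" --stdout-format json --config "$config"
  else
    "$bin" git "$path" --report-path "$report" --stdout-format json
  fi
}

# Workflow commands are one line each; a CR/LF smuggled into a path or rule
# name would otherwise let a finding inject its own commands into the log.
sanitize() { printf '%s' "$1" | tr -d '\r\n'; }

# Emit one annotation per finding: file, line and rule id only. The matched
# value is deliberately never printed, or the scan would re-leak the secret.
annotate() {
  file=$(sanitize "$1"); line=$(sanitize "$2"); rule=$(sanitize "$3")
  printf '::error file=%s,line=%s,title=2ms::Possible secret (rule %s)\n' "$file" "$line" "$rule"
}

main() {
  path="${INPUT_PATH:-.}"
  report="${INPUT_REPORT_PATH:-2ms-report.json}"
  config="${INPUT_CONFIG:-}"

  scan_status=0
  run_scan "$TWOMS_BIN" "$path" "$report" "$config" || scan_status=$?

  # Assumed report shape: {"results": {"<source>": [{"source", "startLine", "ruleId", ...}]}}
  findings=$(mktemp)
  jq -r '.results[][] | [.source, .startLine, .ruleId] | @tsv' "$report" > "$findings"
  tab=$(printf '\t')
  count=0
  while IFS="$tab" read -r file line rule; do
    annotate "$file" "$line" "$rule"
    count=$((count + 1))
  done < "$findings"
  rm -f "$findings"

  echo "2ms finished (exit $scan_status) with $count finding(s)"
  [ "$count" -eq 0 ] || exit 1   # fail the job when secrets were found
}

# The Dockerfile's ENTRYPOINT passes "run"; loading the file without it only
# defines the functions, which keeps them testable outside a container.
case "${1:-}" in run) main ;; esac
```

The accompanying Dockerfile would copy the downloaded release binary into the image and set `ENTRYPOINT ["/entrypoint.sh", "run"]`, and `action.yml` would declare `path`, `report-path` and `config` as inputs with `runs.using: docker`. Keeping the input handling to a handful of `INPUT_*` lookups is what avoids the large entrypoint scripts mentioned above, and the annotation deliberately carries only the rule id and location, since echoing the matched value would copy the secret into the workflow log.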

baruchiro commented 1 year ago

Should be assigned to @ShimonMizrahi