Scan is now in maintenance mode. If you've just come across this project, then probably best to look at any alternatives. Read more here.
███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██║     ███████║██╔██╗ ██║
╚════██║██║     ██╔══██║██║╚██╗██║
███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝
Security Scan is a free and open-source security tool for modern DevOps teams. Its integrated multi-scanner design lets Scan detect many kinds of security flaws in your application and infrastructure code in a single fast scan, with no remote server required. The product supports a range of integration options, from scanning every push via a git hook to scanning every build and pull request in the CI/CD pipeline.
Simply add the following snippet to your GitHub Actions workflow.

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
```
To override the built-in language detection, use the `type` parameter.

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,java,depscan"
```
For a full example, refer to the workflow file used by Scan to scan itself.
The scan summary is printed directly in the action build log.
The action also produces HTML reports for the various scans. To upload the reports as build artifacts to your pipeline, use the upload-artifact step as shown:

```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,python"
  env:
    WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/upload-artifact@v1
  with:
    name: reports
    path: reports
```
In the above configuration, two environment variables are used to customise the behaviour:

- `WORKSPACE`: the repository URL at the scanned commit (`${{ github.sha }}`), used as the path prefix for source references in the reports.
- `GITHUB_TOKEN`: the workflow's token, required when using the Code Scanning feature on GitHub.

Scan can attempt to build certain project types automatically. Java, node.js, rust, go and csharp are currently supported. To enable auto-build, set the environment variable `SCAN_AUTO_BUILD` as shown:
```yaml
- name: Perform Scan
  uses: ShiftLeftSecurity/scan-action@master
  with:
    type: "credscan,python"
  env:
    WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SCAN_AUTO_BUILD: true
```
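The snippets above are fragments of a job. The following is an added example of a complete workflow that ties them together (it is not the project's own workflow file); it assumes the `type` input and the `WORKSPACE`, `GITHUB_TOKEN` and `SCAN_AUTO_BUILD` variables behave as described on this page, and the `actions/checkout@v3` and `actions/upload-artifact@v3` version tags are assumptions. The `permissions` block is GitHub's documented requirement for uploading Code Scanning results with the default token.

```yaml
# Added example workflow, not the scan-action project's own file.
# Assumes the inputs and env vars documented on this page; action version
# tags for checkout and upload-artifact are assumptions.
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the default GITHUB_TOKEN: reading the checkout is enough
# for the scan itself; security-events: write is what GitHub requires for
# uploading SARIF results to Code Scanning.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Scan needs the source tree on the runner (assumed checkout version)
      - uses: actions/checkout@v3

      - name: Perform Scan
        uses: ShiftLeftSecurity/scan-action@master
        with:
          # Override language detection: credential scan, Java and dependency scan
          type: "credscan,java,depscan"
        env:
          # URL prefix at this exact commit, so report findings resolve to file/line
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Let Scan build the Java project before analysing it
          SCAN_AUTO_BUILD: "true"

      - name: Upload reports
        if: always()   # keep the HTML reports even if the scan step fails the job
        uses: actions/upload-artifact@v3
        with:
          name: reports
          path: reports
```

`if: always()` on the upload step means the reports are retained precisely when you most want them, that is, when the scan step fails. The page's snippets reference the action as `@master`; pinning to a release tag or a full commit SHA is the usual supply-chain precaution for third-party actions, since a moving branch can change what runs in your pipeline without any change on your side.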
Please refer to the documentation on using ShiftLeft Scan in your pipelines.
The developers behind Scan are available on a dedicated Discord channel for questions and support. For defects, raising an issue on GitHub is best.