A GitHub Action to analyze your security requirements that are represented in the form of GitHub Issues. If Action classifies Issue as a security requirement, then it sets a label on it. Additionally, it recommends Security Technical Implementation Guides(STIGs) that cover the requirement. Moreover, it suggests already implemented tests on the recommended STIGs from RQCODE repository. In case of tests absence on proposed STIGs, automatically creates Issue in RQCODE repository asking to implement it.
You can use the Security Requirement Analysis GitHub Action in a GitHub Actions Workflow by configuring a YAML-based workflow file, e.g. .github/workflows/security-requirement.yaml
, with the following:
name: Analyse security requirement
on:
# triggers on Issue opened event
issues:
types:
- opened
jobs:
label:
runs-on: ubuntu-latest
name: Find out if Issue is security requirement
steps:
- uses: actions/checkout@v3
- uses: VeriDevOps/security-issue-classification@main
name: Label an issue, suggest STIGs and Tests
with:
rqcode-token: ${{ secrets.RQCODE_TOKEN }}
rqcode-token
Required. A GitHub access token (PAT) with public_repo access in the repo scope. NOTE. The automatically provided token e.g. ${{ secrets.GITHUB_TOKEN }}
can not be used, GitHub prevents this token from being able to create issues in other repositories(in our case, RQCODE repository). The reasons are explained in the GitHub Community Forum.
The solution is to manually create a PAT and store it as a secret e.g. ${{ secrets.RQCODE_TOKEN }}
label
Optional. The label to mark issue as security requirement. Default: 'security'
stigs-comment
Optional. Enable STIGs and tests suggestion from RQCODE repository through issue commenting. Default: 'true'
token
Optional. A github token used for creating an octoclient for making API calls for labeling and commenting Issues. If you want to use another user, you can specify its token. Default: ${{ github.token }}
username
Required. Username to sign-up in ARQAN microservice. Provide a unique username for ARQAN service in ${{ secrets.ARQAN_USER }}
.
password
Required. Password to sign-up in ARQAN microservice. Provide a secure password for ARQAN service in ${{ secrets.ARQAN_PASS }}
.
Contributions are welcome! See CONTRIBUTING.md for step-by-step instructions.
If you need help or have a question, let us know via a GitHub issue with type Question
.
This project is licensed under the Apache License - see the LICENSE file for details.