veracode / veracode-uploadandscan-action

This action uploads and scans code to Veracode for a static policy (or sandbox) scan.
MIT License
30 stars 29 forks

do not hide API ID #41

Closed swiewiora closed 1 year ago

swiewiora commented 1 year ago

This pull request logs the API ID (vid) parameter in order to simplify troubleshooting of common authentication and access issues.

VERACODE_API_ID in example workflows main.yml and policyscan.yml are moved from secrets to variables.

Required Information
====================
appname: swiewiora/veracode-uploadandscan-action
createprofile: false
filepath: binaries_to_upload/*.jar
version: 5467649408
vid: ceabac4a1736896a699eb5537ab658af
vkey: ***

...

java -jar VeracodeJavaAPI.jar \
        -filepath binaries_to_upload/*.jar \
        -version "5467649408" \
        -action "uploadandscan" \
        -appname "swiewiora/veracode-uploadandscan-action" \
        -vid "ceabac4a1736896a699eb5537ab658af" \
        -vkey "***" \
        -createsandbox="true" \
        -sandboxname "Github - refs/heads/fix/vid" \
        -scantimeout "15" \
        -autoscan "true" \
        -criticality "VeryHigh" \
        -createprofile "false" \

julz0815 commented 1 year ago

The API ID is the first part of the user's credentials; I would not suggest displaying them at all. At least not in any automated way. Maybe for debugging that is interesting to see, but I would always choose credentials to be a secret.
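The two comments above pull in opposite directions: a visible API ID helps diagnose which credential a failing job used, while printing half of a credential pair in a CI log is a habit reviewers rightly dislike. The following Python is an added illustration, not code from this action or from Veracode, of a middle ground: the wrapper builds the same `VeracodeJavaAPI.jar` command line the log shows, then produces a copy for logging in which `-vkey` is fully masked and `-vid` is reduced to its last four characters, enough to tell two IDs apart without disclosing either. Both the `-vid value` and `-vid=value` switch forms are handled, since the log uses both styles (`-createsandbox="true"`). The credential values and repository name are constructed placeholders, and `build_argv` is a hypothetical helper that only covers the switches shown in the PR's output.

```python
"""Build the VeracodeJavaAPI.jar command line and a redacted copy for CI logs.

Added example (not the action's own code). Credential values below are
constructed placeholders, not real Veracode credentials.
"""
import shlex

# Switches whose value is part of the credential pair.
FULLY_MASKED = {"-vkey"}      # the API key is never written to a log
PARTIALLY_MASKED = {"-vid"}   # the API ID is logged as a short fingerprint


def fingerprint(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters.

    Two different IDs still look different in a log, but neither can be
    recovered from it. Values too short to keep anything are masked whole.
    """
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def mask_value(switch: str, value: str) -> str:
    """Return the log-safe form of `value` for the given switch."""
    if switch in FULLY_MASKED:
        return "***"
    return fingerprint(value)


def build_argv(vid, vkey, appname, filepath, version, createprofile=False):
    """Hypothetical helper: assemble the uploadandscan command line."""
    return [
        "java", "-jar", "VeracodeJavaAPI.jar",
        "-action", "uploadandscan",
        "-appname", appname,
        "-filepath", filepath,
        "-version", version,
        "-vid", vid,
        "-vkey", vkey,
        "-createprofile", "true" if createprofile else "false",
    ]


def redact_argv(argv):
    """Return a copy of argv that is safe to print in a CI log.

    Handles both `-vid VALUE` and `-vid=VALUE`; every other token is copied
    through unchanged.
    """
    out = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        name, _, inline_val = tok.partition("=")
        has_inline = tok.startswith("-") and "=" in tok
        if name in FULLY_MASKED or name in PARTIALLY_MASKED:
            if has_inline:
                out.append(f"{name}={mask_value(name, inline_val)}")
                i += 1
            elif i + 1 < len(argv):
                out.extend([name, mask_value(name, argv[i + 1])])
                i += 2
            else:
                out.append(tok)  # switch with no value: nothing to hide
                i += 1
            continue
        out.append(tok)
        i += 1
    return out


def loggable_command(argv) -> str:
    """Shell-quoted, redacted command line suitable for a job log."""
    return shlex.join(redact_argv(argv))


if __name__ == "__main__":
    # Constructed sample values (not real credentials).
    cmd = build_argv(
        vid="0123456789abcdef0123456789abcdef",
        vkey="constructed-api-key-placeholder",
        appname="example-org/example-repo",
        filepath="binaries_to_upload/*.jar",
        version="5467649408",
    )
    print(loggable_command(cmd))
```

In a GitHub Actions step the redacted string is what you would `echo`; the real `argv` list goes straight to `subprocess.run`, so the unmasked values never pass through the log at all.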