Skip to content

ca-risken/security-review

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace
BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

82 Commits
.github/workflows
.github/workflows
 
 
image
image
 
 
pkg
pkg
 
 
test
test
 
 
.env.sample
.env.sample
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
action.yaml
action.yaml
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

security-review

Security Code Review using GitHub Actions 🤖.

  • SecretScanning: Scan for sensitive information committed to source code.
  • CodeScanning: Perform static analysis of source code to identify problem areas.
  • Comment: Put review comments on PRs.

image

This tool allows you to shift-left security in your development environment💪

Usage

Create workflow yaml (.github/workflows/security-review.yaml) on your repository.

name: Security Code Review on PR
on:
  pull_request:
    branches:
      - main
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write # risken review needs this permission to create a comment on the PR

    steps:
      - uses: actions/checkout@v4
      - uses: ca-risken/security-review@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Integrate RISKEN

RISKEN is a platform for collecting security issues; Findings detected by Actions can be linked to the RISKEN environment for issue management, alerting, information sharing to the team, and analysis results from the generated AI.

- uses: ca-risken/security-review@v1
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    risken_console_url: ${{ env.RISKEN_CONSOLE_URL }}
    risken_api_endpoint: ${{ env.RISKEN_API_ENDPOINT }}
    risken_api_token: ${{ secrets.RISKEN_API_TOKEN }}
Pameters Description Required Default Examples
risken_console_url RISKEN Console URL no https://console.your-env.com
risken_api_endpoint RISKEN API Endpoint no https://api.your-env.com
risken_api_token RISKEN API Token no xxxxx

Other Options

- uses: ca-risken/security-review@v1
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    options: '--no-pr-comment --error'
Pameters Description Required Default Examples
--no-pr-comment If true, do not post PR comments (default: false) no false
--error Exit 1 if there are finding (default: false) no false

Test on local

Command Line Usage

$ go run main.go --help
risken-review command is a GitHub Custom Action to review pull request with Risken

Usage:
  risken-review [flags]

Flags:
      --error                        Exit 1 if there are findings (optional)
      --github-event-path string     GitHub event path
      --github-token string          GitHub token
      --github-workspace string      GitHub workspace path
  -h, --help                         help for risken-review
      --no-pr-comment                If true, do not post PR comments (optional)
      --risken-api-endpoint string   RISKEN API endpoint (optional)
      --risken-api-token string      RISKEN API token for authentication (optional)
      --risken-console-url string    RISKEN Console URL (optional)

Use Docker

Preparation

$ cp .env.sample .env
$ vi .env # fix your token

Run docker

$ make run

See your test comment

#1

Push image for v1

$ make push TAG=v1

About

RISKEN Security Code Review using GitHub Actions.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 6

v1 Latest
Jan 10, 2024
+ 5 releases

Packages

No packages published

Languages