Bring VulnCheck into your CI/CD pipeline.
This Github Action uses the VulnCheck CLI to integrate security-related tasks into your CI/CD pipeline.
This example will scan for vulnerabilities and report them as a comment on a pull request
name: Scan with VulnCheck
on:
pull_request:
branches:
- main
permissions: write-all
jobs:
scan:
name: Scan with VulnCheck
runs-on: ubuntu-latest
steps:
- uses: vulncheck-oss/[email protected]
with:
command: scan
token: ${{ secrets.VC_TOKEN }}The only required parameter for any command is the token parameter. This is
your VulnCheck API token that can be created in hte portal.
Important
We recommend you store this token as a secret in either repository or organization.
The following are optional parameters that can be used with the scan command
| Name | Description | Default |
|---|---|---|
scan-path |
Path to the directory to scan | ./ |
scan-cvss-base-threshold |
CVSS base score threshold | 0 |
scan-cvss-temporal-threshold |
CVSS temporal score threshold | 0 |
scan-cve-details |
Include an annotation for every found CVE showing package type, cataloger, and locations | false |
Note
Specifying either a base or temporal threshold will change the pull request comments to split the vulnerabilities into two sections, the first will be results found above the threshold and the second will be results found below.
Below is an example output of annotations if scan-cve-details is se to true:
Notice: CVE-2021-23337 found in npm package lodash in /package-lock.json using javascript-lock-cataloger
Notice: CVE-2021-44906 found in npm package minimist in /package-lock.json using javascript-lock-cataloger
This action requires the write-all permission in order to comment pull
requests.
permissions: write-all