Integrating Conviso Platform with Github Actions
Introduction
With Conviso Platform integrated with Github Actions in your CI/CD Pipeline, you can automate and streamline your security processes, ensuring that your applications undergo thorough security assessments throughout the development lifecycle.
You can run the Conviso Platform AST (Application Security Testing). The tool offers Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review directly on your pipeline.
The CLI is a docker image in this integration for all execution and connection with the Conviso Platform.
Prerequisites
Before you can use Conviso Platform with Github Actions, you need to make sure that:
You have your API Key, a code that identifies you to Conviso Platform. Find yours using this tutorial.
You must also set two environment variables for the runner: FLOW_API_KEY and FLOW_PROJECT_CODE. These codes tell Conviso Platform which project and account you are using. To do this on Github, you must:
- Go to your project’s Settings > Secrets and Variables and expand the Actions section.
- Select New Repository Secret and fill in the details.
After creating a variable, you can use it in the
.ymlconfiguration file or job scripts.- To make the
.ymlfile, go to your repository page and click on “Actions” and “set up a workflow yourself”:
- To make the
This will allow you to write the code we will use in this tutorial!
Usage
By the end of this tutorial, you will know how to:
- Perform a Conviso AST scan to analyze your application's security
- Run a scan exclusively using Conviso SAST
- Run a scan exclusively using Conviso SCA
Learn more about Conviso Platform integrations!
Perform a Conviso AST scan to analyze your application's security
Harness the power of Application Security Testing (AST) by incorporating the Conviso AST scan into your application's security analysis. This versatile tool combines Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review capabilities, providing comprehensive security analysis directly within your pipeline.
Follow the steps below to integrate Conviso AST seamlessly into your pipeline, creating a comprehensive solution within your .yml file:
name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisocli
env:
FLOW_API_KEY: ${{secrets.CONVISO_API_KEY}}
FLOW_PROJECT_CODE: "<project code>"
steps:
- uses: actions/checkout@v3
- name: Run AST
run: conviso ast run
Note: To scan your repository with AST, you need to have a project registered on Conviso Platform. The "Project Code" is found on the specific project page. You also need your API Key, which you can find using this tutorial.
The identified vulnerabilities will be automatically sent to your Project on Conviso Platform. Now you can use the Vulnerabilities Management resource to work on the correction flow.
Run a scan exclusively using Conviso SAST
The steps below will show you what your .yml must have to perform Static Application Security Testing (SAST):
name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
conviso-sast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisocli
env:
FLOW_API_KEY: ${{secrets.CONVISO_API_KEY}}
FLOW_PROJECT_CODE: "<project code>"
steps:
- uses: actions/checkout@v3
- name: Run SAST
run: conviso sast run
Run a scan exclusively using Conviso SCA
The steps below will show you what your .yml must have to perform Software Composition Analysis (SCA):
name: CI
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
conviso-sca:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisocli
env:
FLOW_API_KEY: ${{secrets.CONVISO_API_KEY}}
FLOW_PROJECT_CODE: "<project code>"
steps:
- uses: actions/checkout@v3
- name: Run SCA
run: conviso sca run
Support
If you have any questions or need help using our product, please don't hesitate to contact our support team.
Resources
By exploring our content, you'll find resources to help you understand the benefits of the Conviso Platform integrations for Secure CI/CD Pipeline:
AppSec: Integrations with CI/CD tools through Conviso Platform: Follow this article to understand how we can integrate your main tools within a single platform.
