Integrating Conviso Platform with Github Actions

Introduction

With Conviso Platform integrated with Github Actions in your CI/CD Pipeline, you can automate and streamline your security processes, ensuring that your applications undergo thorough security assessments throughout the development lifecycle.

You can run the Conviso Platform AST (Application Security Testing). The tool offers Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review directly on your pipeline.

The CLI is a docker image in this integration for all execution and connection with the Conviso Platform.

Explore our Integration page to learn more and supercharge your Application Security Program with Conviso Platform.

Prerequisites

Before you can use Conviso Platform with Github Actions, you need to make sure that:

You have your API Key, a code that identifies you to Conviso Platform. Find yours using this tutorial.
You must also set an environment variable for the runner: CONVISO_API_KEY. This code tells Conviso Platform which account you are using. To do this on Github, you must:
- Go to your project’s Settings > Secrets and Variables and expand the Actions section.
- Select New Repository Secret and fill in the details.
After creating a variable, you can use it in the .yml configuration file or job scripts.
- To make the .yml file, go to your repository page and click on “Actions” and “set up a workflow yourself”:

This will allow you to write the code we will use in this tutorial!

Usage

By the end of this tutorial, you will know how to:

Perform a Conviso AST scan to analyze your application's security
Run a scan exclusively using Conviso SAST
Run a scan exclusively using Conviso SCA

Learn more about Conviso Platform integrations!

Perform a Conviso AST scan to analyze your application's security

Harness the power of Application Security Testing (AST) by incorporating the Conviso AST scan into your application's security analysis. This versatile tool combines Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review capabilities, providing comprehensive security analysis directly within your pipeline.

Follow the steps below to integrate Conviso AST seamlessly into your pipeline, creating a comprehensive solution within your .yml file:

name: CI
on:
 push:
   branches: [ main ]
 pull_request:
   branches: [ main ]

jobs:
 conviso-ast:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/convisocli
     env:
       CONVISO_API_KEY:  ${{secrets.CONVISO_API_KEY}}
   steps:
   - uses: actions/checkout@v4

   - name: Run AST
     run: conviso ast run

The identified vulnerabilities will be automatically sent to your Asset on Conviso Platform. Now you can use the Vulnerabilities resource to work on the correction flow.

Running the Conviso Containers

To perform the Conviso Containers, you can use the example configuration below:

name: CI
on:
 workflow_dispatch:
 push:
   branches: [ main ]
jobs:
 conviso-ast:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/convisocli:latest
     env:
       CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
   steps:
   - uses: actions/checkout@v4
   - name: Run AST
     run: |
          export DOCKER_BUILDKIT=1
          export IMAGE_NAME="my-image"
          export IMAGE_TAG="latest"
          docker build -t $IMAGE_NAME:$IMAGE_TAG .
          conviso container run "$IMAGE_NAME:$IMAGE_TAG"

If you'd like to scan a public image available on DockerHub, modify the configuration as shown below:

name: CI
on:
 workflow_dispatch:
 push:
   branches: [ main ]
jobs:
 conviso-ast:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/convisocli:latest
     env:
       CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
   steps:
   - uses: actions/checkout@v4
   - name: Run AST
     run: |
          export IMAGE_NAME="vulnerables/web-dvwa"
          export IMAGE_TAG="latest"
          docker pull $IMAGE_NAME:$IMAGE_TAG
          conviso container run "$IMAGE_NAME:$IMAGE_TAG"

note

These are only examples. You are required to provide the image for scanning, and you can use alternative methods based on your environment.

The IMAGE_NAME and IMAGE_TAG are variables that should be adjusted based on your project. For example, you may want to name the image after your project or version it differently.

Run a scan exclusively using Conviso SAST

The steps below will show you what your .yml must have to perform Static Application Security Testing (SAST):

name: CI
on:
 push:
   branches: [ main ]
 pull_request:
   branches: [ main ]

jobs:
 conviso-sast:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/convisocli
     env:
       CONVISO_API_KEY:  ${{secrets.CONVISO_API_KEY}}
   steps:
   - uses: actions/checkout@v4

   - name: Run SAST
     run: conviso sast run

Run a scan exclusively using Conviso SCA

The steps below will show you what your .yml must have to perform Software Composition Analysis (SCA):

name: CI
on:
 push:
   branches: [ master ]
 pull_request:
   branches: [ master ]

jobs:
 conviso-sca:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/convisocli
     env:
       CONVISO_API_KEY:  ${{secrets.CONVISO_API_KEY}}
   steps:
   - uses: actions/checkout@v4

   - name: Run SCA
     run: conviso sca run

Manually Triggering the Workflow

In addition to automated triggers, GitHub Actions workflows can be executed manually. This is particularly useful for running specific tests or scans on demand. Below are the steps to enable and use this feature:

Configuring the Workflow for Manual Execution

To allow manual execution of the workflow, you need to add the workflow_dispatch event to your .yml configuration file. Here's an example:

name: CI
on:
  workflow_dispatch:

jobs:
  conviso-ast:
    runs-on: ubuntu-latest
    container:
      image: convisoappsec/convisocli
      env:
        CONVISO_API_KEY: ${{ secrets.CONVISO_API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - name: Run AST
        run: conviso ast run

Running the Workflow Manually

Navigate to your GitHub repository.
Click on the Actions tab at the top of the repository page.
Select the workflow you want to run from the list on the left.
Click the Run workflow button at the top right of the page.
Choose the branch or parameters (if applicable) and confirm.

After following these steps, the workflow will start executing.

Troubleshooting

Enabling External Actions for GitHub Actions

If you encounter issues running workflows that rely on external actions, such as actions/checkout, ensure that your account or repository's settings allow the use of external actions. More information here.

Unlock the full potential of your Application Program with Conviso Platform integrations. Visit our Integration page now to get started.

Support

If you have any questions or need help using our product, please don't hesitate to contact our support team.

Resources

By exploring our content, you'll find resources to help you understand the benefits of the Conviso Platform integrations for Secure CI/CD Pipeline:

AppSec: Integrations with CI/CD tools through Conviso Platform: Follow this article to understand how we can integrate your main tools within a single platform.

Introduction​

Prerequisites​

Usage​

Perform a Conviso AST scan to analyze your application's security​

Running the Conviso Containers​

Run a scan exclusively using Conviso SAST​

Run a scan exclusively using Conviso SCA​

Manually Triggering the Workflow​

Configuring the Workflow for Manual Execution​

Running the Workflow Manually​

Troubleshooting​

Enabling External Actions for GitHub Actions​

Support​

Resources​