Integrating Conviso Platform with Github Actions
Introductionβ
With Conviso Platform integrated with Github Actions in your CI/CD Pipeline, you can automate and streamline your security processes, ensuring that your applications undergo thorough security assessments throughout the development lifecycle.
You can run the Conviso Platform AST (Application Security Testing). The tool offers Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review directly on your pipeline.
The security scans workflow is a docker image in this integration for all execution and connection with the Conviso Platform.
Prerequisitesβ
Before you can use Conviso Platform with Github Actions, you need to make sure that:
-
You have your API Key, a code that identifies you to Conviso Platform. Find yours using this tutorial.
-
You must also set an environment variable for the runner: CONVISO_API_KEY. This code tells Conviso Platform which account you are using. To do this on Github, you must:
- Go to your projectβs Settings > Secrets and Variables and expand the Actions section.
- Select New Repository Secret and fill in the details.
-
After creating a variable, you can use it in the
.ymlconfiguration file or job scripts.- To make the
.ymlfile, go to your repository page and click on βActionsβ and βset up a workflow yourselfβ:
- To make the
This will allow you to write the code we will use in this tutorial!
Usageβ
By the end of this tutorial, you will know how to:
- Perform a Conviso AST scan to analyze your application's security
- Run a scan exclusively using Conviso SAST
- Run a scan exclusively using Conviso SCA
- Trigger the workflow manually
- Scan after a pull request is merged
Learn more about Conviso Platform integrations!
Perform a Conviso AST scan to analyze your application's securityβ
Harness the power of Application Security Testing (AST) by incorporating the Conviso AST scan into your application's security analysis. This versatile tool combines Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Code Review capabilities, providing comprehensive security analysis directly within your pipeline.
Follow the steps below to integrate Conviso AST seamlessly into your pipeline, creating a comprehensive solution within your .yml file:
name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run AST
run: conviso ast run --vulnerability-auto-close
The identified vulnerabilities will be automatically sent to your Asset on Conviso Platform. Now you can use the Vulnerabilities resource to work on the correction flow.
Running the Conviso Containersβ
To perform the Conviso Containers, you can use the example configuration below:
name: CI
on:
workflow_dispatch:
push:
branches: [ main ]
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast:latest
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run AST
run: |
export DOCKER_BUILDKIT=1
export IMAGE_NAME="my-image"
export IMAGE_TAG="latest"
docker build -t $IMAGE_NAME:$IMAGE_TAG .
conviso container run "$IMAGE_NAME:$IMAGE_TAG"
If you'd like to scan a public image available on DockerHub, modify the configuration as shown below:
name: CI
on:
workflow_dispatch:
push:
branches: [ main ]
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast:latest
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run AST
run: |
export IMAGE_NAME="vulnerables/web-dvwa"
export IMAGE_TAG="latest"
docker pull $IMAGE_NAME:$IMAGE_TAG
conviso container run "$IMAGE_NAME:$IMAGE_TAG"
These are only examples. You are required to provide the image for scanning, and you can use alternative methods based on your environment.
The IMAGE_NAME and IMAGE_TAG are variables that should be adjusted based on your project. For example, you may want to name the image after your project or version it differently.
Run a scan exclusively using Conviso SASTβ
The steps below will show you what your .yml must have to perform Static Application Security Testing (SAST):
name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
conviso-sast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run SAST
run: conviso sast run
Run a scan exclusively using Conviso SCAβ
The steps below will show you what your .yml must have to perform Software Composition Analysis (SCA):
name: CI
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
conviso-sca:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run SCA
run: conviso sca run
Manually Triggering the Workflowβ
In addition to automated triggers, GitHub Actions workflows can be executed manually. This is particularly useful for running specific tests or scans on demand. Below are the steps to enable and use this feature:
Configuring the Workflow for Manual Executionβ
To allow manual execution of the workflow, you need to add the workflow_dispatch event to your .yml configuration file. Here's an example:
name: CI
on:
workflow_dispatch:
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast
env:
CONVISO_API_KEY: ${{ secrets.CONVISO_API_KEY }}
steps:
- uses: actions/checkout@v6
- name: Run AST
run: conviso ast run --vulnerability-auto-close
Running the Workflow Manuallyβ
- Navigate to your GitHub repository.
- Click on the Actions tab at the top of the repository page.
- Select the workflow you want to run from the list on the left.
- Click the Run workflow button at the top right of the page.
- Choose the branch or parameters (if applicable) and confirm.
After following these steps, the workflow will start executing.
Scanning After a Pull Request Is Mergedβ
The recommended trigger for Conviso AST is a push to your default branch, which is exactly what happens when a pull request is merged. This keeps the security state of your main branch continuously up to date β every change that reaches production code is scanned, with no redundant scans on intermediate feature branches.
Restrict the push trigger to your default branch (for example main) so the scan runs only on merges, not on every branch push:
name: Conviso AST
on:
push:
branches: [ main ]
jobs:
conviso-ast:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast:latest
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Run AST
run: conviso ast run --vulnerability-auto-close
We recommend using the :latest tag so every run picks up the most recent CLI release β including new analyzers, detection rules, and fixes β with no manual upgrades. Pin a specific version (for example convisoappsec/convisoast:3.0.8) only when you have a strict need for fully reproducible runs.
Pair this with a pull_request trigger (shown in the AST scan example above) to get feedback before merge, while the push trigger keeps your default branch authoritative after merge.
How to Configure Conviso AST and Security Gate with a Reusable Workflowβ
If you want to create a repository that works as a template so that other repositories can call its workflows, you can use a configuration like the one below.
Consumer Repositoryβ
In the repository that calls the reusable workflow (i.e., the consumer), you need to add a GitHub Actions workflow similar to the following:
name: CI
on:
push:
branches: [ staging ]
pull_request:
branches: [ staging ]
jobs:
run-conviso-ast:
uses: your-org/reusable-workflow/.github/workflows/main.yml@main
secrets:
CONVISO_API_KEY: ${{ secrets.CONVISO_API_KEY }}
You need to replace your-org/reusable-workflow/.github/workflows/main.yml@main with the path to your reusable workflow YAML file.
Reusable Workflow (Template Repository)β
In the template repository, where the reusable workflow is defined, add a workflow file similar to this:
on:
workflow_call:
secrets:
CONVISO_API_KEY:
description: 'API Key for Conviso Platform'
required: true
jobs:
conviso:
runs-on: ubuntu-latest
container:
image: convisoappsec/convisoast:latest
env:
CONVISO_API_KEY: ${{secrets.CONVISO_API_KEY}}
steps:
- uses: actions/checkout@v6
- name: Create Security Gate Rules File
run: |
cat <<EOF > security-gate.yml
rules:
- from: any
severity:
critical:
maximum: 50
EOF
- name: Run AST
run: conviso ast run --vulnerability-auto-close
- name: Run Security Gate
run: conviso vulnerability assert-security-rules --rules-file 'security-gate.yml'
Troubleshootingβ
Enabling External Actions for GitHub Actionsβ
If you encounter issues running workflows that rely on external actions, such as actions/checkout, ensure that your account or repository's settings allow the use of external actions.
More information here.
Supportβ
If you have any questions or need help using our product, please don't hesitate to contact our support team.
Contribute to the Docs
Found something outdated or missing? Help us improve the documentation with a quick suggestion or edit.
How to contributeResources
By exploring our content, you'll find resources that will enhance your understanding of the importance of a Security Application Program.
Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.
Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.