GitHub Actions
Note: First time using GitHub Actions? Please refer to the following documentation.
Introduction
This integration uses the CLI for all communication with Conviso Platform.
By the end of this tutorial you will know how to:
- Run a SAST scan
- Run an SCA scan
- Send code diffs to the Conviso Platform Code Review module
Requirements
- A GitHub account
- All GitHub-hosted runners are compatible; self-hosted runners need Docker installed in order to work.
- FLOW_API_KEY: the API key used to communicate with Conviso Platform
- FLOW_PROJECT_CODE: the ID of the application in Conviso Platform
- When using GitHub Enterprise Server, it needs to be version 3.0 or later.
Creating your pipeline
If you don't have a pipeline configured yet, open the Actions tab in your repository. It shows a variety of workflow templates compatible with your project.
For this integration, choose "set up a workflow yourself". You will be redirected to a text editor for .github/workflows/main.yml, where you configure the workflow using the information in the rest of this tutorial.
SAST
The following code snippet will trigger a SAST scan and send the results to Conviso Platform.
SCA
The following code snippet will trigger an SCA scan and send the results to Conviso Platform.
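As an added example (not the snippet from the original page), the workflow below covers both the SAST and the SCA sections: it runs the Conviso CLI from its Docker image in two jobs and reads FLOW_API_KEY and FLOW_PROJECT_CODE from repository secrets, so the credentials never appear in the workflow file. The image name `convisoappsec/flowcli` and the `conviso sast run` / `conviso sca run` subcommands are assumptions; confirm them against the current Conviso CLI documentation before use.

```yaml
# .github/workflows/main.yml (added example, not the page's own snippet)
name: Conviso Platform scans

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: scanning only needs to read the repository contents.
permissions:
  contents: read

env:
  # Both values come from repository secrets, never from the workflow text.
  FLOW_API_KEY: ${{ secrets.FLOW_API_KEY }}
  FLOW_PROJECT_CODE: ${{ secrets.FLOW_PROJECT_CODE }}

jobs:
  sast:
    runs-on: ubuntu-latest
    # Assumption: Docker image that ships the Conviso CLI. Running the job in a
    # container is why self-hosted runners need Docker installed.
    container: convisoappsec/flowcli
    steps:
      # Pin to a full commit SHA in production instead of a moving tag.
      - uses: actions/checkout@v4
      - name: Run SAST and send results to Conviso Platform
        run: conviso sast run   # assumption: CLI subcommand name

  sca:
    runs-on: ubuntu-latest
    container: convisoappsec/flowcli   # assumption: Conviso CLI image
    steps:
      - uses: actions/checkout@v4
      - name: Run SCA and send results to Conviso Platform
        run: conviso sca run    # assumption: CLI subcommand name
```

Workflow-level `env` is inherited by steps that run inside the job container, so the CLI sees both variables without them being echoed into logs. If a scan should block a pull request, keep the job required in branch protection rather than adding `continue-on-error`.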
Continuous Code Review
The following code snippet sends code diffs to the Conviso Platform Code Review module, so you can perform continuous code review assessments. There are three approaches, depending on how you work with your project. In a nutshell:
- Using tags, ordered by time
- Using tags, ordered by versioning style (semantic version)
- Without using tags, ordered by Git tree
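As an added example (not the snippet from the original page), the workflow below shows the three approaches side by side as alternative steps, with only the first one enabled. The `conviso deploy create with-tag-tracker sort-by time`, `... sort-by versioning-style` and `... without-tag-tracker` subcommands, and the `convisoappsec/flowcli` image, are assumptions to verify against the current Conviso CLI documentation. The `fetch-depth: 0` setting is the practical caveat: the default shallow checkout has neither the tags nor the earlier commits the CLI needs to compute the diff against the previous deploy.

```yaml
# .github/workflows/code-review.yml (added example, not the page's own snippet)
name: Conviso Platform code review

on:
  push:
    branches: [main]
    tags: ['*']   # tag-based approaches need the tag push itself to trigger a run

permissions:
  contents: read

env:
  FLOW_API_KEY: ${{ secrets.FLOW_API_KEY }}
  FLOW_PROJECT_CODE: ${{ secrets.FLOW_PROJECT_CODE }}

jobs:
  code-review:
    runs-on: ubuntu-latest
    container: convisoappsec/flowcli   # assumption: Conviso CLI image
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history and all tags; a shallow clone cannot be diffed
          # against the previous deploy.
          fetch-depth: 0

      # Enable exactly one of the three steps below.

      # 1. Tags, ordered by time: the most recent tag marks the previous deploy.
      - name: Send diff to Code Review (tags ordered by time)
        run: conviso deploy create with-tag-tracker sort-by time   # assumption

      # 2. Tags, ordered by semantic version.
      # - name: Send diff to Code Review (tags ordered by semver)
      #   run: conviso deploy create with-tag-tracker sort-by versioning-style   # assumption

      # 3. No tags: the previous deploy is tracked by commit on the branch.
      # - name: Send diff to Code Review (Git tree)
      #   run: conviso deploy create without-tag-tracker   # assumption
```

Choose the approach that matches how releases are cut: the semantic-version ordering is the safer choice when tags are occasionally created out of chronological order (hotfix tags on older branches), while the tag-less approach suits trunk-based projects where every push to the main branch is a deploy.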