Github Actions

note

First time using Github Actions? Please refer to the following documentation.

Introduction#

This integration uses the CLI for all communication with AppSec Flow.
By the end of this tutorial you will know how to:

Run a SAST scan
Run a SCA scan
Send diff code to Flow's Codereview Security module.

Requirements#

A Github account
All runners hosted by Github are compatible, but if you are using self-hosted runners they need to have Docker installed in order to work.
FLOW_API_KEY: This is the API key to communicate with AppSec Flow
FLOW_PROJECT_CODE: This is the ID of the application in AppSec Flow
When using Github Enterprise Server it need to be run version 3.0 or later

Creating your pipeline#

If you don't have a pipeline configured, you need to access Actions tab in your repository. It will show a variety of different compatibles options for your project.
For this integration choose set up a workflow yourself. You will be redirected to a text editor page .github/workflows/main.yml where you are going to configure it using the following information in this tutorial.

SAST#

The following code snippet will trigger a SAST scan and send the results to Flow.

name: CI
on:
 push:
   branches: [ master ]
 pull_request:
   branches: [ master ]

jobs:
 conviso-sast:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/flowcli
     env:
       FLOW_API_KEY:  ${{secrets.FLOW_API_KEY}}
       FLOW_PROJECT_CODE: "<project code>"
   steps:
   - uses: actions/checkout@v2

   - name: Run SAST
     run: flow sast run

SCA#

The following code snippet will trigger a SCA scan and send the results to Flow.

name: CI
on:
 push:
   branches: [ master ]
 pull_request:
   branches: [ master ]

jobs:
 conviso-sca:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/flowcli
     env:
       FLOW_API_KEY:  ${{secrets.FLOW_API_KEY}}
       FLOW_PROJECT_CODE: "<project code>"
   steps:
   - uses: actions/checkout@v2

   - name: Run SCA
     run: flow sca run

Continuous Codereview#

The following code snippet will send diff code to Flow's security Codereview module so you can perform a continuous codereview assessment. There are three approaches depending on how you work with your project. In a nutshell:

Using Tags, ordered by time
Using Tags, ordered by versioning style (semantic version)
Without using Tags, ordered by Git tree

name: CI
on:
 push:
   branches: [ master ]
 pull_request:
   branches: [ master ]

jobs:
 conviso-cr:
   runs-on: ubuntu-latest
   container:
     image: convisoappsec/flowcli
     env:
       FLOW_API_KEY:  ${{secrets.FLOW_API_KEY}}
       FLOW_PROJECT_CODE: "<project code>"
   steps:
    - uses: actions/checkout@v2

    - name: codereview
      #Please use only one of the following approaches in the same job

      #Using Tags, ordered by time
      run: flow deploy create with tag-tracker sort-by time
      #Using Tags, ordered by versioning style (semantic version)
      run: flow deploy create with tag-tracker sort-by versioning-style
      #Without using Tags, ordered by Git tree
      run: flow deploy create with values