First time using Github Actions? Please refer to the following documentation.
This integration uses the CLI for all communication with AppSec Flow.
By the end of this tutorial you will know how to:
- Run a SAST scan
- Run a SCA scan
- Send diff code to Flow's Codereview Security module.
- A Github account
- All GitHub-hosted runners are compatible; self-hosted runners must have Docker installed for the integration to work.
- FLOW_API_KEY: This is the API key to communicate with AppSec Flow
- FLOW_PROJECT_CODE: This is the ID of the application in AppSec Flow
- When using GitHub Enterprise Server, it needs to be running version 3.0 or later.
If you don't have a pipeline configured yet, open the Actions tab of your repository. It shows a variety of workflow templates compatible with your project.
For this integration, choose "set up a workflow yourself". You will be redirected to a text editor for the file
.github/workflows/main.yml, which you will configure using the information in this tutorial.
The following code snippet will trigger a SAST scan and send the results to Flow.
The following code snippet will trigger a SCA scan and send the results to Flow.
The following code snippet will send diff code to Flow's Codereview Security module so you can perform a continuous code review assessment. There are three approaches, depending on how you work with your project. In a nutshell:
- Using Tags, ordered by time
- Using Tags, ordered by versioning style (semantic version)
- Without using Tags, ordered by Git tree
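The three approaches above differ only in how the "previous" reference is chosen before the diff is produced. The script below is an added illustration, not code from Conviso or this tutorial: it picks the base reference for each strategy (skipping a tag that points at the current commit, so a release tagged on HEAD does not yield an empty diff), writes the diff to a file, and checks that the two secrets the tutorial requires are present. It assumes a checkout with full history (`actions/checkout` with `fetch-depth: 0`); the actual CLI command that uploads the diff to Flow is not shown here. The `FLOW_DIFF_STRATEGY` variable and the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the tutorial or the Flow integration.
# Assumes: run inside a git checkout with full history; the upload step
# (Flow CLI) is out of scope and is not invoked here.

# Print the ref to diff HEAD against for a given strategy, or fail if none.
#   $1 = tag-time | tag-semver | tree
diff_base() {
  case "$1" in
    tag-time)
      # Tags ordered by creation time, newest first (lightweight tags use the commit date).
      git tag --sort=-creatordate | first_not_head ;;
    tag-semver)
      # Tags ordered by version sort: v1.10.0 ranks above v1.9.0, unlike a plain text sort.
      git tag --sort=-v:refname | first_not_head ;;
    tree)
      # No tags: diff against the parent commit in the git tree.
      git rev-parse --verify -q 'HEAD~1' ;;
    *)
      echo "unknown strategy: $1" >&2
      return 2 ;;
  esac
}

# Read candidate refs from stdin; print the first that does not point at HEAD.
first_not_head() {
  head_sha=$(git rev-parse HEAD)
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    if [ "$(git rev-parse "$ref^{commit}")" != "$head_sha" ]; then
      printf '%s\n' "$ref"
      return 0
    fi
  done
  echo "no earlier ref found for this strategy" >&2
  return 1
}

# Write the diff that would be submitted for review.
#   $1 = strategy, $2 = output file
write_review_diff() {
  base=$(diff_base "$1") || return 1
  git diff "$base" HEAD > "$2"
}

# Fail early if the secrets the integration needs are not exported to the job.
require_flow_secrets() {
  for name in FLOW_API_KEY FLOW_PROJECT_CODE; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required secret: $name" >&2
      return 1
    fi
  done
}

# Usage (only when FLOW_DIFF_STRATEGY is set, e.g. from the workflow's env:):
if [ -n "${FLOW_DIFF_STRATEGY:-}" ]; then
  require_flow_secrets
  write_review_diff "$FLOW_DIFF_STRATEGY" review.diff
  echo "diff written to review.diff ($(wc -l < review.diff) lines)"
fi
```

In a workflow, the secrets are passed as `env:` entries from `secrets.FLOW_API_KEY` and `secrets.FLOW_PROJECT_CODE`; `require_flow_secrets` only verifies they reached the job and never prints their values. Keeping the base-selection logic in a single function makes it easy to audit which commits end up in the review diff for each strategy.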