SecureCodeWarrior/github-action-add-sarif-contextual-trainingPublic

NotificationsYou must be signed in to change notification settings
Fork7
Star22

GitHub Action for adding contextual training material to SARIF files

License

MIT license

22 stars 7 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Use this GitHub action with your project

Add this Action to an existing workflow or create a new one

View on Marketplace

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 89 Commits
.github		.github
.jest		.jest
dist		dist
fixtures		fixtures
referenceSearchers		referenceSearchers
sarifProcessors		sarifProcessors
test-resources		test-resources
.eslintignore		.eslintignore
.eslintrc.json		.eslintrc.json
.gitattributes		.gitattributes
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
action.yml		action.yml
clilauncher.js		clilauncher.js
clilauncher.test.js		clilauncher.test.js
directLinking.js		directLinking.js
index.js		index.js
jest.config.js		jest.config.js
languageResolver.js		languageResolver.js
languageResolver.test.js		languageResolver.test.js
logger.js		logger.js
package-lock.json		package-lock.json
package.json		package.json
runner.js		runner.js
sarifLoader.js		sarifLoader.js
sarifLoader.test.js		sarifLoader.test.js

Repository files navigation

GitHub Action

This GitHub Action adds Secure Code Warrior contextual application security training material to SARIF files. This training material will be displayed within Code Scanning alerts if the resulting SARIF file is imported using thegithub/codeql-action/upload-sarif Action, and includes links to secure coding exercises and short explainer videos where available.

This Action currently supports adding training material based on CWE references (e.g. CWE 89) and common vulnerability phrases (e.g. use-after-free vulnerability) included in static analysis findings.

Usage

Individual SARIF file

steps:# Fetch SARIF - for example:# - Checkout the repository using `actions/checkout` if the SARIF file is committed. This example assumes the SARIF file is located at `sarif/findings.sarif` within the repository.#     - name: Checkout repository#       uses: actions/checkout@v2# - Fetch the SARIF file from your SAST tool. The vendor may already have a GitHub Action for this. This example assumes the SARIF file is fetched and saved to `sarif/findings.sarif`.#     - name: Download SARIF#       uses: vendor/sast-tool-sarif@v1#       with:#         user: ${{ secrets.USER }}#         key: ${{ secrets.KEY }}#         scan-id: ${{ secrets.SCAN_ID }}#         output-file: sarif/findings.sarif# - Convert a SAST tool report into SARIF. The vendor may already have a GitHub Action or script for this. This example assumes the converted SARIF file is located at `sarif/findings.sarif`.#     - name: Convert report to SARIF#       uses: vendor/sast-tool-sarif-converter@v1#       with:#         report-file: reports/sast-scan.xml#         output-file: sarif/findings.sarif      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:sarif/findings.sarifoutputSarifFile:sarif/findings.processed.sarifgithubToken:${{ secrets.GITHUB_TOKEN }}      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:sarif/findings.processed.sarif

Multiple SARIF files using glob path

steps:# Fetch SARIF - see additional examples above      -name:Download SARIFuses:vendor/sast-tool-sarif@v1with:user:${{ secrets.USER }}key:${{ secrets.KEY }}scan-id:${{ secrets.SCAN_ID }}output-dir:./sarifs# in this example we assume the tool outputs multiple SARIF files as .json files      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:./sarifs/*.jsonoutputSarifFile:./processed-sarifsgithubToken:${{ secrets.GITHUB_TOKEN }}      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:./processed-sarifs

Multiple SARIF files in directory

steps:# Fetch SARIF - see additional examples above      -name:Download SARIFuses:vendor/sast-tool-sarif@v1with:user:${{ secrets.USER }}key:${{ secrets.KEY }}scan-id:${{ secrets.SCAN_ID }}output-dir:./sarifs# in this example we assume the tool outputs multiple SARIF files in nested directories within the specified output directory      -name:Add SCW Traininguses:SecureCodeWarrior/github-action-add-sarif-contextual-training@v1with:inputSarifFile:./sarifsoutputSarifFile:./processed-sarifsgithubToken:${{ secrets.GITHUB_TOKEN }}      -name:Import Resultsuses:github/codeql-action/upload-sarif@v3with:sarif_file:./processed-sarifs

Inputs

`inputSarifFile`

The SARIF file(s) to add Secure Code Warrior contextual training material to. This can be a path to a single file (e.g../findings.sarif), a glob path (e.g../scans/**/*.sarif) or a directory (d.g../scans), in which case all.sarif files recursively in the specified directory will be processed.Default value:./findings.sarif

`outputSarifFile`

The output path of the resulting SARIF file(s) with Secure Code Warrior contextual training material appended. If a glob path or a directory was provided as theinputSarifFile input then the resulting SARIF files will be output to the./processed-sarifs directory, which can then simply be the path provided in thesarif_file input of thegithub/codeql-action/upload-sarif action.Default value:./findings.processed.sarif

`githubToken` (optional)

Provide${{ secrets.GITHUB_TOKEN }} to use the GitHub access token automatically supplied by GitHub Workflows. This enables language-specific training links to be generated (where available) by fetching the repository language from the GitHub API.

About

GitHub Action for adding contextual training material to SARIF files

Releases20

Minor update Latest

Jul 31, 2024

+ 19 releases

Packages

No packages published

Contributors5

Languages

JavaScript100.0%

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

License

Folders and files

Latest commit

History

Repository files navigation

GitHub Action

Usage

Individual SARIF file

Multiple SARIF files using glob path

Multiple SARIF files in directory

Inputs

`inputSarifFile`

`outputSarifFile`

`githubToken` (optional)

About

Resources

License

Stars

Watchers

Forks

Releases20

Packages

Contributors5

Languages

Movatterモバイル変換

License

SecureCodeWarrior/github-action-add-sarif-contextual-training

Folders and files

Latest commit

History

Repository files navigation

GitHub Action

Usage

Individual SARIF file

Multiple SARIF files using glob path

Multiple SARIF files in directory

Inputs

inputSarifFile

outputSarifFile

githubToken (optional)

About

Resources

License

Stars

Watchers

Forks

Releases20

Packages0

Contributors5

Languages

`inputSarifFile`

`outputSarifFile`

`githubToken` (optional)

Packages