Skip to content
whitesource

GitHub Action

GP Security Scan

19.10.2 Latest version

GP Security Scan

whitesource

GP Security Scan

Scan packages and Docker images uploaded to GitHub Packages

Installation

Copy and paste the following snippet into your .yml file.

              

- name: GP Security Scan

uses: whitesource/[email protected]

Learn more about this action in whitesource/GitHubPackagesSecurityAction

Choose a version

Whitesource GP Security Action

This action is designed to run as part of the workflow registry_package triggered event.

It scans the published/updated Docker image in GP and reports back with found security vulnerabilities and license information.

Usage

See action.yml

Input Parameters

gp-token: GitHub personal access token with read/write privileges to GP. This parameter must be a repository secret. Required parameter.

ws-destination-url: WhiteSource environment destination url. Required parameter.

ws-api-key: WhiteSource organization api key. This parameter must be a repository secret. Required parameter.

ws-user-key: WhiteSource user key. This parameter must be a repository secret. Required parameter.

ws-product-key: WhiteSource product key to publish results to. This parameter must be a repository secret. If not specified - a default product will be created.

print-scan-report: Whether to print the results report as part opf the action's log. Default is false.

actions_step_debug: Whether to print debug logs. Default is false.

Output Parameters

scan-report-file-path: Path of the scan report file.

scan-report-folder-path: Path of the folder of the scan report file.

Workflow Examples

The recommended way to add this action to your workflow, is with a subsequent action that uploads the report json as an artifact. For example:

on: registry_package
name: WORKFLOW_NAME
jobs:
  gpSecurityJob:
    name: GP Security Check Job
    runs-on: ubuntu-latest
    steps:
      - name: GP Security Check Step
        id: gp-security-check
        uses: whitesource/[email protected]
        with:
          gp-token: ${{ secrets.GP_ACCESS_TOKEN }}
          ws-api-key: ${{ secrets.WS_API_KEY }}
          ws-user-key: ${{ secrets.WS_USER_KEY }}
          ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}
          ws-destination-url: https://saas.whitesourcesoftware.com/agent
      - name: Upload Report
        uses: actions/upload-artifact@master
        with:
          name: security-scan-log
          path: ${{ steps.gp-security-check.outputs.scan-report-folder-path }}

Another option is to print the scan report to the step's log, without uploading it as an artifact:

on: registry_package
name: WORKFLOW_NAME
jobs:
  gpSecurityJob:
    name: GP Security Check Job
    runs-on: ubuntu-latest
    steps:
      - name: GP Security Check Step
        id: gp-security-check
        uses: whitesource/[email protected]
        with:
          gp-token: ${{ secrets.GP_ACCESS_TOKEN }}
          ws-api-key: ${{ secrets.WS_API_KEY }}
          ws-user-key: ${{ secrets.WS_USER_KEY }}
          ws-product-key: ${{ secrets.WS_PRODUCT_KEY }}
          ws-destination-url: https://saas.whitesourcesoftware.com/agent
          print-scan-report: true

Scan Report File

The output is a report in json format, which includes information on vulnerabilities, license, top fixes and inventory details. For example:

{
  "projectVitals": {
    "productName": "demo product",
    "name": "demo project",
    "token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  },
  "libraries": [
    {
      "keyUuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "keyId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "type": "REDHAT_PACKAGE_MODULE",
      "languages": "RPM",
      "references": {
        "url": "http://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm",
        "homePage": "http://www.sqlite.org/"
      },
      "outdated": true,
      "sha1": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "sqlite.rpm",
      "artifactId": "sqlite.rpm",
      "version": "3.7.17-8.el7",
      "groupId": "sqlite",
      "licenses": [
        {
          "name": "Public Domain",
          "url": "http://creativecommons.org/licenses/publicdomain/",
          "profileInfo": {
            "copyrightRiskScore": "ONE",
            "patentRiskScore": "THREE",
            "copyleft": "NO",
            "linking": "NON_VIRAL",
            "royaltyFree": "NO"
          },
          "referenceType": "RPM (details available in package spec file)",
          "reference": "packageName\u003dsqlite\u0026url\u003dhttp://mirror.centos.org/centos/7/os/x86_64/Packages/sqlite-3.7.17-8.el7.x86_64.rpm"
        }
      ],
      "vulnerabilities": [
        {
          "name": "CVE-2018-8740",
          "type": "CVE",
          "severity": "MEDIUM",
          "score": 5.0,
          "cvss3_severity": "HIGH",
          "cvss3_score": 7.5,
          "scoreMetadataVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "publishDate": "2018-03-17",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name\u003dCVE-2018-8740",
          "description": "In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c.",
          "allFixes": [],
          "references": []
        }
      ]
    }
  ]
}

License

The scripts and documentation in this project are released under the Apache 2.0 license.