GitHub Action
SecureStack Web Vulnerability Analysis
v0.1.3
Latest version
A GitHub Action that analyses your web application for security and availability issues. When you add this to GitHub Actions we will analyze your web app everytime you deploy to a public endpoint and let you know if what you've just deployed is secure and meets your requirements. See below for what types of issues this action scans for.
name: Example Workflow Using SecureStack Web Vulnerability Exposure Action
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Web Vulnerability Exposure Analysis Step
id: exposure
uses: SecureStackCo/[email protected]
with:
securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
severity: critical
flags: '--dom -r'
NOTE - to understand possible values for the action input flags
, run the SecureStack cli locally:
$ bloodhound-cli recon --help
- Create a SecureStack account using your GitHub credentials. You get 20 scans for free and you don't need to add a credit card.
- Once you are logged in go to "Profile" in the black drawer on the left, and then -> GENERATE KEY tab.
- Generate an API key and copy the value.
- Go to Settings for your GitHub repository and click on Secrets -> Actions at the bottom left.
- Create a new secret named SECURESTACK_API_KEY and paste the value from step 2 into the field.
- Log in to SecureStack.
- Open the application you wish to analyse. If you haven't created a managed application you can follow the directions in this VIDEO to create one.
- Copy the value of the application id on the View Application screen.
- Go to Settings for your GitHub repository and click on Secrets -> Actions at the bottom left.
- Create a new secret named SECURESTACK_APP_ID and paste the value from step 3 into the field.
- Scans web application for out of date and vulnerable application components
- Identifies whether basic security controls like WAF, firewalls, and security headers are being used
- Finds all public facing assets & helps you understand your application attack surface
- Identifies misconfigurations in existing WAF or CDN
- Identifies if app is using CSP or security headers and whether they're working
- Finds WAF bypass attacks for Akamai, Cloudflare & Imperva
- SecureStack Secrets Analysis - Scan your application for embedded api keys, credentials and senstive data.
- SecureStack Software Composition Analysis (SCA) - Scan your application for vulnerable third-party and open source libraries.
- SecureStack Log4j Analysis - Scan your application for Log4j/Log4Shell vulnerabilities.
https://www.youtube.com/watch?v=YrPITQNy9UM&list=PL_8Xjyi5rInxzhpQkDRipipmaj0lT6pJ8
Made with 💜 by SecureStack