Technical Doc | Integrating OpenSCA into GitHub Actions: Controlling the Risk Surface at the Software Supply Chain Entry Point
Following Jenkins and GitLab CI, the GitHub Actions integration is now here too~
If you have discovered other ways to use OpenSCA, you are welcome to send a write-up to the project team and share your experience with the community~
Parameters
| Parameter | Required | Description |
|---|---|---|
| token | ? | OpenSCA cloud vulnerability database service token; obtainable from the OpenSCA website |
| proj | ? | Syncs scan results to the specified OpenSCA SaaS project |
| need-artifact | ? | Whether to upload log/result files to the workflow run (default: no) |
| out | ? | Result file(s) to upload (separate multiple files with ","; only result files under the outputs directory are uploaded) |
Usage examples
Workflow example
```yaml
on:
  push:
    branches:
      - master
      - main
  pull_request:
    branches:
      - master
      - main
jobs:
  opensca-scan:
    runs-on: ubuntu-latest
    name: OpenSCA Scan
    steps:
      - name: Checkout your code
        uses: actions/checkout@v4
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}
```
*You must first create a repository secret holding your OpenSCA cloud vulnerability database service token; for details see https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#about-secrets
After the scan finishes, the results can be found under the repository's Security / Code scanning tab.
You can also jump directly to OpenSCA SaaS for more details; the link is printed in the Action log.
More scenarios
Syncing scan results to a specified OpenSCA SaaS project
Use the proj parameter to bind the scan task to a specified project; the ProjectID can be obtained from the SaaS platform.
```yaml
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}
          proj: ${{ secrets.OPENSCA_PROJECT_ID }}
```
Keeping logs for troubleshooting
```yaml
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}
          need-artifact: "true"
```
Uploading logs and the scan report to the workflow run
```yaml
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}
          out: "outputs/result.json,outputs/result.html"
          need-artifact: "true"
```
*Only result files under the outputs directory are uploaded.
FAQ
Permission denied
If you hit a permission denied error, go to Settings -> Actions -> General, select "Read and write permissions" under Workflow permissions, and save.
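As an added example (not from the OpenSCA project or the original post), here is a complete workflow that combines the scenarios above and grants the job only the permissions it needs, instead of switching the whole repository to "Read and write permissions" for every workflow. It assumes the action only needs to read the checkout and publish results to code scanning, so `contents: read` plus `security-events: write` are sufficient; if a step still fails under this setting, the repository-wide setting from the FAQ remains the fallback.

```yaml
name: OpenSCA Scan (least privilege)
on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

# Assumption: the action reads the checked-out source and writes code
# scanning results. Any permission not listed here is denied, which is
# narrower than the repository-wide "Read and write permissions" setting.
permissions:
  contents: read
  security-events: write

jobs:
  opensca-scan:
    runs-on: ubuntu-latest
    name: OpenSCA Scan
    steps:
      - name: Checkout your code
        uses: actions/checkout@v4
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}        # always a secret, never a literal
          proj: ${{ secrets.OPENSCA_PROJECT_ID }}    # bind results to one SaaS project
          out: "outputs/result.json,outputs/result.html"
          need-artifact: "true"                      # keep logs/report on the run
```

Note that pull_request runs triggered from forks receive a read-only GITHUB_TOKEN and no repository secrets, so the SaaS sync will not run for those pull requests.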
Can't find the artifact?
It is located in the bottom area of the workflow summary page (see screenshot):
If you have other questions or feedback, feel free to open an ISSUE~
https://github.com/XmirrorSecurity/opensca-scan-action