GitHub CI Integration
The action is located at https://github.com/sec3dev/pro-action
1. Setup integration
First, find the secret token on the dashboard under the “Account -> Security” section.
After acquiring the token, navigate to your GitHub repository, click Settings -> Secrets -> Actions -> New Repository Secret, enter SEC3_TOKEN in the Name field, paste the token in the Value field, and click Add secret.
Next, add a workflow (.github/workflows/sec3.yml):
Warning: DO NOT explicitly include your token in the workflow.
A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:
The detailed audit report can be viewed by following the link (with authentication).
If you would like to hide the detailed report link, add a hide-report-link boolean variable in the .yml file. Example:
If you would like to scan a certain program in the repo, add a path variable specifying the path of an individual program. Example:
2. Code scanning alerts integration
Sec3 X-ray also saves in the workspace a report in SARIF format, named sec3-report.sarif, which can be integrated with other jobs such as Code scanning alerts on GitHub:
Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.
The configuration has two steps:
(1) Set up code scanning (follow GitHub's docs)
(2) Add a workflow (.github/workflows/sec3-alerts.yml):
A full sample sec3-alerts.yml file can be found here.
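The following is an added example (not the project's sample file) that combines the two workflows described on this page: it runs the action with the SEC3_TOKEN secret, the hide-report-link and path variables, and then uploads the sec3-report.sarif file to Code scanning alerts. The token input name `sec3-token`, the `@v1` tag, the placement of `hide-report-link` and `path` under `with:`, and the program path are assumptions; the upload step is GitHub's standard `github/codeql-action/upload-sarif` action.

```yaml
# Added example workflow, not the project's sample file. Assumptions are
# marked inline; hide-report-link, path and sec3-report.sarif come from the docs.
name: Sec3 X-ray audit
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed by upload-sarif to create code scanning alerts

jobs:
  sec3-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Sec3 X-ray
        uses: sec3dev/pro-action@v1          # version tag is an assumption
        with:
          # Never paste the token literally; reference the repository secret.
          sec3-token: ${{ secrets.SEC3_TOKEN }}   # input name is an assumption
          hide-report-link: true              # keep the report URL out of the job log
          path: programs/my-program           # hypothetical path to one program

      # Code scanning alerts: upload the SARIF report the action left in the workspace.
      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sec3-report.sarif
```

For private repositories the upload step only produces alerts when the organization has GitHub Advanced Security enabled, as noted above.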
The screenshot above shows a detected missing signer check issue in Code scanning alerts.