GitHub CI Integration

The action is located at https://github.com/sec3dev/pro-action

1. Setup integration

First, find the secret token on the dashboard under the “Account -> Security” section.

After acquiring the token, navigate to your GitHub repository and click Settings -> Secrets -> Actions -> New Repository Secret. Enter SEC3_TOKEN in the Name field, paste the token in the Value field, and click Add secret.

Next, add a workflow (.github/workflows/sec3.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false    # set to true if you don't want to fail jobs
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}

Warning: DO NOT explicitly include your token in the workflow.

A full sample sec3.yml file can be found here. The following shows a snapshot of the GitHub action result:

The detailed audit report can be viewed by following the link (with authentication).

If you would like to hide the detailed report link, set the boolean hide-report-link input in the .yml file. Example:

- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    hide-report-link: true

If you would like to scan only one program in the repo, set the path input to the directory of that program. Example:

- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    path: one-program

2. Code scanning alerts integration

Sec3 X-ray also saves a report in SARIF format, named sec3-report.sarif, in the workspace. Later steps can consume this file, for example to feed Code scanning alerts on GitHub.

Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.

The configuration has two steps:

(1) Set up code scanning (follow GitHub’s docs).

(2) Add a workflow (.github/workflows/sec3-alerts.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: main
  pull_request:
    branches: "*"
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: true    # keep true so the SARIF upload step below still runs when findings are reported
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload Sarif Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sec3-report.sarif

A full sample sec3-alerts.yml file can be found here.
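With continue-on-error set to true in the workflow above, the audit step never fails the job by itself; the SARIF file is what carries the findings. The script below is an added example, not part of sec3dev/pro-action, showing how a later workflow step could read sec3-report.sarif, resolve each result's effective level the way SARIF 2.1.0 defines it (result level, else the rule's defaultConfiguration, else "warning"), and exit non-zero when error-level findings exist. SAMPLE_SARIF is a constructed document used to exercise the parser: its rule ids, messages and file names are invented and do not describe the real report's contents.

```python
"""Summarise a SARIF 2.1.0 report and decide whether a CI job should fail.

Added example for the Code scanning alerts section; not part of
sec3dev/pro-action. SAMPLE_SARIF is constructed for illustration only.
"""
import json
import sys
from collections import Counter

# Constructed sample document (not real scanner output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "EX001", "shortDescription": {"text": "example rule A"}},
                {"id": "EX002", "shortDescription": {"text": "example rule B"},
                 "defaultConfiguration": {"level": "note"}},
            ],
        }},
        "results": [
            {   # explicit level on the result wins over the rule default
                "ruleId": "EX001", "level": "error",
                "message": {"text": "constructed finding 1"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "programs/one-program/src/lib.rs"},
                    "region": {"startLine": 42}}}],
            },
            {   # no level on the result: fall back to the rule default ("note")
                "ruleId": "EX002",
                "message": {"text": "constructed finding 2"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "programs/one-program/src/state.rs"},
                    "region": {"startLine": 7}}}],
            },
            {   # neither result level nor rule default: SARIF says "warning"
                "ruleId": "EX001",
                "message": {"text": "constructed finding 3"},
                "locations": [],
            },
        ],
    }],
}


def _rule_default_levels(run):
    """Map each rule id declared by the tool driver to its default level."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules if "id" in r}


def iter_findings(sarif):
    """Yield one flat dict per SARIF result, resolving the effective level."""
    for run in sarif.get("runs", []):
        defaults = _rule_default_levels(run)
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "<no-rule>")
            level = res.get("level") or defaults.get(rule_id, "warning")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield {
                "rule": rule_id,
                "level": level,
                "uri": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            }


def summarize(sarif):
    """Count findings by effective level, e.g. {'error': 1, 'warning': 1}."""
    return dict(Counter(f["level"] for f in iter_findings(sarif)))


def should_fail(sarif, fail_on=("error",)):
    """True when any finding sits at a level the caller wants to block on."""
    return any(f["level"] in fail_on for f in iter_findings(sarif))


def load_report(path):
    """Read a SARIF JSON file such as the sec3-report.sarif left in the workspace."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python sarif_gate.py [sec3-report.sarif]
    # Without an argument the constructed sample is used; exit 1 on error-level findings.
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SARIF
    for f in iter_findings(report):
        print(f"{f['level']:8} {f['rule']:8} {f['uri']}:{f['line']}  {f['message']}")
    print("summary:", summarize(report))
    sys.exit(1 if should_fail(report) else 0)
```

In a workflow this would run as a step after the Upload Sarif Report step (for example `run: python sarif_gate.py sec3-report.sarif`), so the alerts are recorded on GitHub even when the gate then fails the job. Which levels to block on is a policy choice; the default here blocks only on "error" so that notes and warnings surface in Code scanning alerts without breaking the build.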

The screenshot above shows a detected missing signer check issue in Code scanning alerts.
