GitHub CI Integration
Last updated
First, find the sec3 secret token on the dashboard under the “Account -> Security” section.
After acquiring the token, navigate to your GitHub repository. Click through Settings -> Secrets and variables -> Actions -> New Repository Secret to add a new Actions secret. Enter SEC3_TOKEN in the Name field, paste the token value in the Secret field and click Add secret.
Warning: DO NOT explicitly include your token in the workflow.
The detailed audit report can be viewed by following the link (with authentication).
If you would like to hide the detailed report link, add a hide-report-link boolean variable in the .yml file. Example:
If you would like to scan a certain program in the repo, add a path variable specifying the path of an individual program. Example:
Sec3 X-ray also saves in the workspace a report in SARIF format, named sec3-report.sarif, which can be integrated with other jobs such as Code scanning alerts on GitHub:
The configuration has two steps:
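The two steps, as an added sample workflow that is not the page's own sec3.yml or sec3-alerts.yml: the scan step producing sec3-report.sarif, then the upload of that file to Code scanning alerts. The sec3 action reference, the use of `with`/`env` to pass `hide-report-link`, `path` and the token, and the program path are assumptions; only the secret name SEC3_TOKEN, the two variable names and the SARIF file name come from this page.

```yaml
name: sec3 X-ray audit

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to Code scanning alerts

jobs:
  xray:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Step 1: run the scan. The action reference is a placeholder (assumption):
      # take the real one from the sample sec3.yml linked on this page.
      - name: Run sec3 X-ray
        uses: SEC3_XRAY_ACTION_PLACEHOLDER   # <org>/<action>@<ref>
        with:
          hide-report-link: true             # hide the detailed report link
          path: programs/my-program          # assumption: scan one program only
        env:
          # The token is read from the repository secret, never written literally
          SEC3_TOKEN: ${{ secrets.SEC3_TOKEN }}

      # Step 2: hand the SARIF file saved in the workspace to GitHub Code scanning
      - name: Upload SARIF to Code scanning alerts
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sec3-report.sarif
```

Drop the `hide-report-link` and `path` lines to keep the default behaviour (report link shown, whole repository scanned).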
The screenshot above shows a detected missing signer check issue in Code scanning alerts.
A full sample sec3.yml file can be found . The following shows a snapshot of the GitHub action result:
Note: to enable this feature for private repos, GitHub requires an organization account and a license.
A full sample sec3-alerts.yml file can be found .