GitHub CI Integration

Last updated 7 months ago

The action is located at https://github.com/sec3dev/pro-action.

1. Setup integration

First, find the sec3 secret token on the dashboard under the “Account -> Security” section.

Fig 1. Find sec3 token

After acquiring the token, open your GitHub repository and go to Settings -> Secrets and variables -> Actions -> New repository secret. Enter SEC3_TOKEN in the Name field, paste the token value into the Secret field and click Add secret.

Fig 2. Set up sec3 token on GitHub

Next, add a workflow (.github/workflows/sec3.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: [main]
  pull_request:
    branches: ["*"]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false    # set to true if you don't want the audit to fail the job
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}

Warning: do not paste the token itself into the workflow file. Always reference it as ${{ secrets.SEC3_TOKEN }} so that it is stored encrypted and masked in job logs. Note also that GitHub does not pass repository secrets to workflows triggered by pull_request events from forked repositories, so with the pull_request trigger above the audit step will run without a token on fork PRs; either restrict the trigger to branches in your own repository or expect the step to fail there.

The job output prints a link to the detailed audit report; opening it requires signing in to sec3.

If you would like to hide the detailed report link, set the hide-report-link boolean input in the .yml file. Example:

- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    hide-report-link: true

If you would like to scan only one program in the repo, set the path input to that program's directory. Example:

- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    path: one-program

A full sample sec3.yml file can be found here.

Screenshot: GitHub action result for the Sec3 Pro Audit job

2. Code scanning alerts integration

Sec3 X-ray also writes a report in SARIF format, named sec3-report.sarif, to the job workspace. This file can be consumed by later steps, for example uploaded to Code scanning alerts on GitHub.

The configuration has two steps:

(1) Set up code scanning (follow GitHub's docs). Note: to enable this feature for private repos, GitHub requires an organization account and a GitHub Advanced Security license.

(2) Add a workflow (.github/workflows/sec3-alerts.yml):

name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: [main]
  pull_request:
    branches: ["*"]
# least-privilege GITHUB_TOKEN; upload-sarif needs security-events: write
permissions:
  contents: read
  security-events: write
  actions: read    # only required for workflows in private repositories
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: true    # keep going so the SARIF upload below still runs when findings fail the audit
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sec3-report.sarif

A full sample sec3-alerts.yml file can be found here.

Screenshot: a detected missing signer check issue shown in Code scanning alerts
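As an added example (not part of the sec3 documentation or the pro-action project), the script below reads a SARIF 2.1.0 file such as sec3-report.sarif, prints each finding with its file and line, and returns a non-zero status when anything at or above a chosen level is present. This is one way to gate the job yourself when the audit step runs with continue-on-error: true so that the SARIF upload still happens. The embedded sample report is constructed for this example in the standard SARIF layout (runs[].results[] with ruleId, level, message and locations); sec3 X-ray's real rule IDs, levels and message wording are assumptions, and only the missing signer check mentioned on this page is used as an illustrative finding.

```python
"""Summarise a SARIF 2.1.0 report (e.g. sec3-report.sarif) and gate a CI job on it.

Added example; the SARIF field names below are the SARIF 2.1.0 standard, but the
rule IDs, levels and messages in SAMPLE_SARIF are constructed, not real sec3 output.
"""
import json
import sys
from collections import Counter

# Constructed sample report in SARIF 2.1.0 shape (assumed rule IDs, not real sec3 output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sec3 X-ray", "rules": [
            {"id": "missing-signer-check", "shortDescription": {"text": "Missing signer check"}},
            {"id": "unused-account", "shortDescription": {"text": "Unused account"}},
        ]}},
        "results": [
            {"ruleId": "missing-signer-check", "level": "error",
             "message": {"text": "Account `authority` is never checked for is_signer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/vault/src/lib.rs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "unused-account", "level": "warning",
             "message": {"text": "Account `rent` is passed but never used"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/vault/src/lib.rs"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
}

# SARIF result levels, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_results(sarif):
    """Yield (rule_id, level, message, uri, start_line) for every result in every run."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            # Use the first location if present; SARIF allows results with none.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (
                res.get("ruleId", "?"),
                res.get("level", "warning"),  # SARIF's default level is "warning"
                res.get("message", {}).get("text", ""),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine"),
            )


def count_by_level(sarif):
    """Counter of findings keyed by SARIF level."""
    return Counter(r[1] for r in iter_results(sarif))


def findings_at_or_above(sarif, threshold="error"):
    """Findings whose level is at or above the threshold; unknown levels count as warning."""
    min_rank = LEVEL_RANK[threshold]
    return [r for r in iter_results(sarif) if LEVEL_RANK.get(r[1], 2) >= min_rank]


def gate(sarif, threshold="error"):
    """Exit status for a CI step: 0 if nothing at/above the threshold, 1 otherwise."""
    return 0 if not findings_at_or_above(sarif, threshold) else 1


def main(argv):
    """Print findings and a per-level summary; exit 1 if any error-level finding exists."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF  # fall back to the constructed sample for a local dry run
    for rule, level, msg, uri, line in iter_results(sarif):
        print(f"{level:8} {uri}:{line} [{rule}] {msg}")
    print("summary:", dict(count_by_level(sarif)))
    return gate(sarif)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a workflow step after the upload-sarif step, for example with run: python sarif_gate.py sec3-report.sarif, so that the alerts are published before a non-zero exit fails the job; placing it before the upload would skip the upload on failure unless that step carries if: always().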