技术文档 | 将OpenSCA接入GitHub Action,从软件供应链入口控制风险面

继Jenkins和Gitlab CI之后,GitHub Action的集成也安排上啦~

若您解锁了其他OpenSCA的用法,也欢迎向项目组来稿,将经验分享给社区的小伙伴们~

参数说明

参数 是否必须 描述
token OpenSCA云漏洞库服务token,可在OpenSCA官网获得
proj 用于同步检测结果至OpenSCA SaaS指定项目
need-artifact "是否上传日志/结果文件至workflow run(默认:否)
out 指定上传的结果文件格式(文件间使用“,”分隔;仅outputs目录下的结果文件会被上传)

使用样例

workflow 示例

on:
  push:
    branches:
        - master
        - main
  pull_request:
    branches:
        - master
        - main

jobs:
  opensca-scan:
    runs-on: ubuntu-latest
    name: OpenSCA Scan
    steps:
      - name: Checkout your code
        uses: actions/checkout@v4
      - name: Run OpenSCA Scan
        uses: XmirrorSecurity/opensca-scan-action@v1
        with:
          token: ${{ secrets.OPENSCA_TOKEN }}

*需要先基于OpenSCA云漏洞库服务token创建秘钥,详细信息请见https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#about-secrets

扫描结束后,可在仓库的Security/Code scanning里找到结果

也可直接跳转至OpenSCA SaaS查看更多详细信息;跳转链接可在Action日志中找到

更多场景

同步检测结果至OpenSCA SaaS指定项目

使用proj参数将检测任务绑定至指定项目下;ProjectID可在SaaS平台获取

- name: Run OpenSCA Scan
  uses: XmirrorSecurity/opensca-scan-action@v1
  with:
    token: ${{ secrets.OPENSCA_TOKEN }}
    proj: ${{ secrets.OPENSCA_PROJECT_ID }}

保留日志用于问题排查

- name: Run OpenSCA Scan
  uses: XmirrorSecurity/opensca-scan-action@v1
  with:
    token: ${{ secrets.OPENSCA_TOKEN }}
    need-artifact: "true"

上传日志及检测报告至workflow run

- name: Run OpenSCA Scan
  uses: XmirrorSecurity/opensca-scan-action@v1
  with:
    token: ${{ secrets.OPENSCA_TOKEN }}
    out: "outputs/result.json,outputs/result.html"
    need-artifact: "true"

*仅outputs目录下的结果文件会被上传

常见问题

Permission denied

若遇permission denied报错,可前往Settings -> Actions -> General,在Workflow permissions里选中 "Read and write permissions"并保存

找不到artifact?

在workflow summary页面底部区域,截图示意如下:

如有其他问题或反馈,欢迎向我们提交ISSUE~

https://github.com/XmirrorSecurity/opensca-scan-action

posted @ 2024-01-18 15:05  OpenSCA社区  阅读(64)  评论(0编辑  收藏  举报