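---
# Composite action that runs the Noname Active CLI scanner (pulled from a
# private registry) against the current repository.
#
# All inputs are handed to the shell steps through `env:` and read as
# `$VAR` inside the scripts. Interpolating `${{ inputs.* }}` directly into a
# `run:` body makes the input part of the script text, so a value such as a
# branch name containing shell metacharacters would be executed rather than
# passed as data. Input names, required flags and defaults are unchanged.
name: "Active Scan"
description: "Run Noname Active CLI scan against the current repository"
author: "Noname Security"

inputs:
  ACTIVE_REGISTRY_URL:
    description: "Active Docker registry URL"
    required: true
  ACTIVE_REGISTRY_USER:
    description: "Active Docker registry username"
    required: true
  ACTIVE_REGISTRY_PASSWORD:
    description: "Active Docker registry password / JSON key (use a secret)"
    required: true
  ACTIVE_API_URL:
    description: "Active API URL (e.g. https://mimic-clean-14323.nonamesec.com/active)"
    required: true
  ACTIVE_API_TOKEN:
    description: "Active API token (JWT) – pass via secret"
    required: true
  ACTIVE_BACKEND_URI:
    description: "Active backend URI"
    required: true
  TEST_GROUP_ID:
    description: "Test group ID"
    required: true
  BRANCH_NAME:
    description: "Branch name"
    required: true
    default: "${{ github.ref_name }}"
  ENV_ID:
    description: "Environment ID (string)"
    required: true
    default: ""
  VERBOSE:
    description: "Enable verbose output"
    required: false
    default: "false"
  ANALYZE:
    description: "Enable analyze mode"
    required: false
    default: "false"
  ACTIVE_SEVERITY_THRESHOLD:
    description: "Severity threshold (e.g. HIGH, MEDIUM)"
    required: false
    default: ""
  ACTIVE_ISSUE_THRESHOLD:
    description: "Issue threshold (string)"
    required: false
    default: ""
  CATEGORY_THRESHOLD:
    description: "Category threshold (string)"
    required: false
    default: ""
  ACTIVE_RATE_LIMIT:
    description: "Concurrency level (number)"
    required: false
    default: ""
  ACTIVE_SCAN_TIMEOUT:
    description: "Timeout in seconds (number)"
    required: false
    default: ""
  ACTIVE_SCANNER_PROXY:
    description: "HTTP proxy URL"
    required: false
    default: ""
  ACTIVE_BACKEND_PROXY:
    description: "Backend HTTP proxy URL"
    required: false
    default: ""

runs:
  using: "composite"
  steps:
    - name: Log versions / debug
      shell: bash
      run: |
        echo "Running Active scan..."
        echo "Repository: $GITHUB_REPOSITORY"
        echo "Branch / ref: $GITHUB_REF_NAME"

    - name: Docker login to Active registry
      shell: bash
      env:
        ACTIVE_REGISTRY_URL: "${{ inputs.ACTIVE_REGISTRY_URL }}"
        ACTIVE_REGISTRY_USER: "${{ inputs.ACTIVE_REGISTRY_USER }}"
        ACTIVE_REGISTRY_PASSWORD: "${{ inputs.ACTIVE_REGISTRY_PASSWORD }}"
      run: |
        set -euo pipefail
        # --password-stdin keeps the credential out of the docker process
        # argument list (visible to other processes on the runner with -p).
        printf '%s' "$ACTIVE_REGISTRY_PASSWORD" \
          | docker login "$ACTIVE_REGISTRY_URL" \
              -u "$ACTIVE_REGISTRY_USER" \
              --password-stdin

    - name: Run Active CLI scan
      shell: bash
      env:
        ACTIVE_REGISTRY_URL: "${{ inputs.ACTIVE_REGISTRY_URL }}"
        ACTIVE_API_URL: "${{ inputs.ACTIVE_API_URL }}"
        ACTIVE_API_TOKEN: "${{ inputs.ACTIVE_API_TOKEN }}"
        ACTIVE_BACKEND_URI: "${{ inputs.ACTIVE_BACKEND_URI }}"
        TEST_GROUP_ID: "${{ inputs.TEST_GROUP_ID }}"
        ENV_ID: "${{ inputs.ENV_ID }}"
        BRANCH_NAME: "${{ inputs.BRANCH_NAME }}"
        VERBOSE: "${{ inputs.VERBOSE }}"
        ANALYZE: "${{ inputs.ANALYZE }}"
        ACTIVE_SEVERITY_THRESHOLD: "${{ inputs.ACTIVE_SEVERITY_THRESHOLD }}"
        ACTIVE_ISSUE_THRESHOLD: "${{ inputs.ACTIVE_ISSUE_THRESHOLD }}"
        CATEGORY_THRESHOLD: "${{ inputs.CATEGORY_THRESHOLD }}"
        ACTIVE_RATE_LIMIT: "${{ inputs.ACTIVE_RATE_LIMIT }}"
        ACTIVE_SCAN_TIMEOUT: "${{ inputs.ACTIVE_SCAN_TIMEOUT }}"
        ACTIVE_SCANNER_PROXY: "${{ inputs.ACTIVE_SCANNER_PROXY }}"
        ACTIVE_BACKEND_PROXY: "${{ inputs.ACTIVE_BACKEND_PROXY }}"
      run: |
        set -euo pipefail

        # Fetch the CLI image tag from the Active API.
        # -f makes an HTTP error status fail the step instead of becoming the
        # image tag; -S still reports transport errors under -s.
        # NOTE(review): -k disables certificate verification on the request
        # that selects which image is run; drop it once the API endpoint
        # presents a certificate the runner trusts.
        VERSION=$(curl -ksSf "$ACTIVE_API_URL/backend/version")
        if [[ -z "$VERSION" ]]; then
          echo "::error::Empty version returned from $ACTIVE_API_URL/backend/version"
          exit 1
        fi
        echo "Using active-cli image tag: $VERSION"

        # Optional flags are collected in arrays so each value is passed as a
        # single argument: no word splitting on spaces, and no literal quote
        # characters ending up inside the proxy environment variables.
        # Host networking is kept as in the original invocation; confirm the
        # CLI actually needs it rather than the default bridge network.
        docker_args=(
          --network=host
          -e "ACTIVE_BACKEND_URI=$ACTIVE_BACKEND_URI"
        )
        if [[ -n "$ACTIVE_BACKEND_PROXY" ]]; then
          if [[ "$ACTIVE_BACKEND_PROXY" == http:* ]]; then
            docker_args+=(-e "ACTIVE_REMOTE_WORKER_HTTP_PROXY=$ACTIVE_BACKEND_PROXY")
          else
            docker_args+=(-e "ACTIVE_REMOTE_WORKER_HTTPS_PROXY=$ACTIVE_BACKEND_PROXY")
          fi
        fi
        docker_args+=(-v "$GITHUB_WORKSPACE/akamai:/akamai")

        # The API token is passed on the CLI command line because that is the
        # only interface the scanner exposes here; it is therefore visible in
        # the container's argument list on the runner.
        scan_args=(
          --api-url="$ACTIVE_API_URL"
          --api-token="$ACTIVE_API_TOKEN"
          --test-group-id="$TEST_GROUP_ID"
          --env-id="$ENV_ID"
          --branch-name="$BRANCH_NAME"
        )
        if [[ "$VERBOSE" == "true" ]]; then
          scan_args+=(--verbose)
        fi
        if [[ "$ANALYZE" == "true" ]]; then
          scan_args+=(--analyze)
        fi
        if [[ -n "$ACTIVE_SEVERITY_THRESHOLD" ]]; then
          scan_args+=(--severity-threshold="$ACTIVE_SEVERITY_THRESHOLD")
        fi
        if [[ -n "$ACTIVE_ISSUE_THRESHOLD" ]]; then
          scan_args+=(--issue-threshold="$ACTIVE_ISSUE_THRESHOLD")
        fi
        if [[ -n "$CATEGORY_THRESHOLD" ]]; then
          scan_args+=(--category-threshold="$CATEGORY_THRESHOLD")
        fi
        if [[ -n "$ACTIVE_RATE_LIMIT" ]]; then
          scan_args+=(--concurrency="$ACTIVE_RATE_LIMIT")
        fi
        if [[ -n "$ACTIVE_SCAN_TIMEOUT" ]]; then
          scan_args+=(--timeout="$ACTIVE_SCAN_TIMEOUT")
        fi
        if [[ -n "$ACTIVE_SCANNER_PROXY" ]]; then
          scan_args+=(--proxy="$ACTIVE_SCANNER_PROXY")
        fi

        docker run "${docker_args[@]}" \
          "$ACTIVE_REGISTRY_URL/active-cli:${VERSION}" \
          scan "${scan_args[@]}"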