You can trigger a scan on the Strobes platform from your GitHub Actions workflow. Both SAST and DAST scans can be initiated this way.
Head over to the GitHub Marketplace and search for 'Strobes'. The search returns two results, 'Strobes API Scan' and 'Triangulum CLI Scan'. We will be focusing on 'Strobes API Scan' in this article.
Click on 'Strobes API Scan' and then on 'Use latest version'. You will be given a snippet which you have to include in your .yml file.
This configuration allows your workflow to call the Strobes API, which in turn invokes scans in your Strobes organization. Once the scans are done, the vulnerabilities are populated against the 'Asset' you selected to run the scan against. There are two parts to triggering a scan through GitHub Actions. They are as follows:
- The first part is to create a workflow configuration within Strobes.
- The second part is to add the mentioned snippet to the .yml file in your GitHub repo.
For the sake of demonstration we will be configuring and running a Bandit scan against the code of DVPWA.
Creating a Bandit Workflow Configuration on Strobes
- Navigate to 'Connectors', click on 'Static Security Scanners' and select 'Bandit from PyCQA'.
- Enter a 'Configuration Name'. This name will be used while triggering a scan from Github Actions.
- Now select a Version Control System which manages your code.
- In this case we are selecting the 'Git Configuration' which we have preconfigured. More on how to create a Git configuration here.
- Now select the 'Asset' against which you want your scan results to be populated and select the agent as 'Default Strobes Agent'.
- Select any 'Notification or Tracking' configurations which you have added and click on 'Submit'.
- A Bandit workflow within Strobes will be created for you.
Triggering a Scan Using Github Actions
- In your 'GitHub Repo' click on 'Actions' and then on 'Set up a workflow yourself' if you don't already have a workflow.
- A .yml file will now be generated for you.
- Under your 'Steps' you have to add the snippet which you obtained from here.
- To trigger a scan on Strobes, five 'Input Parameters' are required; they are defined under the 'with' key. The five input parameters are as follows:
  - 'strobes_url' : This is the Strobes URL of your organization.
  - 'auth_token' : This is your 'Strobes API Key'. More on how to get your API key here.
  - 'target' : This is the 'Branch' on which you wish to run the Bandit scanner after the code has been pushed.
  - 'config_name' : This is the 'Configuration Name' which you gave while creating the 'Bandit Workflow'.
  - 'rules' : The number of issues, per severity, at which you want your build to fail. Rules are written as follows:
    - Critical : If you want the build to fail once a certain number of critical issues have been identified, give the number followed by the letter 'c'. For example, for two critical issues give the input '2c'.
    - High : If you want the build to fail once a certain number of high issues have been identified, give the number followed by the letter 'h'. For example, for two high issues give the input '2h'.
    - Medium : If you want the build to fail once a certain number of medium issues have been identified, give the number followed by the letter 'm'. For example, for two medium issues give the input '2m'.
    - Low : If you want the build to fail once a certain number of low issues have been identified, give the number followed by the letter 'l'. For example, for two low issues give the input '2l'.
    - You can also give a combination of rules, separated by commas, for example 2c,2h,2m.
A sample snippet in the .yml file looks like the following (the 'uses' line comes from the Marketplace snippet, and the remaining four inputs sit next to 'config_name' under 'with'):
    - name: Strobes API Scan
      with:
        config_name: Strobes Actions
        # plus strobes_url, auth_token, target and rules, as described above
Note: Instead of adding your 'auth_token' in plaintext, it is recommended to use 'GitHub Secrets'. More about how to add secrets here.
Now whenever you commit any code to the branch you selected, the Bandit scan is invoked on your repo as shown below.
A 'Task' will also be created on Strobes. More about tasks here.
In this case, under 'rules' we gave the input '2c'. So if the results of the scan had contained two critical issues, the build would have failed. Our code did not have two critical issues, hence it passed. The issues identified during the scan are populated on Strobes.
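To make the 'rules' format concrete, here is an added example (not the Strobes action's own code) that parses a rules string such as 2c,2h,2m and decides whether a build should fail for a given set of finding counts. The threshold semantics (fail once a severity's count reaches the configured number) and the finding counts are assumptions taken from the '2c' walkthrough above.

```python
import re
from typing import Dict

# Severity letters used by the 'rules' input, e.g. "2c,2h,2m".
SEVERITY_LETTERS = {"c": "critical", "h": "high", "m": "medium", "l": "low"}
_RULE_RE = re.compile(r"^(\d+)([chml])$")


def parse_rules(rules: str) -> Dict[str, int]:
    """Turn '2c,2h,2m' into {'critical': 2, 'high': 2, 'medium': 2}.

    Malformed or duplicated entries raise ValueError so that a typo in the
    workflow fails the job loudly instead of silently disabling the gate.
    """
    thresholds: Dict[str, int] = {}
    for raw in rules.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        match = _RULE_RE.match(token)
        if not match:
            raise ValueError(f"invalid rule {raw!r}; expected e.g. '2c' or '5h'")
        severity = SEVERITY_LETTERS[match.group(2)]
        if severity in thresholds:
            raise ValueError(f"duplicate rule for {severity}")
        thresholds[severity] = int(match.group(1))
    return thresholds


def violated_rules(rules: str, findings: Dict[str, int]) -> Dict[str, int]:
    """Return {severity: count} for every threshold the scan reached.

    Assumed semantics (from the article's '2c' example): the build fails as
    soon as the count for a severity is at least the configured number.
    An empty result means the build may pass.
    """
    thresholds = parse_rules(rules)
    return {
        severity: findings.get(severity, 0)
        for severity, limit in thresholds.items()
        if findings.get(severity, 0) >= limit
    }


# Constructed sample summary of a Bandit run, not real scan output.
SAMPLE_FINDINGS = {"critical": 1, "high": 3, "medium": 7, "low": 12}

if __name__ == "__main__":
    failed = violated_rules("2c,2h", SAMPLE_FINDINGS)
    print("build failed on:" if failed else "build passed", failed)
```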