Use this action to scan a public GitHub repository with the GitHub Advanced Security tool. GitHub Advanced Security can detect security vulnerabilities and coding errors in your code.
> **Note**
> Scanning of private GitHub repositories is not supported.
A Personal Access Token (PAT) with read-only permission is required to read security alerts from the public repository; alert generation must already be enabled on that repository. The token is referenced in the YAML file that invokes the action, and the action pushes the alerts it reads to the CloudBees platform.
Refer to the GitHub documentation for information on enabling these alerts for your repository.
Refer to the GitHub documentation for information on setting code scanning (CodeQL analysis) to the default setup.
CloudBees requires a fine-grained GitHub PAT to read the security alerts from your repository.
To create a fine-grained PAT, refer to the GitHub documentation.
> **Note**
> CloudBees recommends the following configuration:
Use the fine-grained PAT in the YAML file to invoke the action.
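Before wiring the PAT into the workflow it is worth confirming that it is actually a fine-grained token and that it can read code scanning alerts for the target repository, since the action will otherwise fail at runtime with little context. The script below is an added example and is not part of the CloudBees action; it assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/code-scanning/alerts`, the documented token prefixes (`github_pat_` for fine-grained, `ghp_` for classic), and an environment variable named `GITHUB_SECRET` (chosen to match the secret name in the YAML example; any name works). The sample responses at the bottom are constructed, not captured from GitHub, so the classifier can be exercised offline.

```python
"""Pre-flight check for the PAT handed to the GitHub Advanced Security scan action.

Added example, not code from the CloudBees action. Assumptions:
  * GitHub REST endpoint GET /repos/{owner}/{repo}/code-scanning/alerts
  * token prefixes: github_pat_ = fine-grained PAT, ghp_ = classic PAT
  * the PAT is read from the environment variable GITHUB_SECRET (assumed name)
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"


def token_kind(token: str) -> str:
    """Classify a PAT by its prefix so a classic token is rejected before use."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def classify_alerts_response(status: int, body: str) -> str:
    """Turn the HTTP status of the alerts call into an actionable verdict.

    403 is what a fine-grained PAT gets when it lacks the
    'Code scanning alerts: read' permission. 404 covers a repository that is
    missing, private, outside the token's repository scope, or that has no
    CodeQL analysis yet (GitHub reports the last case as "no analysis found").
    """
    try:
        payload = json.loads(body) if body else None
    except json.JSONDecodeError:
        payload = None

    if status == 200:
        count = len(payload) if isinstance(payload, list) else 0
        return f"ok: alerts readable ({count} on first page)"
    if status == 401:
        return "unauthorized: token is invalid or expired"
    if status == 403:
        return "forbidden: token lacks the 'Code scanning alerts: read' permission"
    if status == 404:
        message = payload.get("message", "") if isinstance(payload, dict) else ""
        if "no analysis found" in message.lower():
            return "not found: code scanning has produced no analysis yet (enable default setup)"
        return "not found: repository missing, private, or not in the token's repository scope"
    return f"unexpected: HTTP {status}"


def fetch_alerts(owner: str, repo: str, token: str, timeout: int = 15):
    """Call the alerts endpoint; returns (status, body) even on HTTP errors."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/code-scanning/alerts?state=open",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(owner: str, repo: str, token: str) -> str:
    """Refuse non-fine-grained tokens, then probe the alerts endpoint."""
    kind = token_kind(token)
    if kind != "fine-grained":
        return f"refusing to continue: token is {kind}, a fine-grained PAT is required"
    return classify_alerts_response(*fetch_alerts(owner, repo, token))


# Constructed sample responses (not captured from GitHub) used when no token is
# configured, so the classifier can be exercised without network access.
SAMPLE_RESPONSES = [
    (200, '[{"number": 1, "state": "open"}]'),
    (403, '{"message": "Resource not accessible by personal access token"}'),
    (404, '{"message": "no analysis found"}'),
]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_SECRET", "")
    if token and len(sys.argv) == 3:
        print(preflight(sys.argv[1], sys.argv[2], token))  # usage: script OWNER REPO
    else:
        for status, body in SAMPLE_RESPONSES:
            print(status, "->", classify_alerts_response(status, body))
```

Run it as `GITHUB_SECRET=github_pat_... python check_pat.py OWNER REPO` against the public repository you intend to scan; a `forbidden` verdict means the fine-grained token was created without the code scanning alerts read permission, and the `not found ... no analysis` verdict means CodeQL default setup has not run yet, so the action would have nothing to push.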
| Input name | Data type | Required? | Description |
|---|---|---|---|
| `token` | String | Yes | The fine-grained GitHub PAT, passed as a workflow secret (see the YAML example below). |
| `language` | String | No | The language of your Git repository code base. Refer to the supported languages below. |
| | String | No | The GitHub URL of the repository to be scanned. |
| | String | No | The branch in your repository to be scanned. |
| Supported language | Input format |
|---|---|
| Go | |
| Java | `LANGUAGE_JAVA` |
In your YAML file, add:
```yaml
- name: Scan with GitHub Advanced Security
  uses: cloudbees-io/github-security-sast-scan-code@v1
  with:
    token: ${{ secrets.GITHUB_SECRET }}
    language: "LANGUAGE_JAVA"
```
This code is made available under the MIT license.

- Learn more about using actions in CloudBees workflows.
- Learn about the CloudBees platform.