Caution
Still in early development. Use at your own risk. For more information see scatool.com
We are on a mission to make open-source software in products and projects safe, easy, and fun to use.
This is the GitHub Action to interact with the SCA Tool API and start a scan of your repository automatically from your workflows. Only the dependency files that our Scanner & Analyzer can process are uploaded. No application logic is uploaded.
To get started, visit app.scatool.com, create an account, and create a new project and Distribution Unit. Additionally, create an API key in your Organization Settings, subsection 'API Key'. Both the API key and the Distribution Unit ID are needed to identify which Distribution Unit an upload belongs to. For security reasons, store the API key as a GitHub Secret rather than writing it directly into the workflow: a key committed to the repository can be abused if it is published.
If you do publish your API key, invalidate the old one and create a new one on the same page where you created it. Make sure to invalidate the correct one; use the name of the API key to identify it.
To integrate the action into your workflow, copy the example below. Make sure to check out the repository before calling the SCA Tool action.
The action performs the following steps:
- Get API URL and Excluded Paths: Retrieves the API URL and excluded paths from the action inputs.
- Check API Key Expiration: Ensures the API key is valid and not expired.
- Fetch File Types: Fetches the list of file types from the API.
- Find Files: Searches the repository for files matching the fetched file types, excluding specified paths.
- Check Upload: Verifies that the necessary files are present and not oversized before uploading.
- Upload Files: Sends the matched files to the controller.
- Link to Results: Either prints the link as text in the execution log or, if a GitHub token secret is provided, comments it on the Pull Request.
The exclusion list should contain files and paths relative to the base directory of your repository.
- Example for folders: `node_modules/**`
- Example for file types: `Readme.md` or `*.kt`
- Example for a specific file in a subfolder: `test/package.json`
Add them to a single string separated by commas (",").
```yaml
name: SCA Tool Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Run SCA Tool Scan
        uses: scatool/[email protected]
        with:
          api_key: ${{ secrets.SCA_TOOL_API_KEY }}
          project_id: 'aaaa-aaaa-aaaa-aaaa'
          excluded_paths: 'node_modules/**, Readme.md, test/package.json'
          github_token: ${{ secrets.GITHUB_TOKEN }}
```
- `api_key`: The API key for authenticating with the SCA Tool API.
- `excluded_paths`: Comma-separated list of paths to exclude from the scan.
- `github_token`: Optional. If you want the link to the scan results to be commented on a Pull Request, add the GitHub token. Without it, or if creating the comment fails, the link is still printed in the console log of the action.
- Update the version number in `package.json`.
- Run `npm run bundle` to bundle the changes into the `dist` folder.
- Commit and push the changes.
- Create a new release on GitHub with the updated version number.
- Tag the release with the version number (e.g., `v1.0.1`).
To run formatting use: `npx @biomejs/biome format --write`
To run the linter use: `npx @biomejs/biome lint --write`
If you want to send the data to an alternative server, you can add an additional parameter to the action configuration:
- `api_url`: The base URL of the SCA Tool API. This only needs to be changed for testing services.