
Code Risk Identification

This workflow identifies potential security vulnerabilities in your codebase. It takes a SARIF file as input, analyzes the findings it contains and uploads them to DevGuard so that the asset's code risks are tracked and kept up to date.

The code-risk-identification workflow accepts the following inputs:

| Name                | Description                                  | Required | Default Value                 |
|---------------------|----------------------------------------------|----------|-------------------------------|
| api-url             | URL of the DevGuard API                      | No       | https://api.main.devguard.org |
| asset-name          | Name of the asset to be scanned              | Yes      |                               |
| sarif-file          | Path to the SARIF file to be scanned         | Yes      | sbom.json                     |
| sarif-artifact-name | Name of the SBOM artifact to be downloaded   | No       | ''                            |

Usage Examples:

If the SARIF file is committed to the repository:

on: push

jobs:
  devguard-code-risk-identification:
    uses: l3montree-dev/devguard-action/.github/workflows/code-risk-identification.yml@main
    with:
      api-url: https://api.main.devguard.org
      asset-name: 'myOrganization/projects/myProject/assets/myAsset'
      # Path of the SARIF report, relative to the repository root (input name is sarif-file)
      sarif-file: "./sbom.json"
    secrets:
      # Store the API token as a repository secret; never commit it to the workflow file
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

If the SARIF file is produced by a previous job, that job must upload it as an artifact first, and the workflow then downloads it by name:

name: DevGuard Workflow

on: push

jobs:
  secret-scanning:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: recursive
          # Full history is required so gitleaks can scan every commit, not just HEAD
          fetch-depth: 0
          # Do not leave the checkout token in .git/config for later steps
          persist-credentials: false
      - name: Run Gitleaks Scan
        run: |
          docker run --rm -v $(pwd):/code zricethezav/gitleaks:v8.22.0 git /code --report-path /code/gitleaks.sarif.json --report-format sarif
        # gitleaks exits non-zero when it finds leaks; keep going so the report is still uploaded
        continue-on-error: true

      - name: Upload Gitleaks Report
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-report
          path: gitleaks.sarif.json

  code-risk-identification:
    # Wait for the scan job so the artifact exists before it is downloaded
    needs: secret-scanning
    uses: l3montree-dev/devguard-action/.github/workflows/code-risk-identification.yml@main
    with:
      api-url: https://api.main.devguard.org
      asset-name: 'myOrganization/projects/myProject/assets/myAsset'
      # Artifact name from the upload step above, and the file name inside that artifact
      sarif-artifact-name: gitleaks-report
      sarif-file: gitleaks.sarif.json
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
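A local pre-flight check on the SARIF report before the workflow uploads it, as an added example that is not part of the DevGuard action: it rejects reports that are not SARIF 2.1.0 and summarises findings per rule, per severity and by file:line. The sample report is constructed to resemble gitleaks output and contains no real findings.

```python
import json
from collections import Counter

# Constructed sample shaped like a gitleaks SARIF report (no real secrets or repositories).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks"}},
        "results": [
            {"ruleId": "generic-api-key", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "config/settings.py"}, "region": {"startLine": 12}}}]},
            {"ruleId": "generic-api-key", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "scripts/deploy.sh"}, "region": {"startLine": 40}}}]},
            {"ruleId": "aws-access-token", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_sarif(text):
    """Parse SARIF text and reject reports the workflow cannot ingest."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    if not isinstance(doc.get("runs"), list) or not doc["runs"]:
        raise ValueError("SARIF report contains no runs")
    return doc


def summarize(doc):
    """Count findings per rule and per severity, and list file:line locations."""
    by_rule, by_level, locations = Counter(), Counter(), []
    for run in doc["runs"]:
        for result in run.get("results", []):
            by_rule[result.get("ruleId", "<unknown>")] += 1
            # The SARIF spec treats a missing "level" as "warning".
            by_level[result.get("level", "warning")] += 1
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                locations.append(f"{uri}:{line}")
    return {"tool": doc["runs"][0].get("tool", {}).get("driver", {}).get("name", "?"),
            "total": sum(by_rule.values()), "by_rule": dict(by_rule),
            "by_level": dict(by_level), "locations": locations}
```

Run it against the real gitleaks.sarif.json in a step before the upload to see what DevGuard will receive, or to fail the job early when the report is malformed.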