forked from mandiant/capa
-
Notifications
You must be signed in to change notification settings - Fork 2
63 lines (56 loc) · 2.7 KB
/
crunch42.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow locates REST API file contracts (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
# and runs 300+ security checks on them using 42Crunch Security Audit technology to uncover
# potential vulnerabilities related to authentication, authorization as well as data validation.
#
# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
#
# To use this workflow, you need a 42Crunch platform account. If you do not have one, you can contact us
# from this page: https://42crunch.com/request-demo.
#
# 1. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
# to create an API Token on the 42Crunch platform
#
# 2. Create an secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
# and store the 42Crunch API Token in that secret. Expected default is API_TOKEN (see the api-token property in the task).
#
# If you have any questions or need help, open an issue at: https://support.42crunch.com.
name: "42Crunch REST API Static Security Testing"
# follow standard Code Scanning triggers
on:
push:
branches: [ "master" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "master" ]
schedule:
- cron: '35 18 * * 3'
permissions:
contents: read
jobs:
rest-api-static-security-testing:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 42Crunch REST API Static Security Testing
uses: 42Crunch/api-security-audit-action@8f3291aee67d774baf12330d1bfe86af2c861a06
with:
# Please create free account at https://platform.42crunch.com/register
# Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
api-token: ${{ secrets.API_TOKEN }}
# Fail if any OpenAPI file scores lower than 75
min-score: 75
# Upload results to Github code scanning
upload-to-code-scanning: true
# Github token for uploading the results
github-token: ${{ github.token }}