Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
aikidosec

GitHub Action

Aikido Security Github Action

v1.0.9

Aikido Security Github Action

aikidosec

Aikido Security Github Action

This action triggers a scan in Aikido. It will throw an error if any new critical issues were found

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: Aikido Security Github Action

              
  uses: AikidoSec/[email protected]
Learn more about this action in AikidoSec/github-actions-workflow

Choose a version

Aikido Security Github action

This repository contains an application that can be used in Github action workflows. It will trigger a scan in Aikido to make sure no new critical issues are introduced into your application. The free tier plan allows for scanning on dependencies. Other features such as blocking on SAST or license findings are part of the paid plan.

Using the action

This is an example workflow you could use to trigger a scan for each new pull request

name: Aikido Security
on:
  pull_request:
    branches:
      - '*'

jobs:
  aikido-security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Detect new vulnerabilities
        uses: AikidoSec/[email protected]
        with:
            secret-key: ${{ secrets.AIKIDO_SECRET_KEY }}
            fail-on-timeout: true
            fail-on-dependency-scan: true
            fail-on-sast-scan: false
            fail-on-iac-scan: false
            minimum-severity: 'CRITICAL'
            timeout-seconds: 180
            post-scan-status-comment: false
            github-token: ${{ secrets.GITHUB_TOKEN }}

The action has 3 possible outcomes:

  • SUCCEEDED: the scan was completed successfully and we did not encounter any new critical issues
  • FAILED: the scan was completed successfully, but we found new critical issues
  • TIMED_OUT: the scan did not complete before the set timeout. In this case we won't let the action fail, but we do return this special case to not block your pipeline.

Required fields:

  • secret-key: The secret key generated at CI integrations settings.
  • minimum-severity: Determines on which (minimum) severity Aikido should respond with FAILED. This value can be one of LOW, MEDIUM, HIGH, CRITICAL.

Optional fields:

  • fail-on-timeout: Determines wether the workflow should respond with FAILED in case the scans timed out after 2 minutes.
  • fail-on-dependency-scan: Determines wether Aikido should block on new dependency issues (CVEs).
  • fail-on-sast-scan: Determines wether Aikido should block on new SAST issues. This is available in all paid plans.
  • fail-on-iac-scan: Determines wether Aikido should block on new Infrastructure as Code issues. This is available in all paid plans.
  • post-scan-status-comment: Let Aikido post a comment on the PR (when in PR context) with the latest scan status and a link to the scan results.
  • github-token: Must be set only if you want Aikido to post a comment on the PR. If the default ${{ secrets.GITHUB_TOKEN }} environment token does not have write capabilities, Aikido needs a PAT with specific permissions to read and write comments in a PR.

Contributing

Install the dependencies

$ npm install

When the changes have been implemented, you need to build and package the code for release. Run the following commands and commit it to the repository.

$ npm run build && npm run package

Change action.yml

The action.yml defines the inputs and output of our action.

See the documentation

Creating a new release

To update the app, you will need to update the app's bundle. First run

npm run build

Followed by:

npm run package

The contents of the dist folder should now be altered, commit these changes and merge them into the main branch.

Next, create a release on Github by clicking on tags and then releases. Then you can draft and release a new version.