From 499e38bc3ee1fea3ced5760aa8d1668e781b768e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 20:35:15 +0530 Subject: [PATCH 1/3] Added starter workflow to help you get started with APIsec-Scan Actions. --- code-scanning/apisec-scan.yml | 63 +++++++++++++++++++ .../properties/apisec-scan.properties.json | 24 +++++++ icons/apisec.svg | 17 +++++ 3 files changed, 104 insertions(+) create mode 100644 code-scanning/apisec-scan.yml create mode 100644 code-scanning/properties/apisec-scan.properties.json create mode 100644 icons/apisec.svg diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml new file mode 100644 index 0000000..55356ad --- /dev/null +++ b/code-scanning/apisec-scan.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger-APIsec-Scan: + runs-on: ubuntu-latest + + steps: + - name: APIsec Scan + uses: apisec-inc/apisec-run-scan@master + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./apisec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json new file mode 100644 index 0000000..9e7db58 --- /dev/null +++ b/code-scanning/properties/apisec-scan.properties.json @@ -0,0 +1,24 @@ +{ + "name": "APIsec Scan", + "creator": "APIsec", + "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/apisec.svg b/icons/apisec.svg new file mode 100644 index 0000000..664dfa9 --- /dev/null +++ b/icons/apisec.svg @@ -0,0 +1,17 @@ + + + Group + + + + \ No newline at end of file From 6439d558f42430c1a7e94c9ca7aa587dcbe8d1ed Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 21:14:54 +0530 Subject: [PATCH 2/3] Updated the names as per the pull request checklist. --- code-scanning/apisec-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 55356ad..67937ac 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -32,21 +32,23 @@ on: # Triggers the workflow on push or pull request events but only for the $default-branch branch # Customize trigger events based on your DevSecOps processes. push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] + schedule: + - cron: $cron-weekly # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Trigger-APIsec-Scan: + Trigger APIsec scan: runs-on: ubuntu-latest steps: - - name: APIsec Scan - uses: apisec-inc/apisec-run-scan@master + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} @@ -57,7 +59,7 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import Results + - name: Import results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./apisec-results.sarif \ No newline at end of file From 3f39a5a76b03f05e551caec5165369544e4bf35f Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 1 Dec 2021 13:27:02 +0530 Subject: [PATCH 3/3] Removed the unwanted space in actions file. Updated the logo to have only the shield portion. --- code-scanning/apisec-scan.yml | 1 - icons/apisec.svg | 16 ++++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 67937ac..3aa06ca 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -58,7 +58,6 @@ jobs: apisec-project: "VAmPI" # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import results uses: github/codeql-action/upload-sarif@v1 with: diff --git a/icons/apisec.svg b/icons/apisec.svg index 664dfa9..8b2760b 100644 --- a/icons/apisec.svg +++ b/icons/apisec.svg @@ -1,17 +1,9 @@ - - Group + + Fill 11 - \ No newline at end of file