+
Skip to content

Ostorlab/ostorlab_actions

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ostorlab Github Action

Ostorlab ci_can for GithubAction

Ostorlab scans mobile applications (Android APK, AAB, iOS IPA) and web API and Web Applications for security and privacy issues. It provides full coverage by detecting issues on both the client-side and service-side, covering both the application code and all of its dependencies.

Ostorlab supports all major frameworks, both native and multi-platform. This includes Java, Kotlin, Objective C, Swift, Flutter, Cordova, React Native, Ionic and Xamarin.

Ostorlab provides both static and dynamic analysis capabilities, detecting over 500 vulnerability classes, like hardcoded secrets, privacy data leakage, untrusted input inject, outdated dependencies with a database of over 120k known vulnerable dependency.

Getting Started

To use Ostorlab Github Action, the first step is to generate an API key. To do so, simply follow the following steps:

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the api key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key (You can add a name and an expiry date to your key), do not forget to click the save button to save your key.

api key

Once you have generated your API, add it to GitHub Secrets. Make sure the name matches the secrets. in the YAML file. You follow these steps for more detailed instructions Github:Creating encrypted secrets for a repository

The next steps is to a update your workflow to add an Ostorlab step to trigger the scan. Below is a sample performing a rapid scan on an Android APK and failing the pipeline on vulnerabilities with HIGH severity.

on: [push]
jobs:
  ostorlab_test:
    runs-on: ubuntu-latest
    name: Test ostorlab ci actions.
    steps:
      - uses: actions/checkout@v2
      - name: build ostorlab.apk
        run: mv InsecureBankv2.apk ostorlab.apk
      - name: Launch Ostorlab scan
        id: start_scan
        uses: Ostorlab/ostorlab_actions@v1.1.1
        with:
          scan_profile: fast_scan # Specify which scan profile to use for the scan (check scan section).
          asset_type: android-apk # type of asset to scan.
          target: ostorlab.apk # path for target tto scan.
          scan_title: title_scan_ci # type a title for your scan.
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }} # your secret api key.
          break_on_risk_rating: HIGH # Wait for the scan results and force the action to fail if the scan risk is higher
          max_wait_minutes: 30
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"

Scanning Web Applications

Ostorlab also supports scanning web applications. You can specify a single web application or multiple web applications to scan. Below is an example of scanning multiple web applications:

on: [push]
jobs:
  ostorlab_web_scan:
    runs-on: ubuntu-latest
    name: Test ostorlab web scan.
    steps:
      - uses: actions/checkout@v2
      - name: Launch Ostorlab web scan
        id: start_scan
        uses: Ostorlab/ostorlab_actions@v1.1.1
        with:
          scan_profile: full_web_scan
          asset_type: link
          target: --url https://target1.co --url https://target2.ostorlab.co --url https://target3.ostorlab.co --url https://target4.ostorlab.co
          scan_title: web_scan_ci
          ostorlab_api_key: ${{ secrets.ostorlab_api_key }}
          break_on_risk_rating: HIGH
          max_wait_minutes: 60
      - name: Get scan id
        run: echo "Scan Created with id ${{ steps.start_scan.outputs.scan_id }} you can access the full report at https://report.ostorlab.co/scan/${{ steps.start_scan.outputs.scan_id }}/"

When scanning web applications, make sure to:

  • Use scan_profile: full_web_scan for comprehensive web scanning
  • Set asset_type: link to indicate you're scanning web applications
  • In the target field, list all URLs you want to scan using the --url flag before each URL
  • For example: target: --url https://target1.co --url https://target2.ostorlab.co --url https://target3.ostorlab.co --url https://target4.ostorlab.co

This configuration allows you to scan multiple web applications in a single job, making it efficient to test related web services together.

Sbom/Lock Files

You can supply your SBOM/Lock files to enhance the scan analysis, to do so use the extra input to pass --sbom***, for example to add package-lock.json file use the following example:

extra:  --sbom package-lock.json

Here you can see the list of the supported files:

  • buildscript-gradle.lockfile
  • Cargo.lock,
  • composer.lock,
  • conan.lock,
  • Gemfile.lock,
  • go.mod,
  • gradle.lockfile,
  • mix.lock,
  • Pipfile.lock,
  • package-lock.json,
  • packages.lock.json,
  • pnpm-lock.yaml,
  • poetry.lock,
  • pom.xml,
  • pubspec.lock,
  • requirements.txt,
  • yarn.lock,

Test Credentials

Ostorlab supports performing authenticated testing with either simple login password or custom inputs identified with name/label and passing value.

To pass test credentials, since the Github YAML Action do not support passing complex objects, you can use the extra input to pass --test-credetials-***. For instance to add login/password and a custom credentials with custom names and values, add the following input:

extra: --test-credentials-login test_login --test-credentials-password test_pass --test-credentials-role ci_role --test-credentials-name foo1 --test-credentials-value bar1 --test-credentials-name foo2 --test-credentials-value bar2

Action inputs

The Github actions the following options:

  • scan_profile (['fast_scan', 'full_scan', 'full_web_scan']): [Required] - Specifies the scan profile ( fast_scan for fast static only analysis, full_scan for full static, dynamic and backend coverage, and full_web_scan for web application scanning).
  • asset_type (['android-apk', 'android-aab', 'ios-ipa', 'link']): [Required] - Target asset, Ostorlab supports APK, AAB, IPA, and web applications (link). For web applications, use link.
  • target: [Required] - For mobile applications: path to the file to scan. For web applications: list of URLs to scan using the format --url https://example1.com --url https://example2.com.
  • ostorlab_api_key: [Required] - API Key from Ostorlab portal.
  • scan_title: [Optional] - A scan title to identify your scan.
  • break_on_risk_rating (['HIGH', 'MEDIUM', 'LOW','POTENTIALLY]): [Optional] - Wait for the scan results and force the action to fail if the risk rating match or is higher than the provided value.
  • max_wait_minutes: [Optional] - Max wait time in minutes, pipeline will not fail if the scan times out.
  • extra: [Optional] - Extra argument flags to pass to the Ostorlab ci-scan CLI. Common use case is passing the scan test credentials.

Action outputs

  • scan_id - The scan id is accessible using the following syntax ${{ steps.STEP_ID.outputs.scan_id }}.

More details

About

Ostorlab Github Actions to complement your CI/CD with Security Testing.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 7

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载