Github Actions


Last updated 9 months ago

Overview

This GitHub Actions workflow integrates Sec1 to run vulnerability scans on your GitHub projects. Sec1 is a powerful tool that helps identify security vulnerabilities within your codebase.

Obtaining your Sec1 API Key

To use Sec1 in your workflow, you need to obtain an API key. Follow these steps:

  1. Navigate to Sec1 Website:

    • Visit the Sec1 portal and log in using your GitHub credentials.

  2. Generate API Key:

    • In the "Settings" section, locate the "API key" and click on "Generate API key."

  3. Copy the API Token:

    • Copy the generated API token.

  4. Add API Key to GitHub Repository Secrets:

    • Add the copied API key to your GitHub repository secrets. Refer to GitHub's documentation for creating secrets at the repository level.

    • If you are working at the organization level, follow the instructions there to create secrets for your organization.

  5. Set API Key Variable in GitHub Actions:

    • In your GitHub Actions workflow file (e.g., .github/workflows/main.yml), set the apikey variable using the secret you created:

      env:
        apikey: ${{ secrets.SEC1_API_KEY }}

Examples

Sec1 Security Scan

Below is an example of using the Sec1 Security Action in your GitHub Actions workflow. This example runs the Sec1 scan on each push to the repository.

In your repository, create the .github/workflows folder and, inside it, a main.yaml file. Copy the code below into main.yaml to add Sec1 Security.

name: Example workflow using Sec1 Security 
on: push
jobs:
  sec1-security:
    runs-on: ubuntu-latest
    name: Sec1 Security
    steps:
      - uses: actions/checkout@master
      - name: Run Sec1 Scan to check for vulnerabilities
        uses: sec0ne/actions/security@main
        with:
          apikey: ${{ secrets.SEC1_API_KEY }}

Customizing Scan Thresholds

Sec1 scan supports setting up threshold values. If the scan reports vulnerabilities exceeding the specified thresholds, Sec1 Security will mark the build as failed. You can set threshold values for different severities such as critical, high, medium, and low.

name: Example workflow using Sec1 Security 
on: push
jobs:
  sec1-security:
    runs-on: ubuntu-latest
    name: Sec1 Security
    steps:
      - uses: actions/checkout@master
      - name: Run Sec1 Scan to check for vulnerabilities and with threshold values
        uses: sec0ne/actions/security@main
        with:
          apikey: ${{ secrets.SEC1_API_KEY }}
          scanThreshold: critical=1 high=1
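The following is an added reference model of the threshold gate described above, written for this page and not Sec1's own code: it parses the scanThreshold string in the format shown ("critical=1 high=1", generalized to all four severities the text names) and decides whether a build should fail. It assumes that "exceeding" means a finding count strictly greater than the configured value; the sample counts are constructed, not real scanner output.

```python
"""Model of a scanThreshold gate for the Sec1 GitHub Action (added example)."""
from __future__ import annotations

# Severities the page says can be gated; unknown names are rejected.
SEVERITIES = ("critical", "high", "medium", "low")


def parse_thresholds(spec: str) -> dict[str, int]:
    """Parse a space-separated 'severity=count' spec such as 'critical=1 high=1'.

    A severity absent from the spec is not gated at all.
    """
    thresholds: dict[str, int] = {}
    for token in spec.split():
        severity, sep, raw = token.partition("=")
        if not sep:
            raise ValueError(f"malformed threshold token: {token!r}")
        severity = severity.strip().lower()
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity!r}")
        count = int(raw)  # raises ValueError on non-numeric input
        if count < 0:
            raise ValueError(f"negative threshold for {severity}: {count}")
        thresholds[severity] = count
    return thresholds


def evaluate(counts: dict[str, int], thresholds: dict[str, int]) -> list[str]:
    """Return the gated severities whose finding count exceeds the threshold.

    Assumption: 'exceeding' is strictly greater, so 'critical=1' tolerates one
    critical finding and fails the build on the second.
    """
    return [
        severity
        for severity in SEVERITIES
        if severity in thresholds and counts.get(severity, 0) > thresholds[severity]
    ]


def build_passes(counts: dict[str, int], spec: str) -> bool:
    """True when no gated severity exceeds its threshold (empty spec gates nothing)."""
    return not evaluate(counts, parse_thresholds(spec))


if __name__ == "__main__":
    # Constructed sample summary, not real Sec1 output.
    sample_counts = {"critical": 0, "high": 3, "medium": 12, "low": 40}
    spec = "critical=1 high=1"
    print("violations:", evaluate(sample_counts, parse_thresholds(spec)))
    print("build passes:", build_passes(sample_counts, spec))
```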

Now, your GitHub Actions workflow is set up to leverage Sec1 for continuous security checks in your projects.
