StackSpot AI Security Action POC
This action identifies vulnerabilities (a SAST check) using the StackSpot AI Remote Quick Command concept.
It returns a list of vulnerabilities for each changed file, following the structure below:
```json
[
  {
    "title": "<TITLE>",
    "severity": "<SEVERITY>",
    "correction": "<CORRECTION>",
    "lines": "<LINES>"
  }
]
```
Note: this action only analyses files that changed in the triggering event (pull_request*, push, merge_group, release, etc., potentially the same events referred to here). It does not detect uncommitted changes created during the workflow run itself.
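The per-file list above is the part a consumer of this action has to handle. The following is an added example (not part of the action or its repository) of a small Python consumer that parses that structure, normalises the severity field, decides whether the job should fail above a chosen severity, and renders the findings as a markdown table suitable for a PR comment. The sample findings, the severity ranking and the `outputs` dictionary shape (file path to JSON string) are constructed assumptions; the action's real output variable names are not documented on this page.

```python
"""Consumer for the per-file vulnerability list described in the README.

Added example, not the action's own code. Assumptions (constructed):
- each file's result is a JSON list of objects with the keys
  "title", "severity", "correction" and "lines";
- severity values are ranked as in SEVERITY_RANK; anything else is UNKNOWN.
"""
import json
from collections import Counter

# Constructed ranking; the page does not define the severity vocabulary.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
REQUIRED_KEYS = ("title", "severity", "correction", "lines")

# Constructed sample output for two files, in the README's structure.
SAMPLE_OUTPUT = {
    "src/app.py": json.dumps([
        {"title": "SQL query built with string formatting", "severity": "HIGH",
         "correction": "Use parameterised queries.", "lines": "42-45"},
        {"title": "Hard-coded credential", "severity": "critical",
         "correction": "Load the secret from the environment.", "lines": "10"},
    ]),
    "src/util.py": json.dumps([]),
}


def parse_findings(raw):
    """Parse one file's JSON list, filling missing keys and normalising severity."""
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("expected a JSON list of findings")
    findings = []
    for item in data:
        if not isinstance(item, dict):
            raise ValueError("each finding must be a JSON object")
        finding = {key: str(item.get(key, "")) for key in REQUIRED_KEYS}
        severity = finding["severity"].strip().upper()
        finding["severity"] = severity if severity in SEVERITY_RANK else "UNKNOWN"
        findings.append(finding)
    return findings


def summarize(outputs):
    """Aggregate findings across files: counts per severity, total, highest seen."""
    counts = Counter()
    highest = "UNKNOWN"
    per_file = {}
    for path, raw in outputs.items():
        findings = parse_findings(raw)
        per_file[path] = findings
        for finding in findings:
            counts[finding["severity"]] += 1
            if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[highest]:
                highest = finding["severity"]
    return {"counts": dict(counts), "total": sum(counts.values()),
            "highest": highest, "per_file": per_file}


def should_fail(outputs, threshold="HIGH"):
    """True when at least one finding is at or above the threshold severity."""
    summary = summarize(outputs)
    return (summary["total"] > 0 and
            SEVERITY_RANK[summary["highest"]] >= SEVERITY_RANK[threshold.upper()])


def render_markdown(outputs):
    """Render all findings as a markdown table; '|' in fields is escaped."""
    summary = summarize(outputs)
    cell = lambda text: text.replace("|", "\\|")
    lines = [f"**SAST findings: {summary['total']} (highest: {summary['highest']})**",
             "",
             "File | Lines | Severity | Title | Correction",
             "---|---|---|---|---"]
    for path, findings in summary["per_file"].items():
        for f in findings:
            lines.append(" | ".join(cell(v) for v in
                                    (path, f["lines"], f["severity"], f["title"], f["correction"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(SAMPLE_OUTPUT))
    # Non-zero exit lets a workflow step gate the PR on the findings.
    raise SystemExit(1 if should_fail(SAMPLE_OUTPUT) else 0)
```

The severity normalisation matters in practice: an LLM-backed check may return "High", "high" or an unexpected label, and a gate that compares raw strings would silently pass such findings. Unknown labels are kept (and shown in the table) but never trigger a failure on their own.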
```yaml
on:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: # mandatory to add comment on PR
  issues: write
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: GuillaumeFalourd/stackspot-ai-security-action-poc@main
        id: run
        with:
          CLIENT_ID: ${{ secrets.CLIENT_ID }}
          CLIENT_KEY: ${{ secrets.CLIENT_KEY }}
          CLIENT_REALM: stackspot
          QC_SLUG: sast-rqc
```
| Field | Mandatory | Default Value | Observation |
|---|---|---|---|
| CLIENT_ID | YES | N/A | StackSpot Client ID. |
| CLIENT_KEY | YES | N/A | StackSpot Client KEY. |
| CLIENT_REALM | YES | N/A | StackSpot Client Realm. |
| QC_SLUG | YES | N/A | StackSpot Remote Quick Command reference. |
TODO
- DAST RQC.
- Add comment on PR.
- Generate a vulnerability report (example).
- Add an action configuration file.
To run any StackSpot AI remote quick command, please check https://github.com/GuillaumeFalourd/stackspot-ai-rqc.