bright-scan #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: bright-scan | |
| on: workflow_dispatch | |
| jobs: | |
| start_and_wait_scan: | |
| runs-on: ubuntu-20.04 | |
| container: node:20 | |
| name: A job to run a BrightSec scan | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - run: | | |
| apt update -qq --fix-missing | |
| apt install -y --no-install-recommends nodejs npm make g++ | |
| npm install -g @brightsec/cli --unsafe-perm=true | |
| apt-get install jq -y | |
| apt-get install curl -y | |
| - name: Save environment variables | |
| run: | | |
| printf "BRIGHT_TOKEN=${{ secrets.BRIGHT_TOKEN }}\nPROJECT=${{ secrets.BRIGHT_PROJECT }}\nBC_LESSB_AUTH=${{ secrets.BRIGHT_AUTH }}" > .env | |
| cat .env | |
| - run: sleep 3s | |
| - name: Start Brightsec Scan π | |
| id: start | |
| run: | | |
| SCAN_ID=$(bright-cli scan:run --token ${{ secrets.BRIGHT_TOKEN }} --name "π BrokenCrystals for a '${GITHUB_REF##*/}' branch #${GITHUB_RUN_NUMBER}" --smart true --param query fragment body --module dast --test amazon_s3_takeover jwt broken_saml_auth cookie_security directory_listing email_injection file_upload full_path_disclosure graphql_introspection header_security html_injection http_method_fuzzing improper_asset_management insecure_tls_configuration ldapi lfi nosql open_cloud_storage open_database osi rfi secret_tokens ssti server_side_js_injection ssrf sqli version_control_systems xpathi business_constraint_bypass date_manipulation excessive_data_exposure id_enumeration mass_assignment retire_js --crawler https://qa.brokencrystals.com/ --auth ${{ secrets.BRIGHT_AUTH }} --project ${{ secrets.BRIGHT_PROJECT }} --cluster app.brightsec.com) | |
| echo "SCAN_ID=$SCAN_ID" >> $GITHUB_ENV | |
| - name: Get the output scan url π | |
| run: | | |
| printf "Scan was started, check the details at https://app.brightsec.com/scans/$SCAN_ID" | |
| - name: Wait for issues β³ | |
| run: | | |
| POLLING_RESULT=$(bright-cli scan:polling --interval 30s --timeout 240m --token ${{ secrets.BRIGHT_TOKEN }} --breakpoint high_issue $SCAN_ID --cluster app.brightsec.com) | |
| echo "POLLING_RESULT=$POLLING_RESULT" >> $GITHUB_ENV | |
| - name: Stop Scan π | |
| continue-on-error: true | |
| if: ${{ failure() }} | |
| run: | | |
| printf "Polling result was $POLLING_RESULT" | |
| bright-cli scan:stop --token ${{ secrets.BRIGHT_TOKEN }} $SCAN_ID --cluster app.brightsec.com |