-
Notifications
You must be signed in to change notification settings - Fork 0
40 lines (38 loc) · 2.35 KB
/
bright-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: bright-scan
on: workflow_dispatch
jobs:
start_and_wait_scan:
runs-on: ubuntu-20.04
container: node:20
name: A job to run a BrightSec scan
steps:
- uses: actions/checkout@v2
- run: |
apt update -qq --fix-missing
apt install -y --no-install-recommends nodejs npm make g++
npm install -g @brightsec/cli --unsafe-perm=true
apt-get install jq -y
apt-get install curl -y
- name: Save environment variables
run: |
printf "BRIGHT_TOKEN=${{ secrets.BRIGHT_TOKEN }}\nPROJECT=${{ secrets.BRIGHT_PROJECT }}\nBC_LESSB_AUTH=${{ secrets.BRIGHT_AUTH }}" > .env
cat .env
- run: sleep 3s
- name: Start Brightsec Scan 🏁
id: start
run: |
SCAN_ID=$(bright-cli scan:run --token ${{ secrets.BRIGHT_TOKEN }} --name "💎 BrokenCrystals for a '${GITHUB_REF##*/}' branch #${GITHUB_RUN_NUMBER}" --smart true --param query fragment body --module dast --test amazon_s3_takeover jwt broken_saml_auth cookie_security directory_listing email_injection file_upload full_path_disclosure graphql_introspection header_security html_injection http_method_fuzzing improper_asset_management insecure_tls_configuration ldapi lfi nosql open_cloud_storage open_database osi rfi secret_tokens ssti server_side_js_injection ssrf sqli version_control_systems xpathi business_constraint_bypass date_manipulation excessive_data_exposure id_enumeration mass_assignment retire_js --crawler https://qa.brokencrystals.com/ --auth ${{ secrets.BRIGHT_AUTH }} --project ${{ secrets.BRIGHT_PROJECT }} --cluster app.brightsec.com)
echo "SCAN_ID=$SCAN_ID" >> $GITHUB_ENV
- name: Get the output scan url 🔗
run: |
printf "Scan was started, check the details at https://app.brightsec.com/scans/$SCAN_ID"
- name: Wait for issues ⏳
run: |
POLLING_RESULT=$(bright-cli scan:polling --interval 30s --timeout 240m --token ${{ secrets.BRIGHT_TOKEN }} --breakpoint high_issue $SCAN_ID --cluster app.brightsec.com)
echo "POLLING_RESULT=$POLLING_RESULT" >> $GITHUB_ENV
- name: Stop Scan 🛑
continue-on-error: true
if: ${{ failure() }}
run: |
printf "Polling result was $POLLING_RESULT"
bright-cli scan:stop --token ${{ secrets.BRIGHT_TOKEN }} $SCAN_ID --cluster app.brightsec.com