GitHub Action
Prevasio Container Security
AlgoSec Prevasio CI/CD Container Security solution is an extensible security plugin platform that provides an automated scan for Docker containers. AlgoSec Prevasio will build, simulate runtime, and scan the image statically and dynamically for security risks. This is integrated into the user's GitHub repository CI process. The action is available only to registered AlgoSec Prevasio CNAPP users. For the official trial, click here.
| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| Repository secrets | ||||
GITHUB_TOKEN |
Github PAT for checking diffs and commenting | Yes | Secret Parameter | |
ALGOSEC_TENANT_ID |
AlgoSec Tenant ID | Yes | Secret Parameter | |
ALGOSEC_CLIENT_ID |
AlgoSec Client ID | Yes | Secret Parameter | |
ALGOSEC_CLIENT_SECRET |
AlgoSec Client Secret | Yes | Secret Parameter | |
| General Parameters | ||||
CF_REGION |
Algosec deployment region us/anz/eu | No | us | string |
WORKING_DIR |
Specify the GitHub repository's folder that contains the Dockerfile | No | . (root folder) | string |
DOCKERFILE_NAME |
Specify the Dockerfile name | No | Dockerfile | string |
MIN_LEVEL_TO_BLOCK_PR |
Specify the minimum risk severity level to block the PR if at least one risk of this level is found | No | -1 (never block) | int |
Create Client ID and Client Secret in your Algosec Prevasio account using our user management module.
Add AlgoSec credentials to your GitHub repo's secrets.
Note:
- GitHub and AlgoSec credentials are mandatory in order to run the action
- If the
WORKING_DIR,DOCKERFILE_NAMEandMIN_LEVEL_TO_BLOCK_PRparameters, are not provided, the default values are taken - The severity levels for the
MIN_LEVEL_TO_BLOCK_PRare - Critical: 0, High: 1, Medium: 2. If it is set to -1, the PR won't be blocked - The branch name is also configurable. You can change the name of the branch under [on -> pull_request -> branches]
- The permissions assigned to the job are mandatory in order to enable it to read the repository content and to write the scan results as a comment in the PR
To enable the action to block the PR, follow these steps:
For the action to be defined as a required check, it must be run manually:
- Go to the repository Actions tab
- Choose the workflow that runs algosec-prevasio-cicd-container-security job
- Run the workflow
Create a new branch protection rule to define the action as a required check:
- Go to the repository Settings tab
- Click on Branches on the left sidebar
- Click Add rule / Add branch protection rule
- Specify the branch the action runs on
- Enable Require status checks to pass before merging
- Add Algosec Prevasio CI/CD Container Security as a required check
- Create the rule
name: 'Your Repo CI/CD Yaml Workflow'
on:
pull_request:
branches:
- 'main'
workflow_dispatch:
jobs:
algosec-prevasio-cicd-container-security:
name: Algosec Prevasio CI/CD Container Security
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Algosec Prevasio CI/CD Container Security
uses: algosec/[email protected]
env:
# Github's Private Access Token
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# AlgoSec credentials
ALGOSEC_TENANT_ID: ${{ secrets.CF_TENANT_ID }}
ALGOSEC_CLIENT_ID: ${{ secrets.CF_CLIENT_ID }}
ALGOSEC_CLIENT_SECRET: ${{ secrets.CF_CLIENT_SECRET }}
# General parameters
WORKING_DIR: .
DOCKERFILE_NAME: Dockerfile
MIN_LEVEL_TO_BLOCK_PR: 1
Output(screenshots)
