Skip to main content

Run scans using GitHub Action and Drone Plugin steps

GitHub Actions is a GitHub feature that enables you to automate various event-driven activities, such as security scanning, in GitHub. This topic describes how to run GitHub Action scans and ingest the results into your Harness pipelines.

Important notes

  • GitHub Action security scans are useful primarily for integrated CI/STO pipelines, which require both CI and STO licenses. For more information, go to Migrate from GitHub Actions to Harness CI.

  • You can run scans using GitHub Action steps and Plugin steps.

  • The type of step to use depends on your build infrastructure. For Harness Cloud infrastructures, use Action steps. For Kubernetes infrastructures, you can use Action or Plugin steps.

  • GitHub and Harness use slightly different terminologies for similar concepts:

    • GitHub workflow = Harness pipeline
    • GitHub job = Harness Stage
    • GitHub step = Harness step

  • Harness recommends that you output your scan results to a data file in SARIF format. You can then use a Custom Ingestion step to ingest the results into your pipeline.

    For a description of the end-to-end workflow, go to Ingest SARIF scan results.

  • As described below, you need to translate settings from the GitHub Action YAML to the Harness pipeline YAML. It is good practice to configure these settings in the YAML editor.

  1. Open the CI or STO pipeline where you want to run the action, then go to the Build or Security Tests stage where you want to run the action.

  2. Click Add Step and then add a GitHub Action plugin step.

  3. Use Settings to specify the Github Action you want to use and to pass variables and attributes required by the Action.

    For information about the settings to set, go to the external scanner documentation.

    For a complete description of how to set up a GitHub Action Plugin step, go to Use the GitHub Action plugin step.

KeyDescriptionValue formatValue example
usesSpecify the Action's repo, along with a branch or tag.[repo]@[tag]ajinabraham/njsscan-action@master
withProvide a map of key-value pairs representing settings required by the action itself. At a minimum, make sure you configure the action to publish results in SARIF format. key: value args: . --sarif --output result.sarif || true
envSpecify a map of environment variables to pass to the Action. For example, you might need to pass an access token to scan a private repository.key: valueGITHUB_TOKEN: <+secrets.getValue("github_pat")>
  1. Add a Custom Ingest step and set it up to ingest the data file.

Example setup

This example uses the njsscan action to scan a container. As noted in the Github Code Scanning SARIF upload snippet, you can configure the args value to output the scan results to a SARIF file:

name: njsscan
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
njsscan:
runs-on: ubuntu-latest
name: njsscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: nodejsscan scan
id: njsscan
uses: ajinabraham/njsscan-action@master
# ARGUMENTS THAT SPECIFY THE SARIF OUTPUT FILE
with:
args: '. --sarif --output results.sarif || true'
- name: Upload njsscan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif

Given this, you would set up the Action step in your Harness pipeline like this. You can then set up a CustomIngest step to ingest the trivy-results.sarif file that gets generated.

- step:
type: Action
name: njsscan
identifier: njsscan
spec:
uses: ajinabraham/njsscan-action@master
# ARGUMENTS THAT SPECIFY THE SARIF OUTPUT FILE
with:
args: . --sarif --output result.sarif || true
YAML pipeline example
pipeline:
projectIdentifier: myProject
orgIdentifier: myOrg
tags: {}
identifier: nodejs-repo-scane
name: NodeJS repo scan
properties:
ci:
codebase:
connectorRef: MY_REPO_CONNECTOR
repoName: https://github.com/OWASP/NodeGoat
build: <+input>
stages:
- stage:
name: njsscan
identifier: njsscan
type: CI
spec:
cloneCodebase: true
execution:
steps:
- step:
type: Action
name: njsscan
identifier: njsscan
spec:
uses: ajinabraham/njsscan-action@master
with:
args: . --sarif --output result.sarif || true
- step:
type: CustomIngest
name: CustomIngest_1
identifier: CustomIngest_1
spec:
mode: ingestion
config: default
target:
name: nodegoat
type: repository
variant: develop
advanced:
log:
level: info
ingestion:
file: /harness/result.sarif
platform:
os: Linux
arch: Amd64
runtime:
type: Cloud
spec: {}
sharedPaths:
- /shared/customer_artifacts/