Skip to main content

Use Contrast Scan for GitHub repositories

Use the Contrast Local Scan to scan GitHub repositories for vulnerabilities without uploading your files to Contrast.

Before you begin

  • Get your Contrast authentication details by selecting the user menu > User settings in the Contrast web interface. You need these details:

    • Organization ID

    • API key

    • Service key

  • You also need a valid Contrast username and the URL of your Contrast instance.

Steps

  1. Configure these GitHub secrets:

    • CONTRAST__API__API_KEY

    • CONTRAST__API__ORGANIZATION

    • CONTRAST__API__SERVICE_KEY

    • CONTRAST__API__USER_NAME

    • CONTRAST__API__URL

  2. Create a workflow or update an existing one to run this action against your code. This example shows how to run the action on push.

     name: Scan with local scanner

  on:
    push:
      branches:
        - 'main'

  permissions:
    contents: read

  jobs:
    scan:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - uses: Contrast-Security-OSS/sast-local-scanner-action@v1.0.0
          with:
            apiUrl: ${{ secrets.CONTRAST__API__URL }}
            apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
            apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
            apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
            apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}

    The README contains additional examples of other inputs that you can add to your workflow.

Required inputs

  • apiUserName : A valid Contrast username.

  • apiKey: Your Contrast API key.

  • apiServiceKey: The Contrast service key.

  • apiOrgId: The Contrast organization ID,

Optional inputs

  • apiUrl : The URL of your Contrast instance.

    The default value is: https://app-agents.contrastsecurity.com/Contrast.

  • checks: If set, adds GitHub checks to the current commit based on any vulnerabilities found.

  • codeQuality: Passes the -q option to the Contrast local scan engine to include code quality rules in the scan.

  • label: A label to associate with the current scan.

    The default value is the current ref , for example: refs/heads/main.

  • memory: Memory setting passed to the underlying scan engine. The default value is 2G.

  • path: The path the Contrast local scan engine uses for the scan.

    The default value is the current repository path.

  • projectName: The name of a project to associate with the scan.

    The default value is the current GitHub repository name, for example, mycompany/myrepo

  • resourceGroup: Passes the -r option to the Contrast local scan engine to associate newly created projects with the specified resource group.

  • severity: Set this to cause a build to fail if the scan finds vulnerabilities at this severity or higher.

    Valid values are critical, high, medium, low, note.

See also

Contrast Contrast Local Scan for latest details.

Contrast Scan local engine

In this section: