🔒 Security Scanning for Github Actions; SAST, DAST, Secrets, and Dependencies


Cabueta is a DevSecOps security scanning tool built for GitHub. It performs static analysis (SAST), dependency scanning, dynamic analysis (DAST) and secrets scanning, and integrates with your project through GitHub Actions.

Cabueta was created to improve security at VTEX. It addresses insecure CI/CD pipelines by running the scanners inside the pipeline itself, and it provides clear, actionable output as a Markdown report together with the raw JSON output of each tool.

Sample report generated by cabueta.

Tools & Features

  • Secrets Scanning with Gitleaks

  • Dependency Scanning with osv-scanner

  • Static Code Analysis with Semgrep

  • Dynamic Application Security Testing with Nuclei

  • Access resources in AWS using OpenID Connect. With identity federation the GitHub Actions runner can reach AWS resources without storing long-lived AWS credentials in the repository. One application: every repository under an organization sends its logs securely via HTTP POST to an AWS Lambda function, and those POST requests are authenticated by both GitHub (the OIDC token) and AWS (the assumed role). More info here
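The OIDC bullet above relies on the AWS role's trust policy accepting tokens only from your organization's repositories; a loose `sub` condition lets any GitHub repository assume the role. The following is an added example, not part of cabueta, that evaluates a trust policy of the documented shape against constructed GitHub OIDC token claims. The IAM condition logic is a simplified re-implementation (StringEquals and StringLike only), and the account id, organization name (`example-org`) and claim values are placeholders.

```python
"""Simplified check of an IAM trust policy against GitHub Actions OIDC token claims."""
import fnmatch
import json

# Constructed trust policy in the shape AWS documents for GitHub OIDC federation.
# Account id and organization name are placeholders (assumptions for this example).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike":   {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}
    }
  }]
}
""")

ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def condition_matches(operator, key_value_map, claims):
    """Evaluate one IAM condition block; unsupported operators fail closed."""
    for key, expected in key_value_map.items():
        if not key.startswith(CLAIM_PREFIX):
            return False
        actual = claims.get(key[len(CLAIM_PREFIX):])
        if actual is None:
            return False
        patterns = expected if isinstance(expected, list) else [expected]
        if operator == "StringEquals":
            ok = any(actual == p for p in patterns)
        elif operator == "StringLike":
            # IAM '*' matches any run of characters, including '/' and ':'
            ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
        else:
            ok = False
        if not ok:
            return False
    return True


def assume_role_allowed(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity accepts these claims."""
    if claims.get("iss") != ISSUER:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if all(condition_matches(op, kv, claims) for op, kv in stmt.get("Condition", {}).items()):
            return True
    return False


def github_claims(repo, ref="refs/heads/main", aud="sts.amazonaws.com"):
    """Constructed subset of the claims GitHub places in an Actions OIDC token."""
    return {"iss": ISSUER, "aud": aud, "sub": f"repo:{repo}:ref:{ref}",
            "repository": repo, "ref": ref}


def with_sub_pattern(policy, pattern):
    """Copy of the policy with a different StringLike pattern on the sub claim."""
    copy = json.loads(json.dumps(policy))
    copy["Statement"][0]["Condition"]["StringLike"][CLAIM_PREFIX + "sub"] = pattern
    return copy


if __name__ == "__main__":
    for repo in ("example-org/cabueta", "other-org/cabueta", "example-organization/evil"):
        print(repo, "->", assume_role_allowed(TRUST_POLICY, github_claims(repo)))
    # A pattern without the trailing '/' also admits look-alike organization names.
    loose = with_sub_pattern(TRUST_POLICY, "repo:example-org*")
    print("loose pattern, example-organization/evil ->",
          assume_role_allowed(loose, github_claims("example-organization/evil")))
```

The last case is the one to watch when writing the condition: `repo:example-org*` (no slash) also matches `repo:example-organization/evil`, whereas `repo:example-org/*` does not.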

Usage

To use cabueta as a reusable workflow:

```yaml
name: cabueta
on:
  # Add push / pull_request triggers here to run cabueta per commit or per PR
  workflow_dispatch:

jobs:
  cabueta:
    # Prefer a tag (e.g. @v1.0.1) or a full commit SHA over @main, so the
    # workflow that runs is the one you reviewed
    uses: gbrls/cabueta/.github/workflows/cabueta.yml@main
    with:
      # Turn this on if you want nuclei to test the target-url
      dast-check: false
      target-url: https://your-website-here.com

      # Configure and turn this on if you want to collect logs in your endpoint
      upload-logs: false
      aws-role: AWS_ROLE_HERE
      aws-region: AWS_REGION_HERE
      upload-url: https://endpoint-to-collect-logs-via-http-post.com

  print:
    runs-on: ubuntu-latest
    needs: cabueta
    steps:
    - name: Print output
      # Pass the report through an environment variable rather than expanding
      # ${{ }} inside the shell command: the report carries file names, rule
      # messages and matched strings from the scanned repository, so expanding
      # it directly into `run:` is a script-injection risk (and an unquoted
      # echo would also mangle a multi-line Markdown report)
      env:
        REPORT: ${{ needs.cabueta.outputs.report }}
      run: echo "$REPORT"
```
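Cabueta reports in Markdown and also keeps each tool's JSON output. The block below is an added example, not cabueta's own code, of what a downstream job can do with those JSON files: normalize findings from gitleaks, osv-scanner, semgrep and nuclei onto one severity scale, render a Markdown table, and return a pass/fail verdict for a chosen threshold. The sample outputs are constructed, the advisory and template identifiers are placeholders, and the field names reflect each tool's JSON format as understood when this example was written; check them against the tool versions your workflow pins.

```python
"""Merge per-tool JSON outputs into one Markdown table and a pass/fail verdict."""
import json

# Constructed sample outputs (not real scan results). Field names follow the JSON
# formats of gitleaks, osv-scanner, semgrep and nuclei as the author of this example
# understands them; verify them against the tool versions your workflow pins.
GITLEAKS_JSON = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 3,
     "Description": "AWS Access Key"},
])
OSV_JSON = json.dumps({"results": [{"source": {"path": "package-lock.json"}, "packages": [
    {"package": {"name": "example-lib", "version": "1.0.0", "ecosystem": "npm"},
     "vulnerabilities": [{"id": "OSV-EXAMPLE-0001", "summary": "Constructed advisory",
                          "database_specific": {"severity": "HIGH"}},
                         {"id": "OSV-EXAMPLE-0002", "summary": "Advisory without severity"}]}]}]})
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/runner.py",
     "start": {"line": 42}, "extra": {"message": "Detected use of exec()", "severity": "WARNING"}}]})
NUCLEI_JSONL = "\n".join(json.dumps(line) for line in [
    {"template-id": "example-exposed-config", "info": {"name": "Exposed config", "severity": "high"},
     "matched-at": "https://example.test/.env"},
    {"template-id": "example-tech-detect", "info": {"name": "Tech detect", "severity": "info"},
     "matched-at": "https://example.test/"},
])

LEVELS = ["info", "low", "medium", "high", "critical"]
SEMGREP_MAP = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}


def normalize(level):
    """Lower-case a severity; anything missing or unrecognised counts as high (fail closed)."""
    level = (level or "").lower()
    return level if level in LEVELS else "high"


def parse_gitleaks(text):
    # Any leaked secret is a high finding regardless of which rule matched.
    return [{"tool": "gitleaks", "severity": "high", "id": f["RuleID"],
             "where": f'{f["File"]}:{f["StartLine"]}', "title": f["Description"]}
            for f in json.loads(text)]


def parse_osv(text):
    out = []
    for result in json.loads(text)["results"]:
        for pkg in result["packages"]:
            p = pkg["package"]
            for vuln in pkg["vulnerabilities"]:
                sev = vuln.get("database_specific", {}).get("severity")
                out.append({"tool": "osv-scanner", "severity": normalize(sev), "id": vuln["id"],
                            "where": f'{result["source"]["path"]} ({p["name"]}@{p["version"]})',
                            "title": vuln.get("summary", "")})
    return out


def parse_semgrep(text):
    return [{"tool": "semgrep", "severity": SEMGREP_MAP.get(r["extra"]["severity"], "high"),
             "id": r["check_id"], "where": f'{r["path"]}:{r["start"]["line"]}',
             "title": r["extra"]["message"]} for r in json.loads(text)["results"]]


def parse_nuclei(text):
    # nuclei's JSON output is one object per line.
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        out.append({"tool": "nuclei", "severity": normalize(r["info"]["severity"]),
                    "id": r["template-id"], "where": r["matched-at"], "title": r["info"]["name"]})
    return out


def collect():
    return (parse_gitleaks(GITLEAKS_JSON) + parse_osv(OSV_JSON)
            + parse_semgrep(SEMGREP_JSON) + parse_nuclei(NUCLEI_JSONL))


def to_markdown(findings):
    """Render findings as a Markdown table, most severe first; escape '|' in free text."""
    rows = ["| Tool | Severity | ID | Location | Title |", "|---|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: LEVELS.index(f["severity"]), reverse=True):
        cells = [f["tool"], f["severity"], f["id"], f["where"], f["title"].replace("|", "\\|")]
        rows.append("| " + " | ".join(cells) + " |")
    return "\n".join(rows)


def fails_threshold(findings, threshold="high"):
    """True if any finding is at or above the threshold; use it as the job's exit status."""
    return any(LEVELS.index(f["severity"]) >= LEVELS.index(threshold) for f in findings)


if __name__ == "__main__":
    found = collect()
    print(to_markdown(found))
    raise SystemExit(1 if fails_threshold(found) else 0)
```

The fail-closed choice in `normalize` is deliberate: an advisory with no severity field (common for fresh OSV entries) is counted as high rather than silently dropped below the threshold.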

VTEX Winter Internship 2022

This tool was the project of my Internship Program at VTEX.
