SCAN-5473 : Add initial local scanner action.

.eslintrc.json

@@ -0,0 +1,11 @@
+{
+  "env": {
+    "es2021": true,
+    "node": true
+  },
+  "extends": ["eslint:recommended", "prettier"],
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  }
+}

.github/CODEOWNERS

@@ -0,0 +1,16 @@
+# Lines starting with '#' are comments.
+# Each line is a file pattern followed by one or more owners.
+
+# More details are here: https://help.github.com/articles/about-codeowners/
+
+# The '*' pattern is global owners.
+
+# Order is important. The last matching pattern has the most precedence.
+# The folders are ordered as follows:
+
+# In each subsection folders are ordered first by depth, then alphabetically.
+# This should make it easy to add new rules without breaking existing ones.
+
+# Global rule:
+# SAST Developers
+*   @Contrast-Security-OSS/sast-admins

.github/workflows/release.yaml

@@ -0,0 +1,55 @@
+name: Release local scanner action
+
+on:
+  push:
+    branches:
+      - 'main'
+
+permissions:
+  contents: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install modules
+        run: npm ci
+      - name: eslint
+        run: npm run lint:check
+
+  build-action-docker-image:
+    needs: [ lint ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build local scanner action image
+        run: |
+          docker build .
+  
+  verify-action:
+    runs-on: ubuntu-latest
+    needs: [ build-action-docker-image ]
+    steps:
+      - uses: actions/checkout@v3
+      - uses : ./
+        name: Run action against repoository
+        with:
+          apiUrl: ${{ secrets.CONTRAST__API__URL }}
+          apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
+          apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
+          apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
+          apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
+          severity: medium
+          path: src
+
+  release:
+    runs-on: ubuntu-latest
+    needs: [ test-action ]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install modules
+        run: npm run ci
+      - name: release
+        run: npm run release
+

.github/workflows/validate.yaml

@@ -0,0 +1,47 @@
+name: Validate local scanner action
+
+on:
+  push:
+    branches:
+    - '*'
+    - '!main'
+
+permissions:
+  contents: read
+  checks: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install modules
+        run: npm ci
+      - name: eslint
+        run: npm run lint:check
+
+  build-action-docker-image:
+    needs: [ lint ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build local scanner action image
+        run: |
+          docker build .
+  
+  verify-action:
+    runs-on: ubuntu-latest
+    needs: [ build-action-docker-image ]
+    steps:
+      - uses: actions/checkout@v3
+      - uses : ./
+        name: Run action against repoository
+        with:
+          apiUrl: ${{ secrets.CONTRAST__API__URL }}
+          apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
+          apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
+          apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
+          apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
+          checks: true
+          severity: medium
+          path: src

.gitignore

@@ -0,0 +1,2 @@
+node_modules
+.vscode

Dockerfile

@@ -0,0 +1,11 @@
+FROM alpine:3.19
+
+RUN apk upgrade && \
+  apk add nodejs npm openjdk11-jre-headless tar
+
+COPY package.json /contrast-local-scanner/package.json
+RUN cd /contrast-local-scanner && npm i --production
+
+COPY src /contrast-local-scanner/src
+
+ENTRYPOINT ["node", "/contrast-local-scanner/src/index.js"]

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright [2024] [Contrast Security, Inc]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

README.md

@@ -1,2 +1,120 @@
-# contrast-local-scan-action
-Contrast Local Scanner Github action
+# Use Contrast Local Scanner to analyze your code
+
+This GitHub action lets you use Contrast Local Scanner to detect vulnerabilities in your code without uploading your code to Contrast's servers.
+
+## Supported Languages
+- ASP.NET
+- C
+- C#
+- C++
+- COBOL
+- GO
+- HTML
+- Java
+- JavaScript/TypeScript
+- JSP
+- Kotlin
+- PHP
+- Python
+- Scala
+- VB.NET
+
+## **Initial steps for using the action**
+If you are not familiar with GitHub actions read the
+[GitHub Actions](https://docs.github.com/en/actions) documentation to learn what GitHub Actions are and how to set them
+up. After which, complete the following steps:
+
+1. Configure the following GitHub secrets
+
+   - CONTRAST__API__API_KEY
+   - CONTRAST__API__ORGANIZATION
+   - CONTRAST__API__SERVICE_KEY
+   - CONTRAST__API__USER_NAME
+   - CONTRAST__API__URL
+
+  ![secrets](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/a40f01a3-b179-4837-abd2-df91a5a220fb)
+
+2. Get your authentication details for the secrets from the 'User Settings' menu in the Contrast web interface: You will need the following 
+
+    - Organization ID
+    - Your API key
+    - Service key
+    - User name
+    - You will also need the URL of your Contrast UI host. This input includes the protocol section of the URL (https://).
+
+    ![credentials](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/7a123c22-1f5f-4091-90d3-f297959d1e20)
+
+3. Create a workflow, or update an existing one to run this action against your code (for example, on push)
+
+   ```yaml
+     name: Scan with local scanner
+
+     on:
+       push:
+         branches:
+           - 'main'
+
+     permissions:
+       contents: read
+
+     jobs:
+       scan:
+         runs-on: ubuntu-latest
+         steps:
+           - uses: actions/checkout@v3
+           - uses: Contrast-Security-OSS/[email protected]
+             with:
+               apiUrl: ${{ secrets.CONTRAST__API__URL }}
+               apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
+               apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
+               apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
+               apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
+   ```
+
+4. To fail the step based on vulnerabilities being found at a severity or higher, set the severity option to one of critical, high, medium, low, note.
+
+   *Note: this is based on the aggregated vulnerabilities found at the project level.*
+
+   ```yaml
+     scan:
+     runs-on: ubuntu-latest
+       steps:
+         - uses: actions/checkout@v3
+         - uses: Contrast-Security-OSS/[email protected]
+         with:
+           apiUrl: ${{ secrets.CONTRAST__API__URL }}
+           apiUserName: ${{ secrets.CONTRAST__API__USER_NAME }}
+           apiKey: ${{ secrets.CONTRAST__API__API_KEY }}
+           apiServiceKey: ${{ secrets.CONTRAST__API__SERVICE_KEY }}
+           apiOrgId: ${{ secrets.CONTRAST__API__ORGANIZATION }}
+           severity: high
+   ```
+
+5. To add GitHub checks to the current commit (e.g. the current PR), set the checks option to true.
+
+   *Note: You need the checks: write permission to be set if enabling this.*
+
+   ![checks](https://github.com/Contrast-Security-OSS/contrast-local-scan-action/assets/6448060/d39d14c4-1f05-4ac6-8e3d-c09912ed9559)
+
+## Required Inputs
+
+- apiUserName : A valid user name from the Contrast platform.
+- apiKey : An API key from the Contrast platform.
+- apiServiceKey : An API Service Key from the Contrast platform
+- apiOrgId : The ID of your organization in Contrast.
+
+## Optional Inputs
+
+- apiUrl : Url of your Contrast instance, defaults to https://app.contrastsecurity.com/
+- checks : If set, GitHub checks will be added to the current commit based on any vulnerabilities found.
+- codeQuality : Passes the -q option to the Contrast local scanner to include code quality rules in the scan.
+- label : Label to associate with the current scan. Defaults to the current ref e.g. **refs/heads/main**
+- memory : Memory setting passed to the underlying scan engine. Defaulted to 2g.
+- path : Path to scan with Contrast local scanner. Defaults to the current repository path.
+- projectName : Project to associate scan with. Defaults to current GitHub repository name e.g. **Contrast-Security-OSS/contrast-local-scan-action**
+- resourceGroup : Passes the -r option to the Contrast local scanner to associate newly created projects with the specified resource group.
+- severity : Set this to cause the build to fail if vulnerabilities are found at this severity or higher. Valid values are critical, high, medium, low, note.
+
+
+
+

action.yml

@@ -0,0 +1,62 @@
+name: Contrast Local Scan
+description: Runs Contrast local scanner against the current repository
+inputs:
+  apiUrl:  # id of input
+    description: Url of your contrast instance, defaults to https://app.contrastsecurity.com/
+    required: true
+    default: 'https://app.contrastsecurity.com/'
+  apiUserName:
+    description: User name for authentication
+    required: true
+  apiKey:
+    description: API Key from user settings
+    required: true
+  apiServiceKey:
+    description: Service Key from user settings
+    required: true
+  apiOrgId:
+    description: Organization ID from user settings
+    required: true
+  checks:
+    description: > 
+      If set, checks will be added to the current commit based on any vulnerabilities found.
+      Requires the 'checks: write' permission.
+    required: false
+    default: false
+  codeQuality:
+    description: Set this to true to include code quality rules when executing source code scanner.
+    required: false
+    default: false
+  label:
+    description: Label to associate with the current scan. Defaults to the current ref e.g. refs/heads/main
+  memory:
+    description: Memory setting passed to the underlying scan engine. Defaulted to 2g
+    required: false
+  path:
+    description: Path to scan with local scanner. Defaults to the current repository path.
+    required: false
+  projectName:
+    description: Project to associate scan with. Defaults to current github repository name e.g. Example-ORG/example-repo
+    required: false
+  resourceGroup:
+    description: Resource group to assign newly created projects to.
+    required: false
+  strategy:
+    description: >
+      Used in conjuction with severity or checks, set this valid to fail the build based on agreggated project
+      vulnerabilities or scan level. Valid values are "project" or "scan". Defaults to "project".
+    required: false
+    default: "project"
+  severity: 
+    description: > 
+      Set this to cause the build to fail if vulnerabilities are found exceeding this severity or higher. 
+      Valid values are CRITICAL, HIGH, MEDIUM, LOW, NOTE.
+    required: false
+  token:
+    description: >
+      GitHub token for GitHub API requests. Defaults to GITHUB_TOKEN.
+    required: true
+    default: ${{ github.token }}
+runs:
+  using: 'docker'
+  image: 'Dockerfile'