New: Add scan_dependencies and scan_secrets (#30)

README.md

@@ -48,7 +48,7 @@ jobs:
       - name: Compile Package
         run: mvn clean install
       - name: Scan with Endor Labs
-        uses: endorlabs/github-action@main
+        uses: endorlabs/github-action@v1.1.0
         with:
           namespace: "example"
 ```
@@ -63,19 +63,22 @@ The following input parameters are supported for the Endor Labs GitHub action:
 | `api_key` | Set the API key used to authenticate with Endor Labs. |
 | `api_secret` | Set the secret corresponding to the API key used to authenticate with Endor Labs. |
 | `enable_github_action_token` | Set to `false` if you prefer to use another form of authentication over GitHub action OIDC tokens. (Default: `true`) |
-| `enable_pr_comments` | Set to `true` to publish new findings as review comments. Must be set with `pr` and `github_token`. Additionally, the `issues: write` and `pull-requests: write` permissions must be set in the workflow. (Default: `false`) |
+| `enable_pr_comments` | Set to `true` to publish new findings as review comments. Must be set together with `pr` and `github_token`. Additionally, the `issues: write` and `pull-requests: write` permissions must be set in the workflow. (Default: `false`) |
 | `endorctl_checksum` | Set to the checksum associated with a pinned version of endorctl. |
 | `endorctl_version` | Set to a version of endorctl to pin this specific version for use. Defaults to the latest version. |
 | `export_scan_result_artifact` | Set to `false` to disable the json scan result artifact export. (Default: `true`) |
 | `gcp_service_account` | Set the target service account for GCP based authentication. GCP authentication is only enabled if this flag is set. Cannot be used with `api_key`. |
-| `github_token` | Set the GitHub token used to authenticate with GitHub. Must be provided if `enable_pr_comments` is set to `true` |
+| `github_token` | Set the token used to authenticate with GitHub. Must be provided if `enable_pr_comments` is set to `true` |
 | `log_level` | Set the log level. (Default: `info`) |
 | `log_verbose` | Set to `true` to enable verbose logging. (Default: `false`) |
 | `namespace` | Set to the namespace of the project that you are working with. (Required) |
 | `pr_baseline` | Set to the git reference that you are merging to, such as the default branch. Enables endorctl to compare findings so developers are only alerted to issues un the current changeset. Example: `pr_baseline: "main"` |
 | `pr` | Set to `false` to track this scan as a monitored version within Endor Labs, as opposed to a point in time policy and finding test for a PR. (Default: `true`) |
 | `run_stats` | Set to `false` to disable reporting of CPU/RAM/time scan statistics via `time -v` (may be required on Windows runners). (Default: `true`) |
 | `sarif_file` | Set to a location on your GitHub runner to output the findings in SARIF format. |
+| `scan_dependencies` | Scan git commits and generate findings for all dependencies. (Default: `true`) |
+| `scan_git_logs` | Perform a more complete and detailed scan of secrets in the repository history. Must be used together with `scan_secrets`. (Default: `false`) |
+| `scan_secrets` | Scan source code repository and generate findings for secrets. See also `scan_git_logs`. (Default: `false`) |
 | `scan_summary_output_type` | Set the desired output format to `table`, `json`, `yaml`, or `summary`. (Default: `json`) |
 | `tags` | Specify a list of user-defined tags to add to this scan. Tags can be used to search and filter scans later. |
 
@@ -87,7 +90,7 @@ Below is an example configuration using an Endor Labs API key:
 
 ```yaml
       - name: Scan with Endor Labs
-        uses: endorlabs/github-action@main
+        uses: endorlabs/github-action@v1.1.0
         with:
           namespace: "example"
           api_key: ${{ secrets.ENDOR_API_CREDENTIALS_KEY }}
@@ -99,7 +102,7 @@ Below is an example configuration using a GCP service account for keyless authen
 
 ```yaml
       - name: Scan with Endor Labs
-        uses: endorlabs/github-action@main
+        uses: endorlabs/github-action@v1.1.0
         with:
           namespace: "example"
           gcp_service_account: "<Insert_Your_Service_Account>@<Insert_Your_Project>.iam.gserviceaccount.com"
@@ -133,17 +136,21 @@ jobs:
           java-version: '17'
       - name: Endor Labs Scan Pull Request
         if: github.event_name == 'pull_request'
-        uses: endorlabs/github-action@main
+        uses: endorlabs/github-action@v1.1.0
         with:
           namespace: "example"
-          scan_summary_output_type: "json"
+          scan_dependencies: "true"
+          scan_secrets: "true"
+          scan_summary_output_type: "table"
           pr: "true"
           pr_baseline: "main"
       - name: Endor Labs Scan Push to main
-        if: github.event_name == 'push'
-        uses: endorlabs/github-action@main
+        if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+        uses: endorlabs/github-action@v1.1.0
         with:
           namespace: "example"
+          scan_dependencies: "true"
+          scan_secrets: "true"
           scan_summary_output_type: "table"
           pr: "false"
 ```

action.yml

@@ -40,6 +40,9 @@ inputs:
   scan_summary_output_type:
     description: "Set the desired output format to one of: `table`, `json`, `yaml`, or `summary` (default `json`)"
     default: "json"
+  scan_dependencies:
+    description: "Scan git commits and generate findings for all dependencies (default `true`)"
+    default: "true"
   # Deprecated
   ci_run:
     description: "Deprecated, please use `pr` instead"
@@ -73,11 +76,18 @@ inputs:
     description: "Set to a location on your GitHub runner to output the findings in SARIF format"
   # Use this input parameter to enable creating PR comments. This is applicable only when a workflow is triggered by a PR
   enable_pr_comments:
-    description: "Set to `true` to publish new findings as review comments. Must be set with `pr` and `github_token`. Additionally, `issues:write` and `pull-requests:write` permissions must be set in the workflow (default `false`)"
+    description: "Set to `true` to publish new findings as review comments. Must be set together with `pr` and `github_token`. Additionally, the `issues:write` and `pull-requests:write` permissions must be set in the workflow (default `false`)"
     default: "false"
   # Use this parameter to provide the GITHUB_TOKEN for your repo
   github_token:
-    description: "Provide your github token here. This is required if `enable_pr_comments` when set to `true`"
+    description: "Set the token used to authenticate with GitHub. Required if `enable_pr_comments` is set to `true`"
+  # Secrets
+  scan_secrets:
+    description: "Scan source code repository and generate findings for secrets. See also `scan_git_logs` (default `false`)"
+    default: "false"
+  scan_git_logs:
+    description: "Perform a more complete and detailed scan of secrets in the repository history. Must be used together with `scan_secrets` (default `false`)"
+    default: "false"
 runs:
   using: "node16"
   main: "dist/index.js"

dist/index.js

@@ -22028,6 +22028,9 @@ function run() {
             const SCAN_PR = core.getBooleanInput("pr");
             const SCAN_PR_BASELINE = core.getInput("pr_baseline");
             const SCAN_TAGS = core.getInput("tags");
+            const SCAN_DEPENDENCIES = core.getInput("scan_dependencies");
+            const SCAN_SECRETS = core.getInput("scan_secrets");
+            const SCAN_GIT_LOGS = core.getInput("scan_git_logs");
             const RUN_STATS = core.getInput("run_stats");
             const ADDITIONAL_ARGS = core.getInput("additional_args");
             const EXPORT_SCAN_RESULT_ARTIFACT = core.getBooleanInput("export_scan_result_artifact");
@@ -22062,6 +22065,23 @@ function run() {
             ];
             if (API)
                 options.push(`--api=${API}`);
+            if (!SCAN_DEPENDENCIES && !SCAN_SECRETS) {
+                core.error("At least one of `scan_dependencies` or `scan_secrets` must be enabled");
+            }
+            if (SCAN_DEPENDENCIES) {
+                options.push(`--dependencies=true`);
+            }
+            if (SCAN_SECRETS) {
+                options.push(`--secrets=true`);
+            }
+            if (SCAN_GIT_LOGS) {
+                if (!SCAN_SECRETS) {
+                    core.error("Please also enable `scan_secrets` to scan Git logs for secrets");
+                }
+                else {
+                    options.push(`--git-logs=true`);
+                }
+            }
             if (ENABLE_GITHUB_ACTION_TOKEN) {
                 options.push(`--enable-github-action-token=true`);
             }
@@ -22079,7 +22099,7 @@ function run() {
                     core.error("The `ci-run` option has been renamed to `pr` and must be enabled for PR comments. Remove the `ci-run` configuration or disable PR comments");
                 }
                 else if (!GITHUB_TOKEN) {
-                    core.error("GITHUB_TOKEN is required for PR comments");
+                    core.error("`github_token` is required to enable PR comments");
                 }
                 else {
                     options.push(`--enable-pr-comments=true`, `--github-pr-id=${GITHUB_PR_ID}`, `--github-token=${GITHUB_TOKEN}`);

src/scan.ts

@@ -171,6 +171,9 @@ async function run() {
     const SCAN_PR = core.getBooleanInput("pr");
     const SCAN_PR_BASELINE = core.getInput("pr_baseline");
     const SCAN_TAGS = core.getInput("tags");
+    const SCAN_DEPENDENCIES = core.getInput("scan_dependencies");
+    const SCAN_SECRETS = core.getInput("scan_secrets");
+    const SCAN_GIT_LOGS = core.getInput("scan_git_logs");
     const RUN_STATS = core.getInput("run_stats");
     const ADDITIONAL_ARGS = core.getInput("additional_args");
     const EXPORT_SCAN_RESULT_ARTIFACT = core.getBooleanInput(
@@ -219,6 +222,28 @@ async function run() {
 
     if (API) options.push(`--api=${API}`);
 
+    if (!SCAN_DEPENDENCIES && !SCAN_SECRETS) {
+      core.error(
+        "At least one of `scan_dependencies` or `scan_secrets` must be enabled"
+      );
+    }
+    if (SCAN_DEPENDENCIES) {
+      options.push(`--dependencies=true`);
+    }
+    if (SCAN_SECRETS) {
+      options.push(`--secrets=true`);
+    }
+
+    if (SCAN_GIT_LOGS) {
+      if (!SCAN_SECRETS) {
+        core.error(
+          "Please also enable `scan_secrets` to scan Git logs for secrets"
+        );
+      } else {
+        options.push(`--git-logs=true`);
+      }
+    }
+
     if (ENABLE_GITHUB_ACTION_TOKEN) {
       options.push(`--enable-github-action-token=true`);
     } else if (API_KEY && API_SECRET) {
@@ -237,7 +262,7 @@ async function run() {
           "The `ci-run` option has been renamed to `pr` and must be enabled for PR comments. Remove the `ci-run` configuration or disable PR comments"
         );
       } else if (!GITHUB_TOKEN) {
-        core.error("GITHUB_TOKEN is required for PR comments");
+        core.error("`github_token` is required to enable PR comments");
       } else {
         options.push(
           `--enable-pr-comments=true`,