GitHub Actions Integration

GitHub Actions Integration Setup Guide for API Scanner

Overview

This guide walks you through integrating API Scanner with your GitHub Actions workflow to automatically scan APIs for security vulnerabilities during your build process.

What You Can Achieve

  1. Automated Security Scanning: Run security scans automatically during your GitHub Actions workflow builds
  2. Pipeline Control: Choose whether to block or continue builds based on scan results
  3. Continuous Monitoring: Automatically scan newly added APIs in your collection
  4. Real-time Results: Get immediate feedback on your API security posture

Before You Start

Make sure you have the following ready:

Required Setup

  1. Active GitHub Actions Workflow: You need a working GitHub Actions workflow setup.
  2. API Collection in GitHub: Your API collection file should be stored in a GitHub repository that gets updated with new APIs
  3. Existing API Scanner Collection: You must have the same API collection already set up in API Scanner with proper authentication configured
  4. Refresh Tokens: Include refresh tokens if your authentication tokens have short expiry times
  5. Running API Scanner: The API Scanner server must be running during pipeline builds

Step-by-Step Integration Process

Step 1: Configure Integration Settings

 1. Access Integration Module

  1. Open API Scanner in your browser
  2. Navigate to the Integration section

 2. Select GitHub Actions Integration

  1. From the available integrations list, click on GitHub Actions

 3. Fill in Connection Details

  1. Enter the following information:

Field | Description | Example
Integration Title | A descriptive name for this integration | "Production API Security Scan"
User Name | Your name or the integration creator's name | "John Doe"
Host URL | The URL where API Scanner is hosted | http://103.81.38.252:9090/ or http://localhost:9090/
Repository URL | Your GitHub repository URL containing the API collection | https://github.com/yourorg/api-collections
Branch Name | The branch where your API collection is stored | main, develop, or hotfix
API Collection File Name | The exact filename of your API collection | Hair Store API-06-09-2024.json

 4. Save Configuration

  1. Click the "Create Connection" button to save your settings

Step 2: Configure Pipeline Behavior

 1. Select Your Collection

  1. Choose the API collection you want to integrate with your GitHub Actions workflow from the "Validate Collection" dropdown

 2. Choose Pipeline Action

  Decide how the pipeline should behave when vulnerabilities are found:

 Option A: Do Not Block Pipeline

  1. The security scan will run, but the pipeline will continue regardless of results
  2. Use this for monitoring purposes without interrupting deployments

 Option B: Block Pipeline

  1. The pipeline will stop if vulnerabilities meet your specified criteria
  2. Set vulnerability thresholds for each severity level:
     1. Critical: Enter the number of critical vulnerabilities that will block the pipeline
     2. High: Enter the number of high-severity vulnerabilities that will block the pipeline
     3. Medium: Enter the number of medium-severity vulnerabilities that will block the pipeline
     4. Low: Enter the number of low-severity vulnerabilities that will block the pipeline

 Example: Setting "Critical > 0" will block the pipeline if even 1 critical vulnerability is found.
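The Option B gate as an added shell example; it is not the script API Scanner generates (that script's contents are not shown on this page). The "critical=N high=N ..." summary line, the function names and the rule that a count greater than its threshold blocks (taken from the "Critical > 0" example above) are assumptions.

```shell
#!/bin/sh
# Added example, not the script API Scanner generates: a job-step gate that
# applies the Option B thresholds to a scan summary and fails the job when a
# severity count exceeds its threshold ("Critical > 0" blocks on one finding).
# Summary format, function names and the "count > threshold" rule are assumed.

# get_count SUMMARY SEVERITY
# Prints the count for SEVERITY from a "critical=N high=N medium=N low=N"
# summary line (constructed format), or 0 when the severity is absent.
get_count() {
    for pair in $1; do
        case $pair in
            "$2"=*) echo "${pair#*=}"; return 0 ;;
        esac
    done
    echo 0
}

# exceeds COUNT THRESHOLD
# Succeeds only when THRESHOLD is configured (non-empty) and COUNT > THRESHOLD.
exceeds() {
    [ -n "$2" ] && [ "$1" -gt "$2" ]
}

# scan_gate SUMMARY CRITICAL_MAX HIGH_MAX MEDIUM_MAX LOW_MAX
# Returns 0 to let the pipeline continue and 1 to block it; every severity
# that trips its threshold is printed so the reason shows up in the job log.
scan_gate() {
    status=0
    for severity in critical high medium low; do
        count=$(get_count "$1" "$severity")
        case $severity in
            critical) threshold=${2-} ;;
            high)     threshold=${3-} ;;
            medium)   threshold=${4-} ;;
            low)      threshold=${5-} ;;
        esac
        if exceeds "$count" "$threshold"; then
            echo "BLOCK: $count $severity finding(s) exceed threshold $threshold"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then echo "CONTINUE: all counts within thresholds"; fi
    return "$status"
}

# Stand-alone run on a constructed summary with Critical > 0 and High > 2 set
# to block; a non-zero exit here is what makes the workflow step fail.
scan_gate "critical=0 high=3 medium=5 low=12" 0 2 "" "" || echo "pipeline blocked"
```

Used as a `run:` step, the non-zero return from scan_gate fails the job only when you chose Option B; for Option A the same step can be run with all thresholds left empty.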

 3. Generate Integration Script

  1. Click the "Generate Script" button
  2. Copy the generated script to your clipboard

Step 3: Add Script to GitHub Actions Workflow

 1. Open GitHub Repo

  1. Navigate to the Actions tab in your GitHub repository's top bar
  2. Create a new workflow or open an existing workflow

 2. Update Pipeline Script

  1. Add the script copied in Step 2 to your existing workflow file

 3. Save Changes

  1. Click "Save" to apply the pipeline updates and commit the file.

Integration Complete!

Your GitHub Actions workflow is now configured to automatically scan your APIs for security vulnerabilities. Here's what happens next:

  1. Automatic Scanning: Every pipeline build will trigger an API security scan
  2. Real-time Feedback: You'll receive immediate results about any vulnerabilities found
  3. Controlled Deployment: Based on your settings, the pipeline will either continue or stop depending on scan results

Troubleshooting Tips

  1. API Scanner Not Running: Ensure the API Scanner server is active before starting any pipeline builds.
  2. Authentication Issues: Verify that your API collection in API Scanner has proper authentication setup.
  3. File Not Found: Double-check that the API collection filename exactly matches what's in your GitHub repository.
  4. Connection Problems: Confirm that the Host URL is reachable from the GitHub Actions runner that executes your workflow (a localhost URL only works when API Scanner runs on that same self-hosted runner).

Need Help?

If you encounter any issues during setup, verify that all prerequisite requirements are met and that the API Scanner server is running and accessible from your GitHub Actions workflow environment.
