Integrate SAST with GitHub Actions
Before using SAST for the first time, consult the Lacework Product Team for more information, as it may not work appropriately for every project.
To run SAST with GitHub Actions, you must add the workflow to your repository. Lacework's SAST then identifies potential vulnerabilities in your code on pull requests and code pushes. The following sections provide an example GitHub Actions workflow that runs Lacework's SAST.
For additional information, consult the Lacework Code Security repository's README.
Creating Secrets
Before you can run SAST in GitHub Actions, you must add LW_ACCOUNT_NAME, LW_API_KEY and LW_API_SECRET to your GitHub repository or organization. To obtain these values:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
The service user to whom the API key is assigned must have Read and Write permissions on Container Registries and Code Security. For more information, go to the Access Control Overview.
Save Secrets in GitHub Actions
Save the above secrets in your GitHub Actions repository or organization, following GitHub's instructions for creating encrypted secrets.
Run on Pushes or Pull Requests
To run an analysis on PRs that highlights new alerts, create a file called .github/workflows/code-analysis-pr.yml with this content:
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: write
env:
  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
  LW_API_KEY: ${{ secrets.LW_API_KEY }}
  LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
name: Lacework Code Analysis (PR)
jobs:
  run-analysis:
    runs-on: ubuntu-20.04
    name: Run analysis
    strategy:
      matrix:
        target: [new, old]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Checkout old
        if: ${{ matrix.target == 'old' }}
        run: git checkout HEAD^1
      - name: Build
        run: |
          # build command
      - name: Analyze
        uses: lacework/code-security-action@v1
        with:
          target: ${{ matrix.target }}
          tools: sast
          classes: |
            # classes output or JAR file generated by the build
  display-results:
    runs-on: ubuntu-20.04
    name: Display results
    needs:
      - run-analysis
    steps:
      - name: Results
        id: code-analysis
        uses: lacework/code-security-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
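A misspelled secret reference in the workflow does not fail YAML parsing; GitHub simply expands it to an empty string and the analysis fails later with a confusing authentication error. The following check, an added example that is not part of the Lacework documentation or the code-security-action project, scans a workflow file for ${{ secrets.NAME }} references, compares them with the secrets this page says you created, and confirms the top-level permissions block grants only the two permissions the workflow needs. The sample workflow text is constructed and deliberately contains a misspelled reference.

```python
import re

# Secrets this page says you must create, plus the token GitHub provides
# to every job automatically.
EXPECTED_SECRETS = {"LW_ACCOUNT_NAME", "LW_API_KEY", "LW_API_SECRET", "GITHUB_TOKEN"}

# Matches ${{ secrets.NAME }} expressions, tolerating extra spaces.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def referenced_secrets(workflow_text):
    """Return the set of secret names a workflow file references."""
    return set(SECRET_REF.findall(workflow_text))


def check_secret_refs(workflow_text, expected=EXPECTED_SECRETS):
    """Return (unknown, missing): names referenced but never configured
    (these expand to an empty string at run time) and configured names
    the workflow never uses."""
    refs = referenced_secrets(workflow_text)
    return sorted(refs - expected), sorted(expected - refs)


def has_least_privilege_permissions(workflow_text):
    """True when the top-level permissions block grants exactly
    contents: read and pull-requests: write, as the workflow above does."""
    block = re.search(r"^permissions:\n((?:[ \t]+.*\n?)+)", workflow_text, re.M)
    if not block:
        return False
    granted = dict(re.findall(r"^\s*([\w-]+):\s*(\w+)", block.group(1), re.M))
    return granted == {"contents": "read", "pull-requests": "write"}


# Constructed sample: the env block with a misspelled account-name reference.
SAMPLE_WORKFLOW = """\
permissions:
  contents: read
  pull-requests: write
env:
  LW_ACCOUNT_NAME: ${{ secrets._LW_ACCOUNT_NAME }}
  LW_API_KEY: ${{ secrets.LW_API_KEY }}
  LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
steps:
  - uses: lacework/code-security-action@v1
    with:
      token: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    unknown, missing = check_secret_refs(SAMPLE_WORKFLOW)
    print("unknown secret references:", unknown)  # ['_LW_ACCOUNT_NAME']
    print("configured but unused:", missing)      # ['LW_ACCOUNT_NAME']
    print("least privilege:", has_least_privilege_permissions(SAMPLE_WORKFLOW))
```

Run it against .github/workflows/code-analysis-pr.yml before pushing; an empty unknown list and an empty missing list mean every secret the workflow needs exists under the name it expects.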
Results
When you run SAST in GitHub, Lacework comments the results on your pull request. The comment reports the vulnerabilities introduced by the pull request and links to the file in GitHub where the potential vulnerability was found. The results also provide additional information about the vulnerability and its usage context.