Integrate SCA with GitHub Actions
SCA scans the dependencies in your repository on pull requests and code pushes. The following workflow is an example GitHub Action that runs Lacework's SCA. For additional information, consult the SCA repository's README.
Create Secrets
Before you can run SCA in GitHub Actions, you must add LW_ACCOUNT_NAME, LW_API_KEY, and LW_API_SECRET as secrets to your GitHub repository or organization. To obtain these values:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Ensure that a service user is assigned for your new or existing API key.
- To assign a service user:
  - Select an API Key - Select an API key, click the edit icon, and then use the toggle and dropdown to select a service user and click Save.
  - Create an API Key - Go to Create API key, then use the toggle and dropdown to select a service user and click Save.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
The service user who is assigned the API secret must have Read and Write permissions on Container Registries and Code Security. For more information, go to the Access Control Overview.
Save Secrets in GitHub Actions
Save the above secrets in your GitHub Actions repository or organization, following GitHub's instructions.
Run On Pushes or Pull Requests
To run an analysis on pushes or pull requests that highlights newly introduced alerts, create a file called .github/workflows/code-analysis-pr.yml with the following content:
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: write
env:
  # Secret names must match exactly what you saved in the repository or organization
  LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
  LW_API_KEY: ${{ secrets.LW_API_KEY }}
  LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
name: Lacework Code Analysis (PR)
jobs:
  run-analysis:
    runs-on: ubuntu-20.04
    name: Run analysis
    strategy:
      matrix:
        # Both the new and the old revision are analyzed so only new alerts are reported
        target: [new, old]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          # Depth 2 is required so that HEAD^1 exists for the "old" target
          fetch-depth: 2
      - name: Checkout old
        if: ${{ matrix.target == 'old' }}
        run: git checkout HEAD^1
      - name: Analyze
        uses: lacework/code-security-action@v1
        with:
          target: ${{ matrix.target }}
          tools: sca
  display-results:
    runs-on: ubuntu-20.04
    name: Display results
    needs:
      - run-analysis
    steps:
      - name: Results
        id: code-analysis
        uses: lacework/code-security-action@v1
        with:
          # Needed to post the comment on the push or pull request
          token: ${{ secrets.GITHUB_TOKEN }}
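A misspelled secret reference in the env block (for example an extra character in `secrets.LW_ACCOUNT_NAME`) is not an error in GitHub Actions; it silently resolves to an empty string and the analysis fails later with an authentication error. The following preflight script is an added example, not part of lacework/code-security-action or the Lacework documentation. It assumes only POSIX tools (grep, sed, sort) and the three secret names listed above; the embedded workflow fragment is constructed for the demo and deliberately contains such a typo.

```shell
#!/usr/bin/env bash
# Preflight checks for the Lacework SCA workflow. Added example; it is not
# code from lacework/code-security-action. Assumes POSIX grep/sed/sort only.

# Constructed sample: the env block with a typo in the first secret reference
# (a stray underscore). GitHub resolves an unknown secret to an empty string.
WORKFLOW_SAMPLE='env:
  LW_ACCOUNT_NAME: ${{ secrets._LW_ACCOUNT_NAME }}
  LW_API_KEY: ${{ secrets.LW_API_KEY }}
  LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
steps:
  - uses: lacework/code-security-action@v1
    with:
      token: ${{ secrets.GITHUB_TOKEN }}'

# Returns 0 when every ${{ secrets.NAME }} reference in the given workflow
# file is one of the names this workflow expects; prints any other name.
check_secret_refs() {
  file="$1"
  bad=0
  refs=$(grep -o 'secrets\.[A-Za-z0-9_]*' "$file" | sed 's/^secrets\.//' | sort -u || true)
  for ref in $refs; do
    case "$ref" in
      LW_ACCOUNT_NAME|LW_API_KEY|LW_API_SECRET|GITHUB_TOKEN) ;;
      *) echo "unexpected secret reference: secrets.$ref"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Returns 0 when the three Lacework variables are set and non-empty in the
# runner environment (an empty value is exactly what a misnamed secret yields).
check_lw_env() {
  missing=""
  for name in LW_ACCOUNT_NAME LW_API_KEY LW_API_SECRET; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing or empty:$missing"
    return 1
  fi
  return 0
}

# Demo against the constructed sample (written to a temp file, then removed).
tmp=$(mktemp)
printf '%s\n' "$WORKFLOW_SAMPLE" > "$tmp"
if check_secret_refs "$tmp"; then
  echo "secret references: OK"
else
  echo "secret references: fix the workflow before running the analysis"
fi
rm -f "$tmp"
```

Run `check_secret_refs .github/workflows/code-analysis-pr.yml` locally before committing the workflow, and add `check_lw_env` as a step before the Analyze step if you want the job to fail fast with a clear message instead of an opaque authentication error from the action.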
Results
After running SCA in GitHub Actions, Lacework comments on your push or pull request. The comment includes a link to more information about each known vulnerability, as well as details such as the name and severity of the vulnerability found.