Security Requirement Analysis GitHub Action

A GitHub Action to analyze your security requirements that are represented in the form of GitHub Issues. If Action classifies Issue as a security requirement, then it sets a label on it. Additionally, it recommends Security Technical Implementation Guides(STIGs) that cover the requirement. Moreover, it suggests already implemented tests on the recommended STIGs from RQCODE repository. In case of tests absence on proposed STIGs, automatically creates Issue in RQCODE repository asking to implement it.

Usage

You can use the Security Requirement Analysis GitHub Action in a GitHub Actions Workflow by configuring a YAML-based workflow file, e.g. .github/workflows/security-requirement.yaml, with the following:

name: Analyse security requirement

on:
  # triggers on Issue opened event
  issues:
    types:
      - opened

jobs:
  label:
    runs-on: ubuntu-latest
    name: Find out if Issue is security requirement
    steps:
      - uses: actions/checkout@v3
      - uses: VeriDevOps/security-issue-classification@main
        name: Label an issue, suggest STIGs and Tests
        with:
          rqcode-token: ${{ secrets.RQCODE_TOKEN }}

Inputs

rqcode-token

Required. A GitHub access token (PAT) with public_repo access in the repo scope. NOTE. The automatically provided token e.g. ${{ secrets.GITHUB_TOKEN }} can not be used, GitHub prevents this token from being able to create issues in other repositories(in our case, RQCODE repository). The reasons are explained in the GitHub Community Forum.

The solution is to manually create a PAT and store it as a secret e.g. ${{ secrets.RQCODE_TOKEN }}

label

Optional. The label to mark issue as security requirement. Default: 'security'

stigs-comment

Optional. Enable STIGs and tests suggestion from RQCODE repository through issue commenting. Default: 'true'

token

Optional. A github token used for creating an octoclient for making API calls for labeling and commenting Issues. If you want to use another user, you can specify its token. Default: ${{ github.token }}

username

Required. Username to sign-up in ARQAN microservice. Provide a unique username for ARQAN service in ${{ secrets.ARQAN_USER }}.

password

Required. Password to sign-up in ARQAN microservice. Provide a secure password for ARQAN service in ${{ secrets.ARQAN_PASS }}.

Contributing

Contributions are welcome! See CONTRIBUTING.md for step-by-step instructions.

If you need help or have a question, let us know via a GitHub issue with type Question.

License

This project is licensed under the Apache License - see the LICENSE file for details.