Skip to content

A GitHub Action that scans your public web applications for log4j vulnerabilities after every deployment. Add this to your dev, staging and prod steps and SecureStack will make sure that what you've just deployed is secure and meets your requirements.

License

Notifications You must be signed in to change notification settings

SecureStackCo/actions-log4j

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SecureStack Log4j Vulnerability Analysis GitHub Action

A GitHub Action that analyses your java source code for all versions of the log4j vulnerability that affect both log4j 1.x and 2.x. You can read more about all versions of Log4j that are affected here: https://logging.apache.org/log4j/2.x/security.html

name: Example Workflow Using the SecureStack log4j scanning Action
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo for running log4j analysis
        id: checkout
        uses: actions/[email protected]
        with:
          fetch-depth: 0
      - name: Log4j Scanning Step
        id: log4j
        uses: SecureStackCo/[email protected]
        with:
          securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
          securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
          severity: critical

Create your SecureStack API Key as GitHub Secret

  1. Create a SecureStack account using your GitHub credentials. You get 20 scans for free and you don't need to add a credit card.
  2. Once you are logged in go to "Settings" in the black drawer on the left, and then -> API tab.
  3. Generate an API key and copy the value.
  4. Go to Settings for your GitHub repository and click on Secrets -> Actions at the bottom left.
  5. Create a new secret named SECURESTACK_API_KEY and paste the value from step 2 into the field.

Retreiving your SecureStack Application ID

  1. Log in to SecureStack.
  2. Open the application you wish to analyse. If you haven't created a managed application you can follow the directions in this VIDEO to create one.
  3. Copy the value of the application id on the View Application screen.
  4. Go to Settings for your GitHub repository and click on Secrets -> Actions at the bottom left.
  5. Create a new secret named SECURESTACK_APP_ID and paste the value from step 3 into the field.

Watch this video to learn how to setup your first GitHub Action with SecureStack

IMAGE ALT TEXT

Check out our other GitHub Actions:

  1. SecureStack Secrets Analysis - Scan your application for embedded api keys, credentials and senstive data.
  2. SecureStack Software Composition Analysis (SCA) - Scan your application for vulnerable third-party and open source libraries.
  3. SecureStack Web Vulnerability & Cloud Misconfiguration Analysis - Scan your running application url for cloud misconfigurations and web vulnerabilities.

Learn more about SecureStack with our YouTube Channel:

https://www.youtube.com/watch?v=YrPITQNy9UM&list=PL_8Xjyi5rInxzhpQkDRipipmaj0lT6pJ8

Made with 💜 by SecureStack