From Syhunt |

Docs: Integrating Syhunt into GitHub

The information in this document applies to version 6.9.8.2 of Syhunt Hybrid.

Table of Contents

Activating a Syhunt Runner
Adding Syhunt to your Actions YML script
Start-DynamicScan Function
Start-CodeScan Function
Pass/Fail Conditions
Integrating with GitHub Issues

Introduction

Launching Syhunt scans from within a GitHub Actions YML script is simple and straightforward, allowing you to integrate the Syhunt Dynamic, Syhunt Code and Syhunt Mobile security testing tools into your continuous delivery pipeline. You can also configure GitHub issue trackers in Syhunt, allowing vulnerabilities to be submitted to the issues area of projects.

The following example GitHub Actions YML script will scan the current repository source code, failing the job if medium or high vulnerabilities are identified. In addition to this, and it attachs a PDF vulnerability report to the pipeline job artifacts.


name: syhunt test
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: [self-hosted, Windows, X64]
    steps:
      - uses: actions/checkout@v2
      - run: Start-CodeScan -pfcond 'fail-if:risk=mediumup' -output 'report.pdf'
      - name: 'Syhunt Report'
        uses: actions/upload-artifact@v2
        if: failure()
        with:
         name: syhunt-report
         path: report.pdf
         if-no-files-found: error

Activating a Syhunt Runner

Syhunt Runner is a CI service that will receive scan requests, execute scans and communicate the scan results with GitHub.

IMPORTANT: For security and performance reasons, it is advised that the Runner is installed on a separated virtual machine or dedicated physical machine.

  1. First, install with its default settings Git for Windows, which can be downloaded at https://gitforwindows.org/
  2. Secondly, install with its default settings Syhunt Hybrid (syhunt-hybrid-7.0.12.4.exe)
  3. Finally, on GitHub.com, navigate to the main page of the repository:
    1. Under your repository name, click Settings.
    2. In the left sidebar, click Actions.
    3. In the left sidebar, under Actions, click Runners
    4. Click New self-hosted runner.
    5. Select Windows operating system and x64 architecture
    6. You will see instructions showing you how to download the runner application and install it on your self-hosted runner machine.
  4. Follow the given instructions to activate the runner with the repository's token.
    1. When you execute config.cmd, it will be asked to enter the name of the group to which the runner will be added. Press enter for Default group.
    2. Enter a name to identify the runner. Example: syhunt
    3. Enter a label for the runner. Example: syhunt
    4. Finally you will see the messages below, which indicate success:
    5. v Runner successfully added
    6. v Runner connection is good
    7. Now press enter to keep _work as the work directory.
    8. Specify if you wish to execute the runner as a Windows service (YES or NO)
  5. Now you must execute run.cmd. You should see the following message:
    1. v Connected to GitHub
    2. 2022-02-04 19:50:21Z: Listening for Jobs

Syhunt is now ready to be called from GitHub Actions scripts! See examples below

Note: A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 30 days. In addition to this, each workflow run is limited to 72 hours. If a workflow run reaches this limit, the workflow run is cancelled.

Adding Syhunt to your Actions YML script

If you don't have a workflow YML file in your repository, create a file like “.github/workflows/blank.yml” at your project’s root path.

SAST Example - The following example Github Actions YML script will scan the current repository source code, failing the job if medium or high vulnerabilities are identified. In addition to this, it attachs a PDF vulnerability report to the pipeline job artifacts.


name: syhunt test
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: [self-hosted, Windows, X64]
    steps:
      - uses: actions/checkout@v2
      - run: Start-CodeScan -pfcond 'fail-if:risk=mediumup' -output 'report.pdf'
      - name: 'Syhunt Report'
        uses: actions/upload-artifact@v2
        if: failure()
        with:
         name: syhunt-report
         path: report.pdf
         if-no-files-found: error

DAST Example - The following example Github Actions YML script will scan the live web application after going into production, failing the job if medium or high vulnerabilities are identified. In addition to this, it attachs a PDF vulnerability report to the pipeline job artifacts.


name: syhunt test
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: [self-hosted, Windows, X64]
    steps:
      - uses: actions/checkout@v2
      - run: Start-DynamicScan -target 'www.productionurl.com' -pfcond 'fail-if:risk=mediumup' -output 'report.pdf'
      - name: 'Syhunt Report'
        uses: actions/upload-artifact@v2
        if: failure()
        with:
         name: syhunt-report
         path: report.pdf
         if-no-files-found: error

Additional examples:


# SAST Example - Scan local directory/repository
Start-CodeScan -pfcond "medium"

# SAST Example - Scan a remote project repository
$MyProject = @{
  target = 'https://github.com/syhunt/vulnphp.git';
  branch = 'main';
  pfcond = 'medium';
  output = 'report.pdf'
}
Start-CodeScan @MyProject

# DAST Example - Scan URL
$MyWebsite= @{
  target = 'https://www.somewebsite.com';
  pfcond = 'medium';
  output = 'report.pdf'
}
Start-DynamicScan @MyWebsite

Start-DynamicScan Function

Syhunt Dynamic must be launched through the Start-DynamicScan() function. The following parameters must be provided when calling the Start-DynamicScan() function:

When using the output or outputex parameters, all output formats supported by Syhunt are available. The report or export will be saved to the current working directory, unless a full path name is provided.

Examples:


# Example 1 - Scan URL with single line
Start-DynamicScan -target 'https://www.somewebsite.com' -pfcond 'fail-if:risk=mediumup'

# Example 2 - Scan URL
$MyWebsite= @{
  target = 'https://www.somewebsite.com';
  pfcond = 'medium';
  output = 'report.pdf'
}
Start-DynamicScan @MyWebsite

Start-CodeScan Function

Syhunt Code must be launched through the Start-CodeScan() function. The following parameters can be provided when calling the Start-CodeScan() function, all of which are optional:

When using the output or outputex parameters, all output formats supported by Syhunt are available. The report or export will be saved to the current working directory, unless a full path name is provided.

Examples:


# Example 1 - Scan the current directory/repository
Start-CodeScan -pfcond "medium"

# Example 2 - Scan a remote GIT project
Start-CodeScan -target "https://github.com/someuser/somerepo.git" -huntmethod "normal" -pfcond "medium"

# Example 2 - Scan a remote Azure DevOps Services project
Start-CodeScan -target "https://dev.azure.com/user/projectname" -huntmethod "normal" -pfcond "medium"

# Example 4 - Scan a specific local directory
Start-CodeScan -target "C:\www\" -huntmethod "normal" -pfcond "medium"

Pass/Fail Conditions

The following are the pass/fail conditions currently supported by Syhunt:

Integrating with GitHub Issues

Configuring an issue tracker is an easy task and vulnerabilities can be submitted to a specific project with the click of a button.

For more details on how to submit vulnerabilities to the GitHub tracker, see: Submitting Vulnerabilities To a Tracker.


For additional product documentation, visit syhunt.com/docs

Retrieved from https://www.syhunt.com/en/index.php?n=Docs.SyhuntIntegrationGitHub
Page last modified on February 10, 2022, at 08:32 PM