In this article we will make the necessary modifications to a GitHub Workflow using the SOOS CI Analysis GitHub Action to scan a GitHub repository with SOOS.

Integration Steps

Open the SOOS App, browse to Integrate > CI/CD/Repo > CI/CD > GitHub Actions

Note the API Key (SOOS_API_KEY), Client ID (SOOS_CLIENT_ID) and Script (Script Integration) values; you will need them to set up the repository secrets and the workflow file below.

Technical details for the script can be found here: https://github.com/soos-io/soos-ci-analysis-github-actions 

Repo Setup

  1. Create a .github/workflows directory in your repository on GitHub if this directory does not already exist.
  2. In the .github/workflows directory, create a file named main.yml.
  3. Paste the script copied from SOOS App.

Build Setup

Setup Environment Variables

Navigate to your repository’s Settings > Secrets menu and, in the “Repository secrets” section, create the SOOS_API_KEY and SOOS_CLIENT_ID secrets. The workflow passes these to the SOOS CLI as environment variables, so the key and client ID never appear in plain text in main.yml or in the build log.


Build Config

Modify the .github/workflows/main.yml file, replacing the provided project_name variable value with one that is relevant to your project:

name: Example workflow using SOOS
# Events required to engage workflow (add/edit this list as needed)
on: push
jobs:
  soos-scan:              # job id; any name is fine
    name: SOOS Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master

      - name: Run SOOS - Scan for vulnerabilities
        uses: soos-io/soos-ci-analysis-github-actions@main
        with:
          project_name: "My Project Name"
        env:
          # Visit https://soos.io to get the required tokens to leverage SOOS scanning/analysis services
          # The credentials are read from the repository secrets created above and
          # passed to the SOOS CLI as environment variables.
          SOOS_CLIENT_ID: ${{ secrets.SOOS_CLIENT_ID }}
          SOOS_API_KEY: ${{ secrets.SOOS_API_KEY }}
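As an added example (not from the SOOS documentation or the action’s repository), here is the same workflow with the two supply-chain hardening changes a security reviewer would normally ask for before merging it: a least-privilege GITHUB_TOKEN and pinned action versions. The job id, the `permissions` block, the `v4` tag for actions/checkout and the extra `pull_request` trigger are assumptions of this example; the SOOS action’s inputs are used exactly as shown above.

```yaml
name: Example workflow using SOOS (hardened)
on: [push, pull_request]

# Least privilege for the automatic GITHUB_TOKEN: a dependency scan only needs
# to read the repository contents. Any step that needs more must request it
# explicitly at the job level instead of inheriting a write-capable default.
permissions:
  contents: read

jobs:
  soos-scan:
    name: SOOS Scan
    runs-on: ubuntu-latest
    steps:
      # Pinned to a release tag rather than the moving "master" branch.
      # Pinning to the full commit SHA behind that tag is stronger still,
      # because a tag can be moved by the maintainer while a SHA cannot.
      - uses: actions/checkout@v4

      - name: Run SOOS - Scan for vulnerabilities
        # Replace "main" with a release tag or commit SHA listed at
        # https://github.com/soos-io/soos-ci-analysis-github-actions so that
        # an unreviewed push to that branch cannot change what runs here.
        uses: soos-io/soos-ci-analysis-github-actions@main
        with:
          project_name: "My Project Name"
        env:
          # Credentials come only from repository secrets; never paste the
          # literal API key or client ID into this file.
          SOOS_CLIENT_ID: ${{ secrets.SOOS_CLIENT_ID }}
          SOOS_API_KEY: ${{ secrets.SOOS_API_KEY }}
```

One caveat with the added `pull_request` trigger: GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so the scan step will fail on fork PRs with an authentication error rather than leaking the key. If you accept fork contributions, keep the scan on `push` only or gate it on the source repository.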

Run It

To run the SOOS CLI against your repository’s code, push a commit (the `on: push` event in main.yml triggers the workflow). The build reads the API Key and Client ID from the repository secrets you created; if the scan does not show up in the SOOS App, check the run’s log under the repository’s Actions tab for an authentication or configuration error.