DefenseCode ThunderScan GitHub Action with SARIF output.

• DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. ThunderScan® is easy to use and can be deployed during or after development with easy integration into DevOps environment and CI/CD pipeline.

• DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). WebScanner will test a website’s security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Find more info in the official website: DefenseCode.com

The default output format for this GitHub Action is a SARIF output report stored in the working directory as ./thunderscan-sarif.json

ThunderScan action runs on a self-hosted runner, utilizing a ThunderScan API CLI client.

    steps:
    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
    - uses: actions/checkout@v2

    # ThunderScan Action
    - name: ThunderScan
      uses: defensecode/thunderscan-action@v1.0
      with:
        api_url: 'http://localhost:8999'
        client_path: '/opt/thunderscan/tsactioncli'
        api_token:  ${{ secrets.THUNDERSCAN_TOKEN }}

    - name: Expose report
      uses: actions/upload-artifact@v2
      with:
        name: SARIF results
        path: thunderscan-sarif.json
    # Uploads thunderscan-sarif.json to GitHub repository using the upload-sarif action
    - uses: github/codeql-action/upload-sarif@v1
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: thunderscan-sarif.json