Add GitHub Actions workflow file

To run a HawkScan test on your Javaspringvulny app, add a GitHub Actions workflow file to your fork. This workflow YAML file tells GitHub what to run: it starts the Javaspringvulny application and then runs the HawkScan scanner against it. The configuration below does exactly that, using the HawkScan configuration file already in your forked repo (stackhawk-actions.yml). All you need to do is create the workflow file in your fork of the project in GitHub and paste in the provided configuration.

To add the workflow file in GitHub:

  1. Click the Code tab to go to the code view of your Javaspringvulny fork in GitHub.
  2. Click the .github/workflows folder.
  3. Click Add file and select Create new file.
  4. Copy and paste the following configuration into the file:

    stackhawk-actions-workflow.yml

    # This is a basic workflow to help you get started with GitHub Actions
    name: StackHawk Actions
    # Controls when the workflow will run
    on:
      # Triggers the workflow on pull request events that target the main branch
      pull_request:
        branches: [main]
      # Allows you to run this workflow manually from the Actions tab
      workflow_dispatch:

    # A workflow run is made up of one or more jobs that can run sequentially or in parallel
    jobs:
      # This job runs the Javaspringvulny application and then runs HawkScan to test it
      stackhawk-hawkscan:
        # This is the OS we chose to run the project on
        runs-on: ubuntu-latest
        # These are the sequential steps for running the action
        steps:
          # First, the action checks out the repo to get the latest version
          - name: Check out Repo!
            uses: actions/checkout@v2
          # Next, the action builds and runs the Javaspringvulny application in a Docker container
          - name: Build and Run Vulny!
            run: docker-compose build && docker-compose up -d
          # Afterwards, the action pulls down the correct version of HawkScan, in this instance 2.0.0. Then it runs HawkScan
          # against the application using the API key that was saved to the repo as a secret and the HawkScan
          # configuration file stackhawk-actions.yml. It also reads the commit SHA and branch name from the pull request
          # event and exposes them to HawkScan as the environment variables COMMIT_SHA and BRANCH_NAME.
          - name: HawkScan
            uses: stackhawk/hawkscan-action@v2
            with:
              apiKey: ${{ secrets.HAWK_API_KEY }}
              configurationFiles: stackhawk-actions.yml
            env:
              COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # Get the commit SHA from GitHub -> needed for Actions
              BRANCH_NAME: ${{ github.head_ref }} # Used to display Branch name in the StackHawk UI

  5. Enter stackhawk-actions-workflow.yml in the Name your file . . . text box.

    (Screenshot: GitHub name new file)

  6. Scroll to the bottom and click Commit new file.

    (Screenshot: GitHub commit changes)
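Before committing, it is worth confirming the two properties of this workflow that matter most: apiKey is read from a repository secret rather than pasted inline, and every action is pinned to a tag or commit. The script below is an added example, not part of this page or of StackHawk's tooling; the two sample workflows it checks are constructed, reduced copies of the one above.

```python
import re

# Constructed sample: the workflow from this page, reduced to the lines the checks inspect.
GOOD_WORKFLOW = """\
on:
  pull_request:
    branches: [main]
jobs:
  stackhawk-hawkscan:
    steps:
      - uses: actions/checkout@v2
      - uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: ${{ secrets.HAWK_API_KEY }}
"""

# Constructed sample: the same workflow with two mistakes a reviewer should catch
# (an unpinned action and a literal placeholder pasted where the secret belongs).
BAD_WORKFLOW = """\
on:
  pull_request:
jobs:
  stackhawk-hawkscan:
    steps:
      - uses: actions/checkout
      - uses: stackhawk/hawkscan-action@v2
        with:
          apiKey: PASTED-KEY-PLACEHOLDER
"""

# A GitHub expression of the form ${{ secrets.NAME }} and nothing else.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# owner/repo[/path]@ref; local (./) and docker:// references are deliberately not recognised.
PINNED_ACTION = re.compile(r"^[\w.-]+/[\w.-]+(/[\w./-]+)?@\S+$")


def check_workflow(text):
    """Return (line_number, message) findings for a workflow file; an empty list means it passed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing YAML comments such as the env: notes above
        if line.startswith("apiKey:"):
            value = line[len("apiKey:"):].strip()
            if not SECRET_REF.match(value):
                findings.append((lineno, "apiKey must reference a repository secret, not a literal value"))
        elif line.startswith("- uses:") or line.startswith("uses:"):
            ref = line.split("uses:", 1)[1].strip()
            if not PINNED_ACTION.match(ref):
                findings.append((lineno, f"action '{ref}' is not pinned to a tag or commit"))
    return findings
```

Run it against the real file with `check_workflow(open(".github/workflows/stackhawk-actions-workflow.yml").read())`; any finding should block the commit.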

Next, open a PR and run a HawkScan test.