Github Actions¶
Aura provides an integration with the GitHub actions/ security view using the native sarif output format. Here is a minimal GitHub action configuration that scans the repository using Aura and uploads the generated SARIF report which can be viewed under the security tab of your repository:
on: [push]
jobs:
aura_scan:
runs-on: ubuntu-latest
name: Scan the code with Aura
steps:
- name: aura scan
id: aura_scan
# This automatically generates the `aura_ci_report.sarif` file
uses: SourceCode-AI/actions@master
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: aura_ci_report.sarif
Please be aware that you must first enable code scanning for your GitHub repository as this functionality is currently in beta and not available by default, otherwise the GitHub action will fail with a 403 - Forbidden error.
https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning
GitHub API¶
When scanning or analyzing a package, Aura utilizes GitHub API to pull source repository metadata for (mainly) calculating the Aura score of the package. GitHub imposes a quite strict rate limit for the anonymous requests which would get depleted very quickly, for this reason, it is highly recommended to generate a private API access token that Aura can use as it raises the API limit significantly.
To get started, use the official tutorial to generate the API key: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token . Aura needs read-only permission to read repository metadata such as the number of starts, last time of a commit, etc… (generic repo information) and a list of contributors for the repository. To access this data, aura needs the repo access permission.
After the token is generated you need to configure aura to use it. There are two options:
set the token as github_api in the API tokens YAML config section
set the token as AURA_GITHUB_API_TOKEN environment variable
You can verify the setup by running the aura info command which will check if the GitHub API token is configured and validate it.
