The zimperium-zscan action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. It:
- Identifies risks and provides recommendations to mitigate them
- Highlights the vulnerable code snippet
- Lists the locations where the vulnerable code snippet was found
- Integrates with GitHub Advanced Security (GHAS) to display issues and remediation information inside GitHub code scanning alerts
- Runs scans for each merge or pull request
```yaml
- name: Run Zimperium zScan
  uses: zimperium/zscanmarketplace@v1
  timeout-minutes: 60
  with:
    client_env: mapsfreemium
    client_id: <Paste CLIENT_ID here>
    client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
    app_file: ./InsecureBankv2.apk
- name: Upload SARIF file
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: Zimperium.sarif
```
- If you use an Enterprise GitHub account, you need a GitHub Advanced Security (GHAS) license to use the zScan Action.
- If you use a public repository, GHAS and Code Scanning are already enabled by default.
If you are an existing Zimperium zScan Customer
- Log in to the zConsole user interface of the zScan platform.
- Click the Account Management gear icon.
- Click the Authorizations menu item.
- Click the + Generate API Key button.
- Enter a description and select the permissions zScan needs at the bottom: select View for all permissions except zScan Builds, and select Upload for that one.
- Click the Save API Access button.
- Click the copy icons and store both the client ID (CLIENT_ID) and the client secret (ZSCAN_CLIENT_SECRET) values.
- Click Close.
If you want to enroll in our 30 Day FREE TRIAL
- Registration - Please fill out this form to register for the free trial.
- Post Registration
  - API Secret Key - Once you submit the registration form, an API Key will be displayed immediately. This is your ZSCAN_CLIENT_SECRET. PLEASE SAVE THIS KEY.
  - API CLIENT ID - A second key will be sent to the email address you provided during registration. This is your CLIENT_ID. To set up the action, you need both keys.
If I misplace or forget my keys, what should I do?
- Resubmit the registration form with the same email address. This will not restart the trial, but it will provide you with new trial keys.

If I need assistance, what should I do?
- Send an email to [email protected] with the details. The subject of the email should be "GitHub zScan Action Free Trial".
You need to enable GHAS to display issues and remediation information inside GitHub code scanning alerts. Once you have acquired the GHAS license, follow the instructions below to enable GHAS.
Please Note: If you are using a public repository, GHAS and Code Scanning are already enabled for you by default.
- Click the Settings tab in your GitHub account.
- Click Code Security and Analysis on the left navigation pane under the Security section.
- Click Enable for GitHub Advanced Security and confirm the setting. This permits code scanning and secret scanning.
- Under GHAS, ensure that Code Scanning is enabled. This is a required step.
Add the client secret as a repository secret so that the zScan workflow can reference it in the next step. Follow the instructions below to add a secret.
- Within a Repository, go to Settings. Under Security, select “Secrets and Variables” and then “Actions.”
- Click the “New repository secret” button.
- Enter ZSCAN_CLIENT_SECRET in the Name field.
- Enter the API Secret Key you obtained from Step 1 in the Secret field.
- Click "Add secret".
- Click the "Security" tab in your repository (GHAS must be enabled).
- Click "Set up code scanning" under “Vulnerability Alert” on the left navigation pane.
- Click “Configure Scanning Tool”.
- Under the Code Scanning section, click “Explore Workflows”.
- Enter “zScan” in the search box and hit enter.
- The zScan action is displayed. Click the “Configure” button.
- The zscan.yml file will automatically be opened.
- Click the Edit button and make the following changes in the zscan.yml file.
  - Change the value for client_env.
    - If you are a FREE TRIAL USER, then make sure the line reads “client_env: mapsfreemium”.
    - If you are a zScan customer, please review the zScan user guide for the right value.
    - Please Note: The two spaces after “:” are MANDATORY.
  - Change the value for client_id.
    - Where it says “client_id: CNm4gbdCRIyIkv-yjUZ0_K”, replace “CNm4gbdCRIyIkv-yjUZ0_K” with the CLIENT_ID from Step 1.
  - Upload the app you want to scan and change the value of the app_file variable.
    - Upload the app you want to scan to your main repo folder.
    - Next, change the value of the "app_file" variable to indicate the app name and its location in the repo.
    - If the app file is in the main repository folder, the value starts with “app_file: ./”, for example "app_file: ./MyBank.apk”. Otherwise, update the location accordingly.
    - If you want to use the default "app_file: ./InsecureBankv2.apk", then download the InsecureBankv2 app here and upload it into your repo.
- Click “Commit changes”, choose “Commit directly to the main branch”, and commit the changes.
- Committing the changes automatically runs the zScan action.
- Click “Security” on the top navigation bar.
- Under Security in the left navigation bar, click “Code Scanning” to view all the scan results.
The action must run on an ubuntu-latest GitHub Actions runner, either as a step in an existing workflow or in a new one. If you do not yet have a workflow, add a new file called zscan.yml in your .github/workflows folder. Review the example at https://github.com/Zimperium/zScanMarketplace/tree/master/workflows.
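A complete zscan.yml that ties the snippet and the steps above together, added here as an illustration rather than taken from the zScanMarketplace repository. The trigger branches, the actions/checkout step, and the permissions block are assumptions; security-events: write is what the upload-sarif step needs to create code scanning alerts, and contents: read is enough for checkout.

```yaml
# .github/workflows/zscan.yml (added example, not the project's own file)
name: zScan mobile app scan

# Assumed trigger: scan on every push to main and on every pull request
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # check out the repository (least privilege for this job)
  security-events: write  # required by upload-sarif to post code scanning alerts

jobs:
  zscan:
    runs-on: ubuntu-latest   # the action requires an ubuntu-latest runner
    steps:
      - name: Check out repository so app_file exists in the workspace
        uses: actions/checkout@v4   # assumed checkout step

      - name: Run Zimperium zScan
        uses: zimperium/zscanmarketplace@v1
        timeout-minutes: 60
        with:
          client_env: mapsfreemium            # free-trial value; customers take theirs from the user guide
          client_id: <Paste CLIENT_ID here>   # the ID is a plain value; the secret is never committed
          client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}  # repository secret added in Step 2
          app_file: ./InsecureBankv2.apk      # path of the binary relative to the repo root

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: Zimperium.sarif         # results appear under Security > Code Scanning
```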
File issues for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
Click here to start the process and get some promotional pricing.
This project is released under the MIT License. Zimperium zScan Platform, used in this action, has separate Terms and Conditions and requires a valid license to function.